“An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours. The attacks followed an initial breach of the company's systems by a likely initial access broker (IAB) in December 2021, who exploited a firewall misconfiguration to breach the domain controller server using a Remote Desktop Protocol (RDP) connection.”
Sophos says dual ransomware attacks are becoming increasingly common, but this is the first incident where they have seen three separate ransomware actors use the same entry point to attack a single organization.
LockBit, Hive, and ALPHV/BlackCat affiliates were able to access the victim's network on April 20, May 1, and May 15, respectively.
On May 1, LockBit and Hive ransomware payloads were distributed across the network using the legitimate PsExec and PDQ Deploy tools within two hours to encrypt more than a dozen systems during each attack (the LockBit affiliate also stole data and exfiltrated it to the Mega cloud storage service).
Because the Hive ransomware attack started 2 hours after LockBit, both ransomware groups were having trouble finding files that were not encrypted. Two weeks after restoring its systems, a BlackCat threat actor connected to the same management server and installed the Atera remote access solution to exfiltrate stolen data. The BlackCat affiliate then went on to drop its own ransomware payloads using PsExec to encrypt six machines after moving laterally through the network using compromised credentials.
The Sophos responders had trouble retracing all three ransomware actors' TTPs because BlackCat cleared the Windows Event Logs on compromised systems. In total, Sophos found three different ransom notes and that some files had been encrypted five times.
While this is definitely an extreme case, we do see re-infections by different ransomware groups from time to time. Early on, it was common for companies to have their cyber insurance providers pay ransoms but never fix the security issues that led to the attack, which would lead to re-infection by the same or a different ransomware group.
Sophos published a whitepaper sharing guidance on defending against similar attacks from multiple ransomware gangs.
- Organizations are advised to keep their systems up to date and to investigate their environments for backdoors or vulnerabilities that threat actors may have introduced as a failsafe to regain access to the network if they are evicted.
- Lock down services such as VNC and RDP, and any other remote access solutions, that are reachable from the outside.
- If remote access is needed, it should be reachable only via VPN and only via accounts with enforced multi-factor authentication (MFA) and strong passwords.
- Networks should also be segmented by separating critical servers into VLANs, and the entire network should be scanned and audited for unpatched and vulnerable devices.
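The three signals that run through this incident (an RDP logon from outside the network, PsExec-style remote execution, and clearing of the Security log) each leave a well-known Windows event ID. The following triage script is an added example written for this post, not code from Sophos or the incident report; it runs over a constructed, SIEM-style JSON export whose field names (`channel`, `event_id`, `logon_type`, `src_ip`, `service_name`) are assumed to have been normalized by the exporting tool.

```python
import ipaddress

# Constructed sample records, modelled on a normalized event export (not real incident data).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "DC01", "logon_type": 10,
     "src_ip": "203.0.113.5", "user": "admin"},                       # RDP logon from outside
    {"channel": "System", "event_id": 7045, "host": "FS02",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},  # PsExec service
    {"channel": "Security", "event_id": 1102, "host": "FS02", "user": "admin"},  # log cleared
    {"channel": "Security", "event_id": 4624, "host": "WS11", "logon_type": 2,
     "src_ip": "-", "user": "alice"},                                 # benign console logon
]

# Assumption: only RFC 1918 space is internal; adjust to the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when ip parses as an address that is neither loopback nor in an internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or empty source fields in local logons
        return False
    if addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return (host, finding) tuples for events matching the incident's TTPs."""
    findings = []
    for e in events:
        ch, eid = e.get("channel"), e.get("event_id")
        # 4624 with logon type 10 = RemoteInteractive (RDP); external source = exposed RDP
        if ch == "Security" and eid == 4624 and e.get("logon_type") == 10 \
                and is_external(e.get("src_ip", "-")):
            findings.append((e["host"], f"RDP logon from external address {e['src_ip']} as {e['user']}"))
        # 7045 = new service installed; PSEXESVC is the PsExec remote-execution service
        elif ch == "System" and eid == 7045 and e.get("service_name", "").upper() == "PSEXESVC":
            findings.append((e["host"], "PsExec service installed (remote execution / lateral movement)"))
        # 1102 = Security audit log cleared; matches the anti-forensics seen in the BlackCat phase
        elif ch == "Security" and eid == 1102:
            findings.append((e["host"], f"Security log cleared by {e.get('user')} (anti-forensics)"))
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

A host that shows both a PSEXESVC install and a 1102 within the same window, as FS02 does here, is worth escalating ahead of single-signal hits.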