A growing number of ransomware victims are discovering they are being attacked by multiple gangs, with assaults coming in waves that may be days or even weeks apart, and sometimes happening concurrently, according to security vendor Sophos.
Presenting its findings at Black Hat USA 2022 in Las Vegas, the Sophos X-Ops team found that many multiple-ransomware incidents boil down to two key factors: the target having failed to address critical exploitable vulnerabilities in its systems (Log4Shell, ProxyLogon and ProxyShell being the most widely used); or the target having failed to address malicious tooling or misconfigurations that earlier attackers had left behind.
Moreover, X-Ops – a recently launched unit within the business that brings together its research and threat response teams to create an "AI-assisted" security operations centre (SOC) – said that in many cases, access-as-a-service (AaaS) listings posted to dark web markets by initial access brokers (IABs) are sold on a non-exclusive basis, meaning they are sold to multiple buyers many times over.
"It's bad enough to get one ransomware note, let alone three," said John Shier, senior security advisor at Sophos. "Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cyber security that includes prevention, detection and response is critical for organisations of any size and type – no business is immune."
In its whitepaper Multiple attackers: A clear and present danger, X-Ops shares the story of one recent incident in which three different ransomware crews – Hive, LockBit and BlackCat – consecutively attacked the same victim network, with the first two incidents unfolding within the space of just two hours, while the third attack came a fortnight later. In each case, the gang left its own ransom demand, and some of the victim's files were encrypted three times over.
This attack dates back to 2 December 2021, when a probable IAB established a remote desktop protocol (RDP) session on the victim's domain controller, lasting 52 minutes. Everything then went quiet until 20 April 2022, when LockBit gained access to the network – possibly, though not necessarily, via the exposed RDP instance – and exfiltrated data from four systems to the Mega cloud storage service. A little over a week later, on 28 April, the LockBit operator began moving laterally and executed Mimikatz to steal passwords.
Then, on 1 May, they created two batch scripts to distribute the ransomware binary using the legitimate PsExec tool. It took 10 minutes to execute the binary on 19 hosts, encrypt the files and drop ransom notes. However, within the space of 120 minutes, a Hive affiliate appeared on the network using the PDQ Deploy tool to distribute their own ransomware binary, which executed within 45 minutes on 16 hosts.
The BlackCat (aka ALPHV) attack took place on 15 May, when an affiliate gained access to the network, moved laterally using stolen credentials, and distributed their ransomware binaries, again using PsExec. These executed on six hosts within 30 minutes, after which BlackCat began to clear the victim's Windows Event Logs relating not only to their own attack, but to those of LockBit and Hive. This significantly complicated subsequent Sophos investigations – which was, of course, BlackCat's intention.
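Two things in the incident above are worth checking for in collected timeline data: distinct deployment tooling or actors appearing within a short window of each other, and event-log clearing that follows a deployment. The following is an added example, not Sophos' code or tooling, that runs over a constructed set of events with made-up hosts and times loosely mirroring the timeline described in the text.

```python
"""Correlate an incident timeline for overlapping ransomware deployments and
subsequent event-log clearing (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    kind: str    # "deploy" (ransomware binary pushed) or "log_cleared"
    detail: str  # for deploys: "tool:actor" label; for log clears: log name


# Constructed sample events; hosts and times are invented for the example.
SAMPLE = [
    Event(datetime(2022, 5, 1, 10, 0), "dc01", "deploy", "PsExec:LockBit"),
    Event(datetime(2022, 5, 1, 10, 8), "fs02", "deploy", "PsExec:LockBit"),
    Event(datetime(2022, 5, 1, 11, 50), "fs02", "deploy", "PDQDeploy:Hive"),
    Event(datetime(2022, 5, 15, 9, 30), "fs02", "deploy", "PsExec:BlackCat"),
    # e.g. Windows Security log cleared (Event ID 1102) on the domain controller
    Event(datetime(2022, 5, 15, 10, 5), "dc01", "log_cleared", "Security"),
]


def overlapping_actors(events, window=timedelta(hours=2)):
    """Return sorted (earlier, later) pairs of distinct deployment labels that
    occurred within `window` of each other: a sign of more than one crew."""
    deploys = sorted((e for e in events if e.kind == "deploy"), key=lambda e: e.when)
    pairs = set()
    for i, first in enumerate(deploys):
        for later in deploys[i + 1:]:
            if later.when - first.when > window:
                break  # sorted by time, so nothing further is in the window
            if later.detail != first.detail:
                pairs.add((first.detail, later.detail))
    return sorted(pairs)


def log_clears_after_deploy(events):
    """Return (time, host, log) for log-clearing events that follow the first
    deployment; such clearing destroys evidence of earlier attackers as well."""
    deploy_times = [e.when for e in events if e.kind == "deploy"]
    if not deploy_times:
        return []
    first_deploy = min(deploy_times)
    return [(e.when, e.host, e.detail) for e in events
            if e.kind == "log_cleared" and e.when > first_deploy]


if __name__ == "__main__":
    print("overlapping actors:", overlapping_actors(SAMPLE))
    print("log clears after deployment:", log_clears_after_deploy(SAMPLE))
```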
The X-Ops team said cyber criminal gangs were competing for resources that are ultimately limited to some degree, making it harder for them to operate concurrently, and in some of the other attacks detailed in the extensive whitepaper, the team described how other types of malware, such as cryptominers or remote access trojans (RATs), often make a virtue of being able to kill off competitors if found.
However, said Shier, in the case of ransomware gangs, there appears to be less open antagonism. "Indeed," he said, "LockBit explicitly does not forbid affiliates from working with competitors, as indicated in the Sophos whitepaper.
"We don't have evidence of collaboration, but it's possible this is due to attackers recognising that there are a finite number of 'resources' in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target – i.e. multiple attacks – the more likely the victims are to pay. Perhaps they're having discussions at a high level, agreeing to mutually beneficial arrangements, for example, where one group encrypts the data and the other exfiltrates.
"At some point, these groups will have to decide how they feel about cooperation – whether to further embrace it or become more competitive – but for now, the playing field is open for multiple attacks by different groups."
Sophos has previously reported on similar attacks, earlier this year detailing the story of one US public sector organisation that fell victim to a particularly messy attack, also involving LockBit.
In this attack, the initial compromise took place in September 2021 via RDP and saw an attacker gain access to one of the victim's servers, which they then used to research hacking tools that they subsequently attempted to install.
However, in January 2022 somebody with access to the network started to behave in a way that suggested a separate group had become involved – the activity became altogether more skilled and focused, and ultimately, a partially successful LockBit attack occurred.
This could indicate a number of different scenarios, but based on X-Ops research, it is very likely also an example of access having been sold on to multiple groups.
As with any investigation relying on observations made or incidents responded to by a single cyber security company, it is hard to say with any statistical certainty that multiple attacks are a trend, but Sophos incident response director Peter MacKenzie said the signs pointed to an answer in the affirmative. "This is something we're seeing affecting more and more organisations," he said.
As ever, attention properly paid to some basic aspects of cyber hygiene will reduce one's chances of falling victim to any cyber attack – let alone multiple concurrent ones.
Top recommendations include patching early and often, and ensuring patches are correctly applied; monitoring the cyber security community and news agenda to get a heads-up on new vulnerabilities; monitoring and responding to alerts, particularly during off-peak hours, at weekends or holidays; locking down accessible services used by VNC, RDP and the like; practising segmentation and zero trust; implementing strong passwords and multifactor authentication (MFA); taking inventories of all assets and accounts; using layered security to block attackers at more than one point, and extending that to all permitted endpoints; and configuring products correctly and checking them frequently.