The unspecified target fell victim to three prominent forms of ransomware – LockBit, Hive and BlackCat – with each cyber criminal gang encrypting files and leaving their own ransom demand for a decryption key.
According to analysis of the incidents, the first sign of suspicious activity occurred on December 2nd 2021, with an unknown attacker, possibly an initial access broker – a malicious hacker who breaches networks and sells access to other cyber criminals – establishing a remote desktop protocol (RDP) session on the organisation's domain controller for almost an hour.
Nothing happened for months – but then on April 20th 2022 a LockBit ransomware affiliate gained access to the corporate network, likely through the same vulnerable RDP instance, and started to steal data from four systems, exfiltrating it to a cloud storage service - likely for the purposes of a double extortion attack.
About a week later, the LockBit attacker was moving laterally around the network, using tools to steal passwords to gain access to additional systems and accounts in their quest to encrypt as many files and servers as possible.
Within a few days, ransomware was executed across at least nineteen systems, encrypting data and dropping ransom notes onto each infected machine. But things only got worse from there as the organisation came under attack from other ransomware groups – with one striking under two hours later.
This time, a cyber criminal operation using Hive ransomware gained access to the network, likely using the same RDP credentials used by the initial access broker and LockBit. The Hive affiliate worked quickly to access as many systems as possible, encrypting at least sixteen machines just 45 minutes later – some of these had already been encrypted by LockBit.
It's possible that the Hive attacker saw LockBit get deployed on the network and moved quickly to ensure that they could also attempt to make money from their own ransom demands.
But that wasn't the end of the ransomware attacks, because two weeks later a third ransomware group – BlackCat – also gained access to the network. The attackers moved around the network using stolen usernames and passwords before executing ransomware on several machines, encrypting data and dropping ransom notes.
In addition to this, the BlackCat attackers attempted to clear the logs not only relating to their own activities, but also the actions of the LockBit and Hive attacks. It was after this third incident that Sophos was called in to help fix the situation.
It's unclear whether the multiple attacks were coordinated, or whether it was three separate attacks which just happened to exploit the same vulnerabilities to access the network, but researchers describe the multiple attacks as "a side effect of operating in an increasingly crowded and commoditised marketplace" - and something that can make things much more problematic for victims of attacks.
Because not only are victims facing multiple adversaries, overlapping encryption and removal of data logs means it can be very difficult to recover from attacks – even if a ransom is paid.
"It's bad enough to get one ransomware note, let alone three. Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted," said John Shier, senior security advisor at Sophos.
"At some point, these groups will have to decide how they feel about cooperation—whether to further embrace it or become more competitive—but, for now, the playing field is open for multiple attacks by different groups," he added.
Falling victim to even just one ransomware attack and be devastating for an organisation and while it's possible to recover – and without paying a ransom – the best way to stay safe is by avoiding becoming a victim in the first place.
That starts with enforcing strong passwords and multi-factor authentication (MFA) across the network. As demonstrated in the incident above RDP and cloud services can provide cyber criminals with an easy way into networks because using legitimate credentials means they often go undetected – and many users still use easy-to-guess passwords. But by using a more complex password and applying multi-factor authentication, organisations can help protect accounts from being breached and exploited by cyber criminals.