Sophos shares data from its new X-Ops unit at Black Hat in Nevada, revealing an increasing number of ransomware victims being attacked by multiple gangs simultaneously
Alex Scroxton, Security Editor
Published: 10 Aug 2022 8:24
A growing number of ransomware victims have found they are being attacked by multiple gangs, with attacks occurring in waves that can be days or weeks apart, or even simultaneously, according to cyber security company Sophos.
Presenting its findings at Black Hat USA 2022 in Nevada, the Sophos X-Ops team found that multiple ransomware exploitations boil down to two key issues: the target having failed to address significant exploitable vulnerabilities in its systems (Log4Shell, ProxyLogon and ProxyShell being among the most commonly exploited); or the target having failed to address malicious tooling or misconfigurations that previous attackers had left behind.
Furthermore, X-Ops, a recently launched unit within the business that combines its research and threat response teams to create an AI-assisted security operations centre (SOC), said that in many cases, access-as-a-service (AaaS) listings posted to dark web markets by initial access brokers (IABs) are sold on a non-exclusive basis, meaning they are often sold to multiple buyers.
"It's bad enough to get one ransomware note, let alone three," said John Shier, senior security advisor at Sophos. "Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cyber security that includes prevention, detection and response is critical for organisations of any size and type; no business is immune."
In its whitepaper, Multiple attackers: A clear and present danger, X-Ops shares the story of one recent incident in which three different ransomware crews, Hive, LockBit and BlackCat, consecutively attacked the same victim network, with the first two incidents unfolding in the space of just two hours, while the third attack came a fortnight later. In each case, the gang left its own ransom demand, and some of the victim's files were encrypted three times over.
This attack dates back to 2 December 2021, when a likely IAB established a remote desktop protocol (RDP) session on the victim's domain controller, a session lasting 52 minutes. Everything then went quiet until 20 April 2022, when LockBit gained access to the network, possibly, though not certainly, via the exposed RDP instance, and exfiltrated data from four systems to the Mega cloud storage service. A little over a week later, on 28 April, the LockBit operator began moving laterally and executed Mimikatz to steal passwords.
Then, on 1 May, they created two batch scripts to distribute the ransomware binary using the legitimate PsExec tool. It took 10 minutes to execute the binary on 19 hosts, encrypt the data and drop ransom notes. However, within the space of 120 minutes, a Hive affiliate appeared on the network using the PDQ Deploy tool to distribute its own ransomware binary, which executed within 45 minutes on 16 hosts.
The BlackCat (aka ALPHV) attack occurred on 15 May, when an affiliate gained access to the network, moved laterally using stolen credentials, and distributed its ransomware binaries, again using PsExec. These executed on six hosts within 30 minutes, and BlackCat began to clear the victim's Windows Event Logs relating not only to its own attack, but to those of LockBit and Hive. This significantly complicated subsequent Sophos investigations, which was, of course, BlackCat's intention.
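Two host-side signals recur in the timeline above: remote execution via PsExec, and the clearing of Windows Event Logs that later hampered the investigation. The following detector, added here as an illustration and not taken from the Sophos whitepaper or the incident data, runs over constructed Windows event records and flags the default PsExec service install (System Event ID 7045 with service name PSEXESVC) and log clearing (Security Event ID 1102, System Event ID 104), then correlates the two per host. The hostnames, timestamps and account names are invented; the event IDs and field names are the standard Windows ones.

```python
"""Added example: a small detector for two host signals from the incident
timeline, written for this article and not part of the Sophos whitepaper.
Signals: a service install consistent with PsExec (System Event ID 7045,
default service name PSEXESVC) and event-log clearing (Security Event ID
1102, System Event ID 104). All sample records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """Minimal view of one Windows event record (a constructed shape, not a full schema)."""
    ts: datetime
    host: str
    channel: str
    event_id: int
    data: dict = field(default_factory=dict)


# Constructed sample data. Field names follow the Windows EventData names;
# hostnames, times and accounts are invented for this illustration.
SAMPLE_EVENTS = [
    Event(datetime(2022, 5, 15, 9, 1), "fs01", "System", 7045,
          {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(datetime(2022, 5, 15, 9, 2), "fs02", "System", 7045,
          {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    # Benign service install on a third host: must not be flagged.
    Event(datetime(2022, 5, 15, 9, 5), "ws07", "System", 7045,
          {"ServiceName": "PrintWorkflowUserSvc_1a2b",
           "ImagePath": r"C:\Windows\system32\svchost.exe -k PrintWorkflow"}),
    # Log clearing on fs01 roughly 40 minutes after the PsExec install.
    Event(datetime(2022, 5, 15, 9, 40), "fs01", "Security", 1102,
          {"SubjectUserName": "svc_backup"}),
    Event(datetime(2022, 5, 15, 9, 41), "fs01", "System", 104,
          {"Channel": "Application", "SubjectUserName": "svc_backup"}),
    # Log clearing on a host with no preceding remote execution: reported
    # on its own, but not correlated.
    Event(datetime(2022, 5, 15, 11, 0), "dc01", "Security", 1102,
          {"SubjectUserName": "svc_backup"}),
]

# (channel, event id) pairs that record a log being cleared.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}


def detect_psexec_service_installs(events):
    """Return 7045 events whose service name or image path contains PSEXESVC.
    The default name can be changed by whoever runs the tool, so a miss
    means 'not seen', never 'not present'."""
    hits = []
    for e in events:
        if e.channel != "System" or e.event_id != 7045:
            continue
        blob = (e.data.get("ServiceName", "") + " " + e.data.get("ImagePath", "")).upper()
        if "PSEXESVC" in blob:
            hits.append(e)
    return hits


def detect_log_clears(events):
    """Return every event that records a log being cleared."""
    return [e for e in events if (e.channel, e.event_id) in LOG_CLEAR_IDS]


def hosts_with_remote_exec_then_clear(events, window=timedelta(hours=2)):
    """Hosts where a PsExec-style install is followed by a log clear within
    `window`. This is the sequence that destroys evidence of the earlier
    activity, so it is the one to alert on and the reason to forward logs
    off-host: a 1102 on a central collector survives the clear on the host."""
    installs = defaultdict(list)
    for e in detect_psexec_service_installs(events):
        installs[e.host].append(e.ts)
    flagged = set()
    for clear in detect_log_clears(events):
        for t in installs.get(clear.host, []):
            if timedelta(0) <= clear.ts - t <= window:
                flagged.add(clear.host)
                break
    return sorted(flagged)


def summarise(events):
    """Counts a responder would want at a glance."""
    return {
        "psexec_installs": len(detect_psexec_service_installs(events)),
        "log_clears": len(detect_log_clears(events)),
        "exec_then_clear_hosts": hosts_with_remote_exec_then_clear(events),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the sample data the detector reports two PsExec-style installs, three log clears and one host (fs01) where the clear followed the remote execution. The practical point is the last function: a 1102 or 104 event is only useful if a copy exists somewhere the attacker could not reach, so these rules belong on a central log collector rather than on the endpoint whose logs are being wiped.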
The X-Ops team said cyber criminal gangs were competing for resources that are ultimately limited to some degree, making it harder for them to operate simultaneously, and in some of the other attacks detailed in the wider whitepaper, the team described how other types of malware, such as cryptominers or remote access trojans (RATs), often make a virtue of being able to kill off competitors if found.
However, said Shier, when it comes to ransomware gangs, there appears to be less open antagonism. In fact, he said, LockBit explicitly does not forbid affiliates from working with competitors, as indicated in the Sophos whitepaper.
"We don't have evidence of collaboration, but it's likely this is due to attackers recognising there are a finite number of resources in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target, i.e. multiple attacks, the more likely the victims are to pay. Perhaps they're having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates.
"At some point, these groups will have to decide how they feel about cooperation, whether to further embrace it or become more competitive, but for now, the playing field is open for multiple attacks by different groups."
Sophos has previously reported on similar attacks, earlier this year detailing the story of one US public sector victim that fell victim to a particularly messy attack, also involving LockBit.
In this attack, the initial compromise occurred in September 2021 via RDP and saw an attacker access one of the victim's servers, which they then used to research hacking tools that they then attempted to install.
However, in January 2022, someone with access to the network began to act in a way that suggested another group had become involved; the activity became altogether more skilled and focused, and ultimately, a partially successful LockBit attack occurred.
This could indicate a variety of scenarios, but based on X-Ops research, it is highly likely also an example of access having been sold on to multiple groups.
As with any investigation relying on observations made or incidents responded to by a single cyber company, it is hard to say with any statistical certainty that multiple attacks are a trend, but Sophos incident response director Peter MacKenzie said the signs pointed to an answer in the affirmative. "This is something we're seeing affecting more and more organisations," he said.
As ever, attention paid to some basic aspects of cyber hygiene will reduce one's chances of falling victim to any cyber attack, let alone multiple concurrent ones.
Top tips include patching early and often, and ensuring patches are correctly applied; monitoring the cyber community and news agenda to get a heads-up on new vulnerabilities; monitoring and responding to alerts, particularly during off-peak hours, at weekends or holidays; locking down accessible services used by VNC, RDP and the like; practising segmentation and zero trust; enforcing strong passwords and multifactor authentication (MFA); taking inventories of all assets and accounts; using layered protection to block attackers at multiple points, and extending that to all permitted endpoints; and configuring products correctly and checking them frequently.