An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours.
The attacks followed an initial breach of the company’s systems by a likely initial access broker (IAB) in December 2021, who exploited a firewall misconfiguration to breach the domain controller server using a Remote Desktop Protocol (RDP) connection.
While dual ransomware attacks are increasingly common, “this is the first incident we’ve seen where three separate ransomware actors used the same point of entry to attack a single organization,” Sophos X-Ops incident responders said in a report published Wednesday.
Breached three times within two months
After the initial compromise, LockBit, Hive, and ALPHV/BlackCat affiliates also gained access to the victim’s network on April 20, May 1, and May 15, respectively.
On May 1, LockBit and Hive ransomware payloads were distributed across the network using the legitimate PsExec and PDQ Deploy tools within two hours to encrypt more than a dozen systems during each attack (the LockBit affiliate also stole data and exfiltrated it to the Mega cloud storage service).
“Because the Hive attack started 2 hours after Lockbit, the Lockbit ransomware was still running – so both groups kept finding files without the extension signifying that they were encrypted,” Sophos X-Ops added.
Two weeks later, on May 15, while the automotive supplier’s IT team was still restoring systems, a BlackCat threat actor also connected to the same management server compromised by LockBit and Hive.
After installing the legitimate Atera Agent remote access solution, they gained persistence on the network and exfiltrated stolen data.
Within half an hour, the BlackCat affiliate delivered its own ransomware payloads on the network using PsExec to encrypt six machines after moving laterally through the network using compromised credentials.
Last man out locks the door
By deleting shadow copies and clearing out the Windows Event Logs on the compromised systems, this last attacker also complicated recovery attempts and the Sophos team’s incident response efforts.
The BlackCat affiliate erased evidence that Sophos could’ve used to retrace the three ransomware gangs’ activity while in the victim’s network.
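The tradecraft described in this article (an RDP logon to the domain controller from outside the network, PsExec-driven deployment of ransomware payloads, shadow copy deletion and event log clearing) all leaves traces in standard Windows event records before the final attacker wipes them. The following is an added example, not Sophos' code or anything from its report: a small detector run over constructed sample events. The Event IDs used (4624 logon, 7045 service installed, 4688 process creation, 1102 audit log cleared) are real Windows IDs; the host names, timestamps, IP addresses and the simplified record layout are constructed for illustration, and a real deployment would read them from forwarded logs rather than a Python list.

```python
"""Flag the activity chain from the Sophos triple-ransomware case in Windows events.

Added example (not from the article or Sophos). SAMPLE_EVENTS is constructed
sample data in a simplified dict layout, not real telemetry.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed records: one external RDP logon to the DC, PsExec pushes to two
# hosts, then shadow copy deletion and log clearing on one of them, plus benign noise.
SAMPLE_EVENTS = [
    {"time": "2021-12-05T02:14:00", "host": "DC01", "id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.44"},
    {"time": "2022-05-01T13:02:10", "host": "MGMT01", "id": 7045,
     "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"time": "2022-05-01T13:02:11", "host": "FS02", "id": 7045,
     "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"time": "2022-05-15T09:40:02", "host": "FS02", "id": 4688,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2022-05-15T09:41:30", "host": "FS02", "id": 4688,
     "cmdline": "wevtutil.exe cl Security"},
    {"time": "2022-05-15T09:41:31", "host": "FS02", "id": 1102, "user": "admin"},
    # Benign noise: internal RDP, an ordinary service install, a normal process.
    {"time": "2022-05-02T08:00:00", "host": "WS10", "id": 4624,
     "logon_type": 10, "user": "alice", "src_ip": "10.20.1.15"},
    {"time": "2022-05-02T08:05:00", "host": "WS10", "id": 7045,
     "service": "Spooler2", "image": r"C:\Program Files\Vendor\svc.exe"},
    {"time": "2022-05-02T08:06:00", "host": "WS10", "id": 4688,
     "cmdline": "notepad.exe report.txt"},
]

# RFC 1918 ranges; anything else is treated as an external source.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)


def classify(ev):
    """Return a finding label for one event, or None if it looks benign."""
    eid = ev["id"]
    if eid == 4624 and ev.get("logon_type") == 10:
        # Logon type 10 is RemoteInteractive (RDP); flag when the source is not internal.
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in net for net in INTERNAL):
            return "rdp_logon_from_external"
    elif eid == 7045 and ev.get("service", "").upper() == "PSEXESVC":
        # PsExec installs its helper service on the target before running a command.
        return "psexec_service_installed"
    elif eid == 4688:
        cmd = ev.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            return "shadow_copy_deletion"
        if LOG_CLEAR.search(cmd):
            return "event_log_clear_command"
    elif eid == 1102:
        return "audit_log_cleared"
    return None


def detect(events):
    """Classify every record; return (host, time, label) findings sorted by time."""
    findings = [(ev["host"], ev["time"], lbl) for ev in events if (lbl := classify(ev))]
    return sorted(findings, key=lambda f: f[1])


def hosts_with_antiforensics(findings):
    """Hosts where shadow copies were deleted AND logs were cleared (the 'last man out' pattern)."""
    by_host = defaultdict(set)
    for host, _, label in findings:
        by_host[host].add(label)
    return sorted(h for h, labels in by_host.items()
                  if "shadow_copy_deletion" in labels
                  and labels & {"event_log_clear_command", "audit_log_cleared"})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, when, label in found:
        print(when, host, label)
    print("anti-forensic hosts:", hosts_with_antiforensics(found))
```

The point of keeping the findings as a timeline is that the first alert here (an RDP logon to the domain controller from an external address) predates the first encryption by months, which is the window in which the IAB foothold could have been found and closed; the 1102 event is only useful if logs are forwarded off the host, since it is the last thing written before the local log is gone.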
Sophos’ incident responders assisting the victim with the attack investigation in mid-May found files encrypted three times with Lockbit, Hive, and BlackCat ransomware, as well as three different ransom notes on encrypted systems.
“In fact, as shown in the screenshot below, some files had even been encrypted five times,” the Sophos team said.
How to defend against ransomware
Sophos also published a whitepaper sharing guidance on defending against similar attacks from multiple ransomware gangs.
Organizations are advised to keep their systems up to date and to investigate their environments for backdoors or vulnerabilities that threat actors leave behind as a failsafe for regaining access to the network if they are evicted.
Sophos also recommends locking down services like VNC and RDP or remote access solutions accessible from the outside.
If remote access is needed, these services should be reachable only through a VPN and only with accounts that have strong passwords and enforced multi-factor authentication (MFA).
Networks should also be segmented by separating critical servers into VLANs, and the entire network should be scanned and audited for unpatched and vulnerable devices.
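The initial breach in this case came from a firewall misconfiguration that left the domain controller reachable over RDP from the internet, which is exactly what the "lock down RDP/VNC behind a VPN" advice addresses. The following is an added example, not Sophos' whitepaper guidance or any vendor's tooling: a small first-match policy evaluator that audits an ordered firewall rule list for RDP/VNC allowed from non-internal sources, shown against a constructed weak policy and its corrected form. The rule tuple format, the addresses, the VPN gateway port and the VPN client pool range are all assumptions for the example; a real audit would parse the firewall's own export into the same shape.

```python
"""Audit an ordered firewall policy for internet-reachable RDP/VNC.

Added example (not from the article or Sophos). Policies are constructed
sample data in a generic (action, source_net, dest_net, port) first-match
format; port None means "any port".
"""
import ipaddress

REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5901: "VNC"}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed weak policy: an "any -> DC on 3389" rule sits above the final deny,
# so the domain controller (assumed 10.0.0.10) answers RDP from the internet.
WEAK_POLICY = [
    ("allow", "0.0.0.0/0",    "10.0.0.10/32", 3389),   # the misconfiguration
    ("allow", "0.0.0.0/0",    "10.0.0.20/32", 443),    # public web server
    ("allow", "10.0.0.0/8",   "10.0.0.0/8",   3389),   # internal admin RDP
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",    None),
]

# Constructed hardened policy: only the VPN gateway (assumed 10.0.0.5:443) is
# internet-facing; RDP to the DC is allowed only from the VPN client pool.
HARDENED_POLICY = [
    ("allow", "0.0.0.0/0",    "10.0.0.5/32",  443),
    ("allow", "10.99.0.0/24", "10.0.0.10/32", 3389),   # assumed VPN client pool -> DC
    ("allow", "10.0.0.0/8",   "10.0.0.0/8",   3389),
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",    None),
]


def first_match(policy, src, dst, port):
    """Evaluate one flow against an ordered rule list; default deny if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net, p in policy:
        if (src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net)
                and (p is None or p == port)):
            return action
    return "deny"


def is_internet_source(net):
    """A source range is internet-facing unless it lies entirely inside an RFC 1918 block."""
    net = ipaddress.ip_network(net)
    return not any(net.subnet_of(i) for i in INTERNAL)


def exposed_remote_access(policy):
    """Return (dest_net, service, rule_index) for allow rules that open RDP/VNC to
    internet sources AND actually win first-match (i.e. are not shadowed by an earlier deny)."""
    findings = []
    for idx, (action, s_net, d_net, port) in enumerate(policy):
        if action != "allow" or port not in REMOTE_ACCESS_PORTS or not is_internet_source(s_net):
            continue
        # Probe with the rule's own network addresses so the flow is inside both ranges.
        probe_src = str(ipaddress.ip_network(s_net).network_address)
        probe_dst = str(ipaddress.ip_network(d_net).network_address)
        if first_match(policy, probe_src, probe_dst, port) == "allow":
            findings.append((d_net, REMOTE_ACCESS_PORTS[port], idx))
    return findings


if __name__ == "__main__":
    print("weak policy exposures:    ", exposed_remote_access(WEAK_POLICY))
    print("hardened policy exposures:", exposed_remote_access(HARDENED_POLICY))
    # 203.0.113.9 is a documentation-range address standing in for "the internet".
    print("internet -> DC RDP (hardened):", first_match(HARDENED_POLICY, "203.0.113.9", "10.0.0.10", 3389))
    print("VPN pool -> DC RDP (hardened): ", first_match(HARDENED_POLICY, "10.99.0.7", "10.0.0.10", 3389))
```

The shadowing check matters in practice: a rule that looks dangerous in isolation may be unreachable because an earlier deny covers it, and conversely a permissive rule placed above the deny is the one that wins. The hardened policy keeps RDP working for administrators, but only from the VPN client pool, where the VPN itself is the place to enforce MFA and strong passwords; the segmentation advice above extends the same idea inside the network by putting critical servers in their own VLAN with equally narrow rules between segments.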