
Hive, LockBit, BlackCat Ransomware Gangs Attack Same Network Sophos


Sophos reports in its Sophos X-Ops Active Adversary whitepaper on multiple attackers that Hive, LockBit, and BlackCat, three prominent ransomware gangs, attacked the same network one after another.

The first two attacks took place within two hours of each other, and the third came two weeks later. Each gang left its own ransom note, and some files ended up encrypted three times over, once by each gang.

Overlapping Ransomware Attacks Described by Sophos

John Shier, senior security advisor at Sophos, remarked that it is bad enough to get one ransomware note, let alone attacks from three teams. Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted.
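To make the recovery problem concrete, the following added example (written for this page; it is not Sophos code and does not model any real ransomware family's cipher) simulates three independent actors each encrypting the same file with their own key. The cipher is a toy HMAC-SHA256 keystream standing in for the AES or ChaCha20 that real ransomware uses, and the file contents, keys and the "%PDF-" magic check are constructed for the demonstration. What it shows is the layering behaviour: every layer has to be peeled in the reverse of the attack order, a decryptor from only one of the three gangs recovers nothing, and a wrong key yields garbage rather than an error, so the recovery tooling needs a plaintext check of its own.

```python
"""Added example: why triple-encrypted files need all three keys, in order.

Toy stream cipher (HMAC-SHA256 in counter mode) used only to demonstrate
layering; real ransomware uses AES/ChaCha20, but the layering logic is the same.
"""
import hashlib
import hmac
import os
from typing import List, Optional

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce) with HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt_layer(key: bytes, data: bytes, nonce: Optional[bytes] = None) -> bytes:
    """One gang's encryption pass over whatever is on disk: nonce || (data XOR keystream)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Undo one layer. With the wrong key this silently returns garbage, not an error."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def encrypt_layers(data: bytes, keys_in_attack_order: List[bytes]) -> bytes:
    """Apply each actor's layer in the order they hit the network (first attacker innermost)."""
    for key in keys_in_attack_order:
        data = encrypt_layer(key, data)
    return data


def recover(blob: bytes, decryptors: List[bytes], magic: bytes) -> Optional[bytes]:
    """Peel layers with the given decryptor keys in the given order.

    Because a wrong key produces plausible-looking bytes, the result is accepted
    only if it starts with the expected file magic. Returns None when the order is
    wrong or any layer's key is missing.
    """
    for key in decryptors:
        blob = decrypt_layer(key, blob)
    return blob if blob.startswith(magic) else None


if __name__ == "__main__":
    # Constructed sample file and three constructed per-actor keys (hypothetical values).
    sample_file = b"%PDF-1.7\n% constructed quarterly report\n"
    hive_key, lockbit_key, blackcat_key = (os.urandom(32) for _ in range(3))
    attack_order = [hive_key, lockbit_key, blackcat_key]

    ransomed = encrypt_layers(sample_file, attack_order)

    # Full recovery needs every key, applied last-attacker-first.
    print(recover(ransomed, attack_order[::-1], b"%PDF-") == sample_file)
    # Same keys in attack order: garbage, rejected by the magic check.
    print(recover(ransomed, attack_order, b"%PDF-"))
    # Paying only the middle gang (LockBit) buys nothing while BlackCat's layer is on top.
    print(recover(ransomed, [lockbit_key], b"%PDF-"))
```

The magic-byte check is the part worth keeping in any real recovery script: stream ciphers and most ransomware decryptors will happily "decrypt" with the wrong key and hand back bytes that are neither an error nor the original file, so a recovery run over thousands of files needs an independent plausibility check per file rather than trusting that the decryptor exited cleanly.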

The whitepaper further outlines additional cases of overlapping attacks involving cryptominers, remote access trojans (RATs), and bots. In the past, when multiple attackers targeted the same system, the attacks were usually spread across many months or multiple years.

The intrusions described in Sophos' whitepaper took place within days or weeks of each other, and in one case simultaneously, often with different attackers entering the target's network through the same vulnerable entry point.

Typically, criminal groups compete for resources, which makes it harder for multiple attackers to operate on the same system at once. Cryptominers normally kill competing miners on a host they infect, and today's RATs are often advertised on criminal forums with bot killing as a feature.

Possible Cooperative Relationship between Gangs

In the attack involving the three ransomware groups, for example, BlackCat, the last group on the system, not only deleted traces of its own activity but also wiped the traces left by LockBit and Hive.

In another case, a system was infected with LockBit ransomware. About three months later, members of the Karakurt Team, a group with reported ties to Conti, used the backdoor LockBit had left behind to steal data and hold it for ransom.

On the whole, ransomware groups do not appear openly antagonistic towards one another. LockBit, as the Sophos whitepaper notes, explicitly does not forbid its affiliates from working with competitors.

Conceivably they believe that the more pressure placed on a target, that is, multiple attacks, the more likely the victim is to pay. It is also possible that the groups are talking at a high level and striking mutually beneficial arrangements, for example one group encrypting the data while the other exfiltrates it.

In most of the multiple-attacker cases, the victim had failed to remediate the initial attack effectively, for instance by leaving the original entry point unpatched or the attacker's backdoor in place, which left the door open for the next intruder.
