Black Hat insights: Getting bombarded by multiple ransomware attacks has become commonplace

By Byron V. Acohido

The top ransomware gangs have become so relentless that it’s not unusual for two or more of them to attack the same company within a few days – or even a few hours.

Related: How ‘IABs’ foster ransomware

And if an enterprise is under an active ransomware attack, or a series of attacks, that’s a pretty good indication several other gangs of hacking specialists came through earlier and paved the way.

In short, overlapping cyber attacks have become the norm. This grim outlook is shared in a new white paper from Sophos. The report paints a picture of ransomware gangs arriving on the scene typically after crypto miners, botnet builders, malware embedders and initial access brokers may have already profited from earlier intrusions.

I had the chance to discuss these findings last week at Black Hat USA 2022, with John Shier, senior security advisor at Sophos, a next-generation cybersecurity leader with a broad portfolio of managed services, software and hardware offerings. For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Common infection paths

Security teams face a daunting challenge. They must detect and remediate multiple cyber attacks by numerous, determined hacking groups, sometimes coming at them simultaneously and quite often seeking different objectives.

Major vulnerabilities left unpatched, as well as weakly configured system administration tools, are sure to be discovered and exploited, not just once but many times over. Companies today must stay alert for a variety of leading-edge malware and be prepared to remediate double or even triple infections.

“The attackers are really competing for a quasi-non-exhaustible resource,” says Shier. “It’s not like if you’re trying to extract oil, and once the oil is out of the ground, it’s gone; a vulnerable system will continue to be vulnerable — until it’s patched.”

Sophos’ report shares findings from four separate ransomware attacks that took place within days or weeks of each other and, in one case, simultaneously. Most of the initial infections took advantage of an unpatched vulnerability, notably Log4Shell, ProxyLogon and ProxyShell, or involved the abuse of a weakly configured Remote Desktop Protocol (RDP) server.

Remediation obstacles

In an increasingly crowded threat environment, with active hacking groups bumping into each other, unpatched vulnerabilities and misconfigured servers get quickly discovered — and exploited to the hilt. In this maddeningly complex operating environment, the attackers are going to great lengths to hide their tracks, making comprehensive remediation a huge challenge.

Often companies fail to identify the vulnerability or misconfiguration exploited by the attackers, leaving the door open for other hackers to discover and exploit, Shier says.

In one of Sophos’ case studies, three prominent ransomware gangs — Hive, LockBit and BlackCat — attacked the same network, one after the other. The first two attacks took place within two hours, and the third attack took place two weeks later. Each of the three ransomware gangs encrypted whatever systems they could get their hands on; and each left its own ransom demand. Thus, some of the victim company’s assets got triple encrypted.

“All three of these actors abused a firewall misconfiguration that was exposing an RDP server,” Shier told me. “LockBit went in first and exfiltrated data and passwords, and then used PsExec to distribute their ransomware payload. So they used a hacking tool with a bit of living-off-the-land technique. The second group, Hive, used that same RDP access to get into the environment and move laterally within the organization and that occurred just two hours after the LockBit attackers had been in that particular network.”
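The access pattern Shier describes, an internet-exposed RDP server used by one actor and then by a second actor two hours later, with PsExec pushing the payload, leaves traces a defender can look for in Windows event logs. The following is an added example written for this article, not code from Sophos or from the report. It correlates constructed Windows Security 4624 logon events (logon type 10, RemoteInteractive) from non-RFC 1918 sources with System 7045 service-install events naming PsExec's PSEXESVC helper service, and flags time windows in which more than one external source IP used RDP. The event records, hostnames, usernames and IP addresses are simplified constructions, not a real log format or real telemetry.

```python
"""Correlate external RDP logons with PsExec service installs (added example).

Not Sophos's code or tooling. The records below are constructed to resemble the
fields of Windows Security 4624 (logon) and System 7045 (service installed)
events; the dict layout is a simplification, not the actual EVTX/XML schema.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (UTC). Three external RDP logons: two on 10 Jan from
# different source IPs two hours apart, one two weeks later; PsExec installs on
# two file servers shortly after the first logon; two internal logons as noise.
EVENTS = [
    {"time": "2022-01-10T02:05:00", "id": 4624, "logon_type": 10, "user": "svc_backup",
     "src_ip": "198.51.100.23", "host": "DC01"},
    {"time": "2022-01-10T02:20:00", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe", "host": "FS01"},
    {"time": "2022-01-10T02:21:00", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe", "host": "FS02"},
    {"time": "2022-01-10T04:10:00", "id": 4624, "logon_type": 10, "user": "administrator",
     "src_ip": "203.0.113.77", "host": "DC01"},
    {"time": "2022-01-10T04:30:00", "id": 4624, "logon_type": 3, "user": "administrator",
     "src_ip": "10.0.0.5", "host": "FS01"},
    {"time": "2022-01-10T09:00:00", "id": 4624, "logon_type": 10, "user": "jdoe",
     "src_ip": "10.0.0.42", "host": "DC01"},
    {"time": "2022-01-24T01:00:00", "id": 4624, "logon_type": 10, "user": "administrator",
     "src_ip": "192.0.2.9", "host": "DC01"},
]

# RFC 1918 ranges checked explicitly rather than via ip_address.is_global, which
# also treats the documentation ranges used in the sample data as non-global.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for loopback or RFC 1918 addresses; everything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def _t(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def external_rdp_logons(events: list) -> list:
    """4624 events with LogonType 10 (RemoteInteractive) whose source is not internal."""
    return sorted(
        (e for e in events
         if e["id"] == 4624 and e.get("logon_type") == 10 and not is_internal(e["src_ip"])),
        key=_t,
    )


def psexec_installs(events: list) -> list:
    """7045 events whose service name or image path names PsExec's PSEXESVC helper."""
    return [e for e in events if e["id"] == 7045
            and ("PSEXESVC" in e.get("service", "").upper()
                 or "PSEXESVC" in e.get("image", "").upper())]


def correlate(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """For each PsExec install, list the external RDP logons in the preceding window."""
    rdp = external_rdp_logons(events)
    findings = []
    for svc in psexec_installs(events):
        t = _t(svc)
        preceding = [r for r in rdp if t - window <= _t(r) <= t]
        findings.append({"host": svc["host"], "time": svc["time"],
                         "preceded_by": [(r["src_ip"], r["user"]) for r in preceding]})
    return findings


def distinct_external_sources(events: list, window: timedelta = timedelta(hours=24)) -> list:
    """Cluster external RDP logons by time; return clusters with more than one source IP.

    Several unrelated source addresses using the same exposed RDP service within a
    short span is the overlap the case study describes, not a single operator.
    """
    clusters = []
    for e in external_rdp_logons(events):
        if clusters and _t(e) - _t(clusters[-1][0]) <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    multi = []
    for c in clusters:
        sources = sorted({e["src_ip"] for e in c})
        if len(sources) > 1:
            multi.append(sources)
    return multi


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"PSEXESVC installed on {f['host']} at {f['time']}, preceded by {f['preceded_by']}")
    for sources in distinct_external_sources(EVENTS):
        print("Multiple external sources on the exposed RDP service:", sources)
```

On the sample data the two PSEXESVC installs trace back to the 02:05 logon from 198.51.100.23, and the 24-hour clustering surfaces a second external address, 203.0.113.77, using the same entry point two hours later; the logon two weeks later stands alone and is not flagged by that check. Closing the RDP exposure, not just cleaning up the first payload, is what stops the second finding from recurring.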

More tightening required

Even for companies with disaster recovery and incident response plans in place, withstanding multiple cyber attacks can be challenging. This is because one hacking group’s obfuscation tactics can hide the tracks of other attackers who’ve been there before them. Thorough remediation can be time consuming and expensive, and business continuity can still be materially disrupted.

The financial and reputational damage can be devastating, and the psychological impact overwhelming. “The question isn’t if you’ll get attacked again, it’s how many more times,” Shier observes.

Fresh intelligence like this from the ground floor of the cyber underworld can and should serve as yet another wake-up call. At this point, there’s little mystery about what companies need to do. Remediate breaches more comprehensively. Get much better at quickly patching critical vulnerabilities. Configure system administrative tools more wisely.

Observes Shier: “There are a lot of things we learned at the birth of the Internet that still apply today; security principles like least privileges and segregation of high value targets are vital. We’re starting to come back to those principles once more, under the guise of codifying things like Zero Trust Network Access, a framework that allows you to deploy and not necessarily trust anything until it has proven itself trustworthy through identity mechanisms baked into the protocol.”

Shier is spot on. Things are moving in a positive direction, albeit incrementally. For instance, he pointed out that after a spike in new RDP deployments, in response to the rise in remote work triggered by Covid-19, companies soon began implementing tighter controls by embracing frameworks like ZTNA.

There remains plenty of room for significantly more tightening, of course. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
