On May 1, 2022, an unnamed company in the automotive sector fell victim to what is surely one of the most nightmarishly contorted ransomware incidents ever reported.
Hopefully, that sentence has grabbed your attention, because untangling what happened on that day, as reported by security company Sophos, is a wild ride involving not one, not two, but three separate ransomware groups striking the same target within a matter of days.
Before we describe how this unfolded, let’s first underline that being attacked by three separate ransomware gangs at once isn’t simply three times as bad, it’s potentially many times more complex to respond to.
To give a flavor of what we mean by this, consider the bizarre fact that when Sophos analysts were called in to help, they discovered some files that had been encrypted up to five times over a period of days by successive attackers.
Ponder this for a second: a file that’s already encrypted gets encrypted again and again and again and again. If the victim wants the file back, does that mean they have to pay multiple attackers the same ransom?
Here’s a breakdown.
In December 2021, an unknown hacker used RDP to compromise the Windows domain controller in a session lasting 52 minutes.
In April 2022, an affiliate of the Lockbit group (perhaps tipped off about the likelihood of exposed RDP) returned to steal data from four hosts, extract passwords, and distribute the ransomware that launched the first attack on May 1.
Less than two hours later, a Hive affiliate, also using RDP, enters the network with its own ransomware, executing it on 16 hosts 45 minutes later.
By this stage, the victim realized it was under attack and started the process of restoring systems to the day before the first attack happened, April 30.
As the incident response team busied itself restoring systems from backups, unbeknownst to them a third group, BlackCat/Alphv, had gained access using the same RDP. On May 15, only a day after the restore process from the previous attacks was completed, the group executed its ransomware.
What do we learn from this series of events?
The first lesson, beyond the obvious fact that the organization had a weak RDP backdoor into its network, is that the third attack effectively erased forensic evidence necessary to understand what happened during the first two. That made the job of securing the victim from future attacks that much harder.
More generally, Sophos advises organizations to:
1. Think like an attacker and scan their network from the outside for exposed ports. Clearly, the victim wasn’t doing that.
2. Make life harder for attackers by segmenting the network.
3. Make life harder still by using multifactor authentication (MFA) on all accounts, especially privileged ones.
4. Prioritize early and regular patching of vulnerable services such as RDP.
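All three intrusions above came in through the same exposed RDP service, so the detection a defender most wants here is an alert on remote interactive logons arriving from outside the internal address space, and on a single external source fanning out to several hosts in a short window. The following is an added example, not code from Sophos or from the article; the event records are constructed, the internal ranges are an assumed allowlist, and the field names are a simplified stand-in for the fields of a Windows Security event 4624.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of simplified Windows 4624 logon events (not from the incident).
# logon_type 10 is RemoteInteractive, i.e. an RDP session; type 3 is a network logon.
SAMPLE_EVENTS = [
    {"time": "2022-05-01T01:10:00", "host": "DC01", "user": "svc_backup", "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2022-05-01T01:12:00", "host": "FS01", "user": "svc_backup", "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2022-05-01T01:15:00", "host": "APP02", "user": "svc_backup", "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2022-05-01T08:30:00", "host": "WS17", "user": "alice", "logon_type": 10, "src": "10.0.5.23"},
    {"time": "2022-05-01T09:00:00", "host": "DC01", "user": "bob", "logon_type": 3, "src": "198.51.100.4"},
]

# Assumed internal ranges; an RDP logon from anywhere else is treated as externally sourced.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def external_rdp_logons(events, nets=INTERNAL_NETS):
    """Return RDP (logon type 10) events whose source address is outside the internal ranges."""
    return [e for e in events if e["logon_type"] == 10 and not is_internal(e["src"], nets)]


def fan_out_sources(events, window_minutes=60, min_hosts=3):
    """Map each source IP that reached at least min_hosts distinct hosts within
    window_minutes to the sorted list of those hosts (lateral movement over RDP)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["time"])
            hosts = {e["host"] for e in evs[i:]
                     if (datetime.fromisoformat(e["time"]) - t0).total_seconds() <= window_minutes * 60}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    flagged = external_rdp_logons(SAMPLE_EVENTS)
    print(len(flagged), "external RDP logons;", "fan-out:", fan_out_sources(flagged))
```

Feeding real 4624 events through this logic would surface the December reconnaissance session against the domain controller long before any ransomware ran; the network logon from an external address (bob, type 3) is deliberately not matched, since the example targets the RDP path the article describes.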
Another lesson is not to assume this sort of multi-attack can’t happen to you. Earlier this year, Sophos publicized a similar attack involving two separate ransomware gangs attacking a company on the same day, so this is no longer unheard of.
This is a critical point. If a company fails to detect a major weakness in something like RDP, repeat attacks are now more likely, including within days or even hours of one another.
It’s hard enough cleaning up an attack without contemplating the horrible possibility that another group is quietly undermining this hard work behind your back.