Victims Are Frequently Attacked at the Same Time by Several Ransomware Groups

Being posted on a ransomware leak website isn’t just embarrassing; it can also open you up to a follow-up attack from other ransomware gangs that assume the original vulnerability hasn’t been fixed. Cybersecurity company Sophos reports a rise in incidents in which several criminal gangs deploy ransomware onto the same victim.

One explanation for this is the ransomware business model, which is based on a central organization using affiliates to carry out the actual software delivery. In turn, many of those affiliates depend on access brokers who promote hacked networks on black market websites (see: More Ransomware-as-a-Service Operations Seek Affiliates).  

“Opportunistic, lower-tier” ransomware perpetrators find it easy to keep an eye on the leak sites run by ransomware gangs that name and shame victims to coerce them into paying. Betting on a listed victim’s lax protection costs them nothing. As a recent Sophos analysis puts it, “targeting firms that appear on leak sites won’t cost them anything.”

Because of how ransomware leak sites work, lower-level criminals may assume the original vulnerability is still present. A new listing on a leak site usually indicates that the victim has not complied with the demand, possibly for days or even weeks, according to security researcher Kevin Beaumont. The thinking goes, according to Sophos, “If a victim hasn’t replied to a ransom demand, they might not have addressed the infection vector, either.”

Of course, bottom feeders aren’t the primary cause of concurrent ransomware attacks. Typically, the access brokers that attackers rely on to find ready and easy targets do not sell exclusive access: the same compromised network may be sold to more than one buyer.

The security company also believes that ransomware groups don’t seem to have a problem launching multiple attacks against the same victim. Ransomware operators do not kill off competing processes, in contrast to other malware operators like criminals who covertly mine cryptocurrency. Ransomware isn’t limited by the requirement for long-term, undetected access, in contrast to cryptojacking, which functions best through unrestricted access to the victim’s computational resources.

It’s difficult to say whether overlapping attacks are advantageous or disadvantageous from the attacker’s point of view. On the one hand, anything that puts more pressure on the victim to pay is a plus. On the other hand, a second layer of encryption applied by a rival can leave an attacker unable to read, and therefore unable to credibly threaten to expose, the data if the ransom is not paid.

“In general, ransomware gangs don’t seem to be openly at odds with one another. In actuality, LockBit expressly does not prohibit affiliates from cooperating with rivals,” says John Shier, senior security counsel at Sophos, in reference to the well-known ransomware-as-a-service organization. The research also states that even if the victim corrected the initial vulnerability, ransomware attacks can spiral out of control.

Following a successful attack, ransomware groups could leave a backdoor in the enterprise network. In one case that Sophos highlighted, a victim was the target of two ransomware assaults within a four-month period, the second of which resulted from the backdoor that the threat actor in the first attack left behind and which was then discovered and exploited by yet another attacker.
