In his play, The Importance of Being Earnest, Oscar Wilde famously wrote: “To lose one parent, Mr. Worthing, may be regarded as a misfortune; to lose both looks like carelessness.” If he were alive today, Wilde could well be saying, “To be compromised by one ransomware actor may be regarded as unfortunate, to be compromised three times in two weeks looks like poor security posture.”
Yet, as outlined in a new Sophos report, here we are. That’s exactly what happened to one enterprise, an unnamed automotive supplies company, which fell victim to three different ransomware groups, three times, in the space of just 14 days.
Once, twice, three times a ransomware victim
In the ‘Multiple attackers: A clear and present danger’ whitepaper, Matt Wixey from the Sophos X-Ops team reports there has been “an uptick in the number of cases where organizations have been attacked multiple times.”
The attackers, in this case, were the ransomware gangs known as Hive, LockBit and BlackCat. The first two compromises happened very close together, separated by no more than 120 minutes in fact. The third, also successful, took place a full two weeks later. Each, however, left a ransom note, and, ultimately, some files were encrypted three times, making them all but impossible to retrieve.
Exploring the triple-threat ransomware timeline
According to the Sophos analysts, the timeline started way back on December 2, 2021, when a likely initial access broker held a 52-minute Remote Desktop Protocol (RDP) session on the victim’s domain controller. This paved the way for the triple-whammy ransomware attack to begin in earnest on April 20, when a LockBit affiliate accessed the network and exfiltrated data.
The same threat actor returned on April 28 to steal passwords, and on May 1 the ransomware binary was executed to encrypt data and drop a ransom note. This was quickly followed, in less than two hours as already mentioned, by a Hive affiliate dropping its own ransomware, encrypting the data again, and leaving another ransom demand.
The final part of this threat trilogy happened on May 15, with…