
Once, Twice, Three Times A Ransomware Victim: Triple-Hacked In Just 2 Weeks


Davey Winder, Senior Contributor (opinions expressed by Forbes Contributors are their own). Co-founder, Straight Talking Cyber. Aug 13, 2022, 06:02am EDT

In his play, The Importance of Being Earnest, Oscar Wilde famously wrote: “To lose one parent, Mr. Worthing, may be regarded as a misfortune; to lose both looks like carelessness.” If he were alive today, Wilde could well be saying, “To be compromised by one ransomware actor may be regarded as unfortunate; to be compromised three times in two weeks looks like poor security posture.” Yet, as outlined in a new Sophos report, here we are.

That’s exactly what happened to one enterprise, an unnamed automotive supplies company, which fell victim to three different ransomware groups, three times, in the space of just 14 days.

Once, twice, three times a ransomware victim

In the ‘Multiple attackers: A clear and present danger’ whitepaper, Matt Wixey from the Sophos X-Ops team reports there has been “an uptick in the number of cases where organizations have been attacked multiple times.” The attackers, in this case, were the ransomware gangs known as Hive, LockBit and BlackCat. The first two compromises happened very close together, separated by no more than 120 minutes in fact. The third, also successful, took place a full two weeks later.

Each, however, left a ransom note, and, ultimately, some files were encrypted three times, making them all but impossible to retrieve.

Exploring the triple-threat ransomware timeline

According to the Sophos analysts, the timeline started way back on December 2, 2021, when a 52-minute remote desktop protocol (RDP) session by a likely internet access broker on the victim’s domain controller took place. This paved the way for the triple-whammy ransomware attack to actually begin in earnest on April 20, when a LockBit affiliate accessed the network and exfiltrated data.

The same threat actor returned on April 28 to steal passwords, and on May 1 the ransomware binary was executed to encrypt data and drop a ransom note. This was quickly followed, in less than two hours as already mentioned, by a Hive affiliate dropping its own ransomware, encrypting the data again, and leaving another ransom demand. The final part of this threat trilogy happened on May 15, with a BlackCat group affiliate moving laterally through the network and dropping two ransomware binaries, encrypting data for the third time.

That same group returned two hours later to delete event logs relating to the activity of all three criminal outfits. A Sophos rapid response team was engaged later that same day.

(Figure: The triple-ransomware attack timeline. Source: Sophos)

How common is the multi-attack ransomware threat?

This series of incidents was atypical, it must be said: according to Sophos, when the same organization is impacted more than once, the gap between attacks is most often six weeks.

The end result, however, is the same: incident response is made more difficult, and, depending on how short the gap between successful compromises is, data recovery complexity is also increased. Sophos points out that it’s unusual for most criminal groups to work collaboratively, with many crypto mining and remote access trojan (RAT) exploits sold on the criminal forums advertising their ability to ‘kill’ other malware on the system. Ransomware groups could be an exception to this ‘no honor among thieves’ rule.

We already know that most ransomware actors, who control the code and the ransom demand dashboards, contract out the compromise phase of an attack to affiliate groups who get a cut of any ransom profit. These affiliates, in turn, buy their way into a network through internet access brokers (IABs) who advertise complete exploit packages. In the triple-threat case, BlackCat was the last group to arrive and deleted traces of the previous ransomware activity as well as its own.

Unlike criminal cryptomining gangs, could ransomware actors be collaborating?

While Sophos doesn’t have any evidence of such collaboration here, John Shier, senior security advisor at Sophos, says that it is possible gangs could be “having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates.” Shier also posits there could be a line of thinking that multiple attacks pile on the pressure to meet ransom demands. What’s most interesting to me here are the mechanics of the attacks, the ‘how’ they were able to succeed one after the other.

Interesting and important because understanding this helps us think strategically about multi-attack mitigation measures. Sophos says that multiple exploitations such as this are usually explained by two core failings:

· Unpatched vulnerabilities and misconfigurations have not been addressed quickly enough following the first attack, enabling a second threat actor to piggyback in through the same holes.

· Incomplete incident response to the first attack, or attacks in this example, effectively leaving a backdoor through which more threat actors can pile in.
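The timeline above turns on three signals a responder would want to pull out of the victim's logs: an RDP session on the domain controller months before the encryption, two different ransomware families encrypting within about two hours of each other, and the event-log clearing that followed the third attack. The script below is an added illustration, not code from the article or from Sophos: it runs a small timeline triage over a constructed set of Windows-style event records (the dates loosely follow the article; hosts, users and the EDR "encryption" alert format are assumptions). Event ID 4624 with logon type 10 (RemoteInteractive, i.e. RDP), 1102 (Security audit log cleared) and 104 (System log cleared) are real Windows event IDs.

```python
"""Timeline triage for a multi-attacker ransomware incident (added example).

Flags three things an incomplete first response tends to leave behind:
  1. RDP (logon type 10) logons to hosts that should not see them, e.g. a DC;
  2. distinct ransomware families encrypting within a short window of each other;
  3. event-log clearing (1102 / 104) after encryption, i.e. anti-forensics.
All sample records below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    event_id: int   # Windows event ID; 0 marks a (hypothetical) EDR alert
    detail: str     # free text: logon type, cleared log, alert kind
    family: str = ""  # ransomware family, only set on EDR encryption alerts


# Constructed sample timeline (hosts and users are invented).
SAMPLE_EVENTS = [
    Event(datetime(2021, 12, 2, 3, 10), "DC01", 4624, "LogonType=10 user=svc_backup"),
    Event(datetime(2022, 4, 20, 22, 5), "FS01", 4624, "LogonType=3 user=jdoe"),
    Event(datetime(2022, 5, 1, 1, 0), "FS01", 0, "encryption", family="LockBit"),
    Event(datetime(2022, 5, 1, 2, 40), "FS01", 0, "encryption", family="Hive"),
    Event(datetime(2022, 5, 15, 9, 0), "FS01", 0, "encryption", family="BlackCat"),
    Event(datetime(2022, 5, 15, 11, 5), "DC01", 1102, "Security log cleared by Administrator"),
    Event(datetime(2022, 5, 15, 11, 6), "DC01", 104, "System log cleared"),
]


def rdp_logons(events, sensitive_hosts):
    """4624 logons with LogonType=10 (RDP) on hosts where RDP is not expected."""
    return [e for e in events
            if e.event_id == 4624 and "LogonType=10" in e.detail and e.host in sensitive_hosts]


def encryption_events(events):
    """EDR encryption alerts in chronological order."""
    return sorted((e for e in events if e.detail == "encryption"), key=lambda e: e.when)


def overlapping_families(events, window=timedelta(hours=2)):
    """Pairs of different ransomware families that encrypted within `window` of each other."""
    hits = []
    for a, b in combinations(encryption_events(events), 2):
        gap = abs(b.when - a.when)
        if a.family != b.family and gap <= window:
            hits.append((a.family, b.family, gap))
    return hits


def repeat_attack_gaps(events):
    """Gaps between consecutive encryption events; the article cites ~six weeks as typical."""
    enc = encryption_events(events)
    return [(a.family, b.family, b.when - a.when) for a, b in zip(enc, enc[1:])]


def log_clearing_after_encryption(events):
    """1102/104 events that occur after the first encryption alert (anti-forensics)."""
    enc = encryption_events(events)
    if not enc:
        return []
    first = enc[0].when
    return [e for e in events if e.event_id in (1102, 104) and e.when > first]


def triage(events, sensitive_hosts=("DC01",)):
    """Summary a responder can act on; every list is empty when nothing was found."""
    return {
        "rdp_on_sensitive_hosts": rdp_logons(events, set(sensitive_hosts)),
        "overlapping_families": overlapping_families(events),
        "attack_gaps": repeat_attack_gaps(events),
        "logs_cleared_after_encryption": log_clearing_after_encryption(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run against the constructed timeline, it reports the RDP logon on DC01, the LockBit/Hive pair 100 minutes apart, a 14-day gap before BlackCat, and the two log-clearing events on the domain controller; a real deployment would feed it parsed Security/System log exports and EDR alerts rather than the inline list.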



From: forbes
URL: https://www.forbes.com/sites/daveywinder/2022/08/13/once-twice-three-times-a-ransomware-victim-triple-hacked-in-just-2-weeks/
