“This is something we’re seeing affecting more and more organizations, and it’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.”
“Many listings don’t include any mention of exclusivity at all,” according to Sophos. “And while reselling is generally forbidden on forums, it’s entirely possible that many AaaS listings are non-exclusive, and sold to multiple buyers to take advantage of growing demand – resulting in multiple attacks. In fact, on some marketplaces, such as Genesis, exclusivity can even require an additional fee.”
While historically threat actors deploying malware have been competitive – as seen with capabilities in cryptominers and RATs to kick other malware families off infected systems – ransomware actors don’t appear to follow this trend, said researchers. In several cases, ransomware groups have been observed targeting an organization already under attack by other threat actors, with some groups even operating together in partnership to exfiltrate and encrypt data.
“[When] it comes to attacks, [ransomware groups] generally seem happy to share targets,” said researchers. “They don’t terminate rival ransomware processes, or kick other malware out, because they’re not competing for CPU resources or botnet sizes – and they’re not constrained by the need for long-term, undetected access. So there isn’t really a need to ‘kill the competition.’”
This method appeared to work out for the trio of LockBit, Hive and BlackCat/ALPHV attackers observed by Sophos. After the LockBit affiliate first gained access to the network, the actors were able to exfiltrate data from four systems to cloud storage service Mega. They then moved laterally and leveraged Mimikatz to extract credentials before executing the ransomware binary on nineteen hosts. Less than two hours later, the Hive ransomware affiliate gained initial access and used the legitimate PDQ Deploy tool to deploy their ransomware binary, encrypting data on sixteen hosts. Finally, weeks later the BlackCat/ALPHV affiliate accessed the vulnerable network, moved laterally using compromised credentials, and dropped two ransomware binaries in order to encrypt data on six hosts.
However, while these double or triple ransomware attacks put pressure on the victim to pay, they may also complicate ransomware group tactics, such as the ability to leak data that has already been encrypted by another attacker. Also, if victims are faced with more than one ransom demand, they may simply be unable to pay the ransoms.