Forget about a single ransomware attack where one hacker or a hacking group targeted a network, infected it with ransomware and demanded ransom to decrypt the data hijacked. Get ready for multiple ransomware attacks on the same network, one after the other, using the same vulnerable door to enter the network.

Hackers have stepped up by launching well-orchestrated attacks in which more than one hacker or hacking group targets a network, encrypts the data more than once and poses multiple ransom demands to release the data.

This could make the process of reclaiming the data more cumbersome.

Cybersecurity experts have found instances where at least three hacking groups (Hive, LockBit and BlackCat) launched consecutive attacks on the same network.

“The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted,” cybersecurity solutions firm Sophos has said, referring to one particular example.

It seems there is no overt enmity or antagonism between the ransomware groups. They do not mind working together in launching coordinated attacks on the same networks.

“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos.

In a whitepaper titled ‘Multiple Attackers: A Clear and Present Danger,’ the firm said multiple attackers can create a whole new level of complexity for recovery, particularly when network files are triple encrypted.

The firm said prevention, detection and response are critical for organisations of any size and type to secure their data, as an attack on it can cause severe losses. No business is immune.

Overlapping attacks

The report also cites examples of ‘overlapping cyberattacks’, which include cryptominers, remote access trojans (RATs) and bots.

In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. Some attacks now are happening within days or weeks of each other. In one case, attacks happened simultaneously.

“We don’t have evidence of collaboration, but it’s possible this is due to attackers recognising that there are a finite number of ‘resources’ in an increasingly competitive market,” Shier said.

“Perhaps, they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates,” he pointed out.

“While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cybercriminals ample opportunity to continue heading in this direction,” the report said.