Sophos researchers have discovered that the LockBit, Hive, and BlackCat ransomware operations have simultaneously attacked an unnamed organization, ZDNet reports.
After a suspected intrusion by an initial access broker that established a remote desktop protocol session last December, the organization's network was infiltrated by a LockBit ransomware affiliate through a vulnerable RDP instance in April, the report revealed.
The LockBit affiliate deployed ransomware on nineteen or more systems before a Hive ransomware affiliate, suspected of using the same RDP credentials, moved immediately to encrypt systems. BlackCat attackers were observed infiltrating the network two weeks later, with the threat actors not only spreading ransomware but also concealing their own activity along with that of the LockBit and Hive attacks.
"It's bad enough to get one ransomware note, let alone three. Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. At some point, these groups will have to decide how they feel about cooperation, whether to further embrace it or become more competitive, but, for now, the playing field is open for multiple attacks by different groups," said Sophos Senior Security Advisor John Shier.