Beware of simultaneous cyber attacks, warns Sophos

It’s bad enough to be victimized by one threat actor at a time. But according to researchers at Sophos, some organizations are being struck by multiple attackers.

“Some attacks take place simultaneously; others are separated by a few days, weeks, or months,” Sophos said in a report today. “Some involve different kinds of malware, or double – even triple – infections of the same type.”

In one case study, three prominent ransomware gangs — Hive, LockBit and BlackCat — consecutively attacked the same network in rapid succession – each with its own ransom demand, with some files triple encrypted.

The researchers aren’t certain if multiple attacks are increasing. But Peter Mackenzie, Sophos’ director of incident response, said they are increasingly affecting more organizations. “It’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.”

The report says

  • the key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack;
  • multiple attacks often involve a specific sequence of exploits, especially after big, widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware;
  • while some threat actors are interdependent (e.g., initial access brokers later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access;
  • historically, threat actors have been protective of their infections, to the extent of kicking rivals off compromised systems;
  • ransomware actors, despite occasionally tangling with each other, seem less concerned about competition, and sometimes adopt strategies that directly or indirectly benefit other groups;
  • certain features of the underground economy may enable multiple attacks – for instance, initial access brokers reselling accesses, and ransomware leak sites providing data that other threat actors can later weaponize.

Sophos said in one of the attacks it studied, a ransomware group installed a backdoor which was later abused by a second ransomware group. In another incident, an organization was attacked by three ransomware groups in the space of a few weeks, all using the same misconfigured RDP server to gain access. Once inside, some files were encrypted by all three groups.

IT and security teams can lower the risk of being victimized by such attacks through basic cybersecurity hygiene, the report says. That means

–update everything;

–prioritize worst bugs first;

–work to eliminate misconfigurations;

–assume other attackers have found your vulnerabilities;

–don’t be slow in addressing an attack in progress;

–remember ransomware gangs often play nice with each other (as opposed to kicking someone off the network);

–noting that attackers open new backdoors;

–and remembering that some attackers are worse than others. “Not all ransomware strains are equal,” says the report. “Some have capabilities and features that may complicate attempts to respond to and investigate others – another reason to try to avoid becoming a victim of multiple attacks.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now