Three ransomware attacks were launched against a supplier to the automotive industry
Three ransomware attacks were launched against a supplier to the automotive industry in May 2022. All three threat actors used different ransomware strains and attack techniques, but they all took advantage of a firewall rule that exposed Remote Desktop Protocol (RDP) on a management server.
The first ransomware group, LockBit, used Mimikatz to harvest passwords, exfiltrated data to the Mega cloud storage service, and pushed its ransomware binary across the network with PsExec. The second gang, Hive, used RDP to move laterally just two hours after the LockBit threat actor dropped their ransomware.
An ALPHV/BlackCat affiliate then gained access to the network, deployed the Atera Agent (a legitimate remote access tool) to establish persistence, and stole data while the victim was restoring from backups. Two weeks after the LockBit and Hive attacks, this threat actor deployed their ransomware and wiped the Windows Event Logs. During its investigation, the Sophos Rapid Response (RR) team found some files that had been encrypted up to five times. It is the first time a single company has been targeted by three independent ransomware attackers using the same point of access.
Despite twin ransomware attacks becoming more common, “this is the first occurrence we’ve witnessed where three independent ransomware attackers used the same point of entry to target a single firm,” according to a study published on Wednesday by Sophos X-Ops incident responders.