Three Ransomware Gangs Fight Over Spoils

One Victim – Three Hacking Groups

In recent times, it shows that dark web hacking groups have joined forces together to wreak devastating havoc on the same targeted victim. The latest hacking breach was discovered by cyber security analysts, which stated that hackers from the dark web have been targeting the same victims in quick successions.

Recently, an unnamed supplier of automotive vehicle parts has come under three ransomware attacks within the same period. Two attacks just two hours apart, the third in another two short weeks – One victim.

In May, according to analytical reports, during the noted period, three different ransomware hacking groups were seen compromising the computers of a single victim. The hackers were able to infiltrate the network database and encrypted the private files of the automotive supplier. However, the most devastating attacks took place only within two hours of each other.

The first ransomware attack came when the first suspected hack initially happened when a broker (IAB) accessed the automotive company’s network systems in December 2021. Cyber analysts revealed that the hackers utilized a Remote Desktop Protocol (RDP) connection, thus enabling them to detect that the company’s firewall was improperly configured, which gave the threat actors access to inject their malicious malware payloads.

With newly granted access to the domain controller server, the three recent ransomware attacks were executed by different criminal gangs, who targeted the same security flaw, in short succession.

Three Rapid Ransomware Hacks

The security researchers reported that they found the three separate hacks on the targeted website to be uniquely remote.

According to the team, it is the first occurrence where three independent ransomware groups of criminals exploited a single business, at almost the same time. However, they also acknowledged that recently they have noticed that dual ransomware attacks on the same target have become the new trend from the hacking community.

LockBit, Hive, and ALPHV/BlackCat hackers have been linked to the last three intrusions that were executed only a few weeks apart. The threat actors of each group gained access to the automotive company’s database on April 20, May 1, and May 15. But the last three rapid attacks happened after the initial ransomware attack discovered last April.

On May 1, the first of the three recent attacks was executed by the Hive hackers, and the second was done by the LockBit hacking group with both ransomware payloads transmitted just two hours apart. The analysis provided for each attack shows that both ransomware gangs encrypted over one dozen systems files. In addition, the LockBit threat actors exfiltrated some stolen data that were transferred to the Mega cloud storage service.

The Sophos X-Ops security team revealed that the simultaneous attacks happened because the LockBit ransomware was still in the process of retrieving files to encrypt when the Hive hacking group launched their assault, just about two hours after LockBit. Thus, both ransomware groups detected and encrypt the same files, without any knowledge of the targeted files being already encrypted by the other.

Hackers Delete Footprints

Meanwhile, two weeks later, the BlackCat hackers breach the same victim’s management server, which criminal hackers associated with Hive and LockBit had already infiltrated earlier. Notably, the BlackCat threat actors launch their attack, while the company’s Information Technology team was feverishly working to fix the problem.

But they were still able to gain access through the already installed Atera Agent remote access tool, with this they were able to infiltrate the data network and exfiltrated the company’s private information.

The final attack was the most devastating, as it was very difficult to perform successful recovery of the encrypted files. Sophos’ cyber security team reported that the BlackCat hackers were able to delete the Windows Event Logs, thus making it unlikely to track the three groups of criminals, which had successfully compromised a single victim network systems.