Ransomware Leak Site Listings Invite Follow-On Attacks

Victims Often Attacked Simultaneously by Multiple Ransomware Groups
Being listed on a ransomware leak site isn't just embarrassing - it may also be an invitation for a follow-up attack by other ransomware gangs betting that the original vulnerability has gone unpatched.

Cybersecurity firm Sophos says it's detected an uptick in incidents involving multiple criminal gangs dropping ransomware onto the same victim.

One reason for that stems from the business model behind ransomware: a service powered by a central group that relies on affiliates to do the actual work of delivering malware. Many of those affiliates, in turn, rely on access brokers who advertise compromised networks on criminal marketplaces (see: More Ransomware-as-a-Service Operations Seek Affiliates).

For "opportunistic, lower-tier" ransomware actors, it's simpler to monitor the leak sites maintained by ransomware gangs who pressure victims into paying up through naming and shaming. There's nothing to lose by gambling on the poor security of a ransomware victim. "It won't cost them anything to target organizations that appear on leak sites," Sophos says in a new report.

One reason lower-tier criminals may suspect the vulnerability remains open comes down to the nature of ransomware leak boards. As security researcher Kevin Beaumont points out, an entry on a ransomware board likely means the victim hasn't responded to the demand, perhaps for days or even weeks. "If a victim hasn't responded to a ransom demand, they might not have addressed the infection vector, either," goes the reasoning, says Sophos.

Bottom feeders aren't the only reason simultaneous ransomware attacks occur, of course. The access brokers cybercriminals use to find ready and easy victims typically don't sell exclusive access.

Multiple attacks on the same victim don't seem to be a big deal for ransomware groups, the security firm also concludes. Unlike other malware operators, such as criminals who surreptitiously mine cryptocurrency, ransomware operators don't terminate rival processes. Unlike cryptojacking, which works best through unfettered access to the victim's computing resources, ransomware isn't constrained by a need for long-term, undetected access.

Whether overlapping attacks are a good or bad thing, from the attacker's perspective, is hard to say. On one hand, anything that applies additional pressure to pay up is good. On the other, multiple layers of encryption mean an attacker can no longer threaten to leak the data as a consequence for failure to pay the ransom.

"On the whole, ransomware groups don't appear openly antagonistic toward one another. In fact, LockBit explicitly doesn't forbid affiliates from working with competitors," says John Shier, senior security adviser at Sophos, referring to the high-profile ransomware-as-a-service group.

The report also says that one ransomware attack may lead to another, even if the victim patched the original vulnerability. Ransomware groups may leave a backdoor in the company network after a successful attack. In one incident highlighted by Sophos, a victim experienced two ransomware attacks within four months; the second stemmed from a backdoor left behind by the threat actor in the first attack, which a different attacker found and used.


About the Author

Prajeet Nair

Principal Correspondent, ISMG

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.
