Ransomware Leak Site Listings Invite Follow-On Attacks

Victims Often Attacked Simultaneously by Multiple Ransomware Groups
Being listed on a ransomware leak site isn't just embarrassing - it may also be an invitation for a follow-up attack by other ransomware gangs betting that the original vulnerability has gone unpatched.
Cybersecurity firm Sophos says it's detected an uptick in incidents involving multiple criminal gangs dropping ransomware onto the same victim.
One reason for that stems from the business model behind ransomware: a service powered by a central group that relies on affiliates to do the actual work of delivering malware. Many of those affiliates, in turn, rely on access brokers who advertise compromised networks on criminal marketplaces (see: More Ransomware-as-a-Service Operations Seek Affiliates).
For "opportunistic, lower-tier" ransomware actors, it's simpler to monitor the leak sites maintained by ransomware gangs who pressure victims into paying up through naming and shaming. There's nothing to lose by gambling on the poor security of a ransomware victim. "It won't cost them anything to target organizations that appear on leak sites," Sophos says in a new report.
One reason lower-tier criminals may suspect the vulnerability remains open comes down to the nature of ransomware leak boards. As security researcher Kevin Beaumont points out, an entry on a ransomware board likely means the victim hasn't responded to the demand, perhaps for days or even weeks. "If a victim hasn't responded to a ransom demand, they might not have addressed the infection vector, either," goes the reasoning, says Sophos.
Bottom feeders aren't the only reason simultaneous ransomware attacks occur, of course. The access brokers cybercriminals use to find ready and easy victims typically don't sell exclusive access.
Multiple attacks on the same victim don't seem to be a big deal for ransomware groups, the security firm also concludes. Unlike other malware operators, such as criminals who surreptitiously mine cryptocurrency, ransomware operators don't terminate rival processes. Unlike cryptojacking, which works best through unfettered access to the victim's computing resources, ransomware isn't constrained by a need for long-term, undetected access.
Whether overlapping attacks are a good or bad thing, from the attacker's perspective, is hard to say. On one hand, anything that applies additional pressure to pay up is good. On the other, multiple layers of encryption mean attackers can't threaten to leak the data as a consequence of failure to pay the ransom.
"On the whole, ransomware groups don't appear openly antagonistic toward one another. In fact, LockBit explicitly doesn't forbid affiliates from working with competitors," says John Shier, senior security adviser at Sophos, referring to the high-profile ransomware-as-a-service group.
The report also says that one ransomware attack may lead to another, even if the victim patched the original vulnerability. Ransomware groups may leave a backdoor in the company network after a successful attack. In one incident highlighted by Sophos, a victim experienced two ransomware attacks within four months: the first threat actor left a backdoor behind, and a second, unrelated attacker found and used it.