Competition has always been fierce among cryptominers and RATs, but ransomware bucks the trend.
Since their inception, the Sophos Managed Detection and Response (MDR) and Rapid Response (RR) teams have been called in to investigate hundreds of ransomware incidents, including intervening in active attacks where the attackers were still on the target’s network.
In recent months, we’ve noticed an uptick in the number of cases where organizations have been attacked multiple times. Some attacks take place simultaneously; others are separated by a few days, weeks, or months. Some involve different kinds of malware, or double – even triple – infections of the same type.
Multiple attacks can be devastating for victims. Not only do they complicate remediation and business continuity plans, but the financial, reputational, and psychological impacts can be overwhelming. Our findings suggest a typical gap of around six weeks between attacks in cases where the same organization is attacked multiple times.
We wanted to explore how (and why) multiple attacks happen to certain targets. Recent case studies from our MDR and RR teams help illustrate how these attacks transpire; cooperation and competition among threat actors can explain why. Based on this analysis, we’ve provided eight pieces of advice that can help prevent multiple attacks.
By Matt Wixey, Sophos X-Ops