New research from Sophos discovers Hive, LockBit and BlackCat ransomware gangs consecutively or simultaneously attacking the same network.

New research presented in the Sophos X-Ops Active Adversary whitepaper “Multiple Attackers: A Clear and Present Danger” found that Hive, LockBit and BlackCat – three prominent ransomware gangs – consecutively attacked the same network.

The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple-encrypted.

The whitepaper further outlines additional cases of overlapping cyber-attacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other — and, in one case, simultaneously — often with the different attackers accessing a target’s network through the same vulnerable entry point.

Most of the initial infections for the attacks highlighted in the whitepaper occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon, and ProxyShell, or poorly configured, unsecured Remote Desktop Protocol (RDP) servers.

In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are some of the most popular listings sold on the dark web.