Sophos: Automotive Supplier Falls Victim to Cyber Extortionists Three Times

The groups LockBit, Hive and BlackCat compromised the network within about two weeks. Apparently, each of them used the same compromised RDP connection. Only after the third attack did the company approach Sophos for help.

An unnamed company from the automotive sector apparently fell victim to ransomware several times within a very short period of time. As researchers from Sophos report, the groups LockBit, Hive and BlackCat attacked the company – the attacks spanned a period of around two weeks in total.

Each gang encrypted files and left its own ransom note. In some cases, files were even encrypted multiple times. It is unclear whether these were coordinated attacks or whether the cyber extortionists just happened to exploit the same vulnerabilities in the network. The researchers call the attacks a “side effect of the increasing crowding and commercialisation of the market” for cyber extortion.

According to the incident analysis, the attacks began as early as 2 December 2021, when an unknown hacker broke into the company’s network and established a Remote Desktop Protocol (RDP) connection to the company’s domain controller for about an hour.

LockBit copies data to cloud storage

After that, nothing happened for several months until the LockBit ransomware was introduced into the company network on 20 April – probably via the same vulnerable RDP instance. Those behind this attack also copied data to cloud storage so that they could blackmail the company with the stolen data as well.

Over the next few days, the attackers spread the ransomware across the network and captured passwords to compromise more systems. They encrypted files on at least 19 systems and left a ransom note on each hacked computer.

While this attack was still ongoing, those behind the Hive ransomware also gained access to the company’s network. Sophos suspects that the RDP access credentials stolen back in December were used again. The Hive attackers then encrypted at least 16 computers on the company’s network in just 45 minutes. Some of these had already been encrypted by LockBit.

BlackCat additionally deletes traces of the attacks

Two weeks later, the third ransomware group, BlackCat, penetrated the network, compromised several systems and encrypted files. The BlackCat attackers also deleted log files to destroy traces of their intrusion. In the process, records of the LockBit and Hive actions were removed as well. Only then did the company ask Sophos for help.

“It’s already bad enough to receive one ransomware message, let alone three. Multiple attackers create a whole new level of complexity for recovery, especially when network files are triple-encrypted,” said John Shier, senior security advisor at Sophos. “At some point, these groups will have to decide how to think about collaboration – whether to keep promoting it or compete more – but for now, the playing field is open to multiple attacks from different groups.”