Security News > 2022 > August > Automotive supplier breached by 3 ransomware gangs in 2 weeks
An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours.
The attacks followed an initial breach of the company's systems by a likely initial access broker in December 2021, who exploited a firewall misconfiguration to breach the domain controller server using a Remote Desktop Protocol connection.
While dual ransomware attacks are increasingly common, "This is the first incident we've seen where three separate ransomware actors used the same point of entry to attack a single organization," Sophos X-Ops incident responders said in a report published Wednesday.
After the initial compromise, LockBit, Hive, and ALPHV/BlackCat affiliates also gained access to the victim's network on April 20, May 1, and May 15, respectively.
On May 1, LockBit and Hive ransomware payloads were distributed across the network using the legitimate PsExec and PDQ Deploy tools within two hours to encrypt more than a dozen systems during each attack and strong passwords if remote access is needed.
Networks should also be segmented by separating critical servers into VLANs, and the entire network should be scanned and audited for unpatched and vulnerable devices.