The FBI is warning of dual ransomware attacks, in which a victim organization is hit with two different ransomware variants in quick succession, sometimes within 48 hours of each other.
Several factors are enabling these dual attacks. Attackers are getting quicker at exploiting zero-day vulnerabilities. At the same time, the ransomware threat landscape is becoming more crowded, and initial access brokers are reselling access to already-compromised systems, which can put more than one group inside the same network. For victims, a dual attack means data is encrypted or exfiltrated more than once, which makes incident response more complex and difficult. This could "significantly harm" impacted organizations, said the FBI.
“During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal,” said the FBI this week in a Private Industry Notification, which it releases to help keep organizations aware of the latest cybersecurity threats. “Variants were deployed in various combinations. This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments.”
What is not clear is how prevalent these attacks actually are. Though the FBI noted that it has seen the method trending since July, the tactic is not entirely new. Last year, researchers with Sophos noted an uptick in organizations being hit by two or more threat actors. In one incident, researchers observed an organization’s data encrypted by three separate ransomware variants, Hive, LockBit and ALPHV/BlackCat, with the first two attacks happening within two hours of each other and the third weeks later. All three groups left their own ransom demand, and the organization’s files were encrypted two, or in some cases three, times.
Ransomware actors in general are deploying other tactics to put further pressure on victims. The FBI said that from early 2022, many groups increasingly used custom data-theft tools, wipers and other malware in their attacks.
“In some cases, new code was added to known data theft tools to prevent detection,” said the FBI. “In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.”
Overall, the FBI recommends that enterprises take several steps to protect themselves against these tactics. That includes maintaining offline data backups, making sure all backup data is encrypted, and monitoring all connections to third-party vendors and software for suspicious activity. Other mitigations include keeping all operating systems and software up to date, aligning password policies with NIST’s standards, implementing MFA, and reviewing domain controllers, servers and Active Directory for new or unrecognized accounts.
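The following PowerShell script is an added example, not code from the FBI notification or from the article, of carrying out the last of those checks: it lists Active Directory accounts created within a lookback window, any members of privileged groups created within that window, and the account-creation and group-membership Security events on each domain controller. It assumes the ActiveDirectory RSAT module is installed, that the session can read the domain and each DC's Security log, that the privileged groups carry their default English names, and that a 10-day window covers the suspected intrusion period; all four are assumptions to adjust.

```powershell
# Added example, not from the FBI notification or the article it quotes.
# Reviews Active Directory for new or unrecognized accounts, one of the
# recommended mitigations. Assumptions: ActiveDirectory RSAT module present,
# read access to the domain and to each DC's Security log, default English
# group names, and a 10-day lookback window (adjust to the suspected
# intrusion period).
Import-Module ActiveDirectory

$Cutoff = (Get-Date).AddDays(-10)

# Groups whose new members always warrant a second look (assumption: default
# English names; adjust for localized or custom privileged groups).
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'
)

# 1. User and computer objects created since the cutoff. whenCreated is a
#    replicated attribute, so a single directory query covers every DC.
Write-Host "== Accounts created since $Cutoff =="
$NewUsers     = Get-ADUser     -Filter { whenCreated -ge $Cutoff } -Properties whenCreated, Description, LastLogonDate
$NewComputers = Get-ADComputer -Filter { whenCreated -ge $Cutoff } -Properties whenCreated, Description, LastLogonDate
@($NewUsers) + @($NewComputers) |
    Sort-Object whenCreated |
    Format-Table Name, ObjectClass, whenCreated, Enabled, LastLogonDate, Description -AutoSize

# 2. Members of privileged groups (direct or nested) whose account object was
#    created since the cutoff. A freshly created admin is the classic sign of
#    an intruder establishing persistence.
Write-Host "== Privileged group members created since $Cutoff =="
foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ADObject -Identity $_.DistinguishedName -Properties whenCreated, SamAccountName
        } |
        Where-Object { $_.whenCreated -ge $Cutoff } |
        ForEach-Object {
            [pscustomobject]@{ Group = $Group; Account = $_.SamAccountName; Created = $_.whenCreated }
        }
}

# 3. Security events on every DC since the cutoff:
#    4720 = user account created; 4728 / 4732 / 4756 = member added to a
#    security-enabled global / local / universal group. These are written on
#    the DC that handled the change and are not replicated, so each DC is
#    queried. They also catch accounts that were created and later deleted,
#    which the directory queries above cannot see.
$EventIds = 4720, 4728, 4732, 4756
Write-Host "== Account creation and group-add events since $Cutoff =="
Get-ADDomainController -Filter * | ForEach-Object {
    $Dc = [string]$_.HostName
    Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $EventIds; StartTime = $Cutoff } |
        Select-Object @{ n = 'DC'; e = { $Dc } }, TimeCreated, Id,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
} | Sort-Object TimeCreated | Format-Table -AutoSize
```

The event section only returns results if the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled on the domain controllers, so check the audit policy before trusting an empty result. The review also only finds accounts that were created or promoted; intruders who reuse an existing account leave no trace here, so treat the script as a complement to log monitoring of logons and lateral movement, not a replacement for it.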