The U.S. Federal Bureau of Investigation (FBI) is warning of dual ransomware attacks, a worrisome new trend in the threat landscape in which threat actors hit the same victim twice.
“As of July 2023, the FBI noted two trends emerging across the ransomware environment and is releasing this notification for industry awareness. These new trends included multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks.” reads the Private Industry Notification published by the FBI. “The FBI noted a trend of dual ransomware attacks conducted in close proximity to one another.”
According to the FBI, threat actors deployed two different ransomware variants in the victims’ networks. The government experts observed the threat actors using the following ransomware families: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. Dual ransomware attacks resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments.
“Second ransomware attacks against an already compromised system could significantly harm victim entities.” continues the alert.
The experts also warn that multiple ransomware groups have increased their use of custom data theft tools, wiper tools, and malware to put pressure on victims and convince them to negotiate. In some cases, ransomware groups added their own code to known data theft tools to evade detection. In other cases in 2022, data wipers remained dormant until a set time to avoid detection and then used intermittent execution to corrupt data.
It is important to note that dual ransomware attacks are not a new phenomenon; in many past cases, victims’ systems were found infected with multiple ransomware strains.
Symantec’s Threat Hunter Team recently discovered a new ransomware family, which calls itself 3AM, that to date has only been deployed in a single incident in which the threat actors failed to deploy the LockBit ransomware.
The FBI’s PIN provides recommendations to network defenders for being prepared to respond to cyber incidents, optimizing identity and access management, implementing protective controls and architecture, and enhancing vulnerability and configuration management.