October 4, 2023
Severity
High
Analysis Summary
The FBI has issued a warning about a newly emerging trend of dual ransomware attacks, in which the same victim is hit by two attacks in close proximity to each other. This trend has been observed since at least July 2023.
“During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal,” the FBI said in a published report.
Researchers observed that these attacks make increased use of custom wiper tools, data theft, and malware to pressure victims into paying the ransom. The deployment of dual ransomware variants combines data encryption, exfiltration, and financial losses from ransom payments. The agency further warned that subsequent ransomware attacks on systems that are already compromised could inflict significant harm on the victim organizations.
“Second ransomware attacks against an already compromised system could significantly harm victim entities.”
Unlike in the past, when ransomware groups usually took at least 10 days to carry out such follow-on attacks, the latest data reveals that the vast majority of ransomware incidents targeting the same victim now occur within a narrow 48-hour window.
Dual ransomware attacks are not entirely new; they were reported as early as May 2021. Last year, an automotive company was hit by a triple ransomware attack involving LockBit, BlackCat, and Hive. Later, in early September, a 3AM ransomware attack on an unnamed victim was followed by an unsuccessful attempt to deliver LockBit into the compromised network.
There are many reasons for these shifts in tactics, including the exploitation of zero-day vulnerabilities and the increasing use of initial access brokers. Organizations are strongly advised to strengthen their defenses against these threats by maintaining offline backups, enforcing multi-factor authentication, and monitoring their systems.
“[The FBI] recommends network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by ransomware,” the report added.
Impact
- Financial Loss
- Sensitive Data Theft
- Data Encryption
Remediation
- Promptly update your passwords across all of your online accounts. Utilize a robust password generator to fortify the security of your accounts.
- Prompt all users to change their passwords, especially if their credentials were exposed. Encourage the use of strong, unique passwords.
- Implement 2FA or multi-factor authentication to add an additional layer of security for user accounts.
- Exercise caution with incoming spam emails, unsolicited text messages, and phishing attempts.
- Avoid interacting with any suspicious content, including emails and texts from unfamiliar senders.
- Regularly update and patch software and systems to address vulnerabilities that may have led to the breach.
- Review and strengthen access controls to restrict unauthorized access to sensitive data.
- Conduct regular security audits and vulnerability assessments to identify and address security weaknesses and potential threats.
- Maintain offline, encrypted, and immutable backups of the entire data infrastructure to ensure uninterrupted access and protection from infections.
- Assess the security of third-party vendors and monitor their connections for suspicious activity.
- Audit and restrict user accounts with administrative privileges, following the principle of least privilege.
- Implement network segmentation to restrict ransomware spread, controlling traffic between subnetworks and limiting adversary lateral movement.
- Utilize a network monitoring tool to identify, detect, and investigate abnormal activity and ransomware traversal, with a focus on lateral movement. Endpoint detection and response (EDR) tools can be particularly valuable for this purpose.
- Ensure all hosts have updated and real-time antivirus software for continuous threat detection.
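The 48-hour window described in the analysis above, and the monitoring recommendation in the last bullets, can be turned into a simple correlation rule. The following is an added example, not code from Rewterz or the FBI report; the alert records, victim names and field names are constructed for illustration, and a real deployment would feed it the ransomware-family detections emitted by an EDR or SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from the advisory): one record per
# ransomware-family detection on a victim, as an EDR or SIEM might emit.
SAMPLE_ALERTS = [
    {"ts": "2023-09-01T08:00:00", "victim": "acme-corp", "family": "AvosLocker"},
    {"ts": "2023-09-02T14:30:00", "victim": "acme-corp", "family": "Hive"},
    {"ts": "2023-09-01T09:00:00", "victim": "globex", "family": "LockBit"},
    {"ts": "2023-09-20T09:00:00", "victim": "globex", "family": "Royal"},
    {"ts": "2023-09-03T10:00:00", "victim": "initech", "family": "Quantum"},
    {"ts": "2023-09-03T12:00:00", "victim": "initech", "family": "Quantum"},
]

# Window taken from the advisory: most follow-on attacks land within 48 hours.
DUAL_WINDOW = timedelta(hours=48)


def find_dual_attacks(alerts, window=DUAL_WINDOW):
    """Return (victim, first_family, second_family, gap_hours) for every pair
    of alerts on the same victim that involve two different ransomware
    families and fall within `window` of each other.

    Repeated detections of the same family are ignored, so a single intrusion
    that fires twice does not count as a dual attack."""
    by_victim = defaultdict(list)
    for a in alerts:
        by_victim[a["victim"]].append(
            (datetime.fromisoformat(a["ts"]), a["family"])
        )

    hits = []
    for victim, events in by_victim.items():
        events.sort()  # chronological, so the inner loop can stop early
        for i, (t1, f1) in enumerate(events):
            for t2, f2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # later events are further away still
                if f2 != f1:
                    gap_hours = (t2 - t1).total_seconds() / 3600
                    hits.append((victim, f1, f2, gap_hours))
    return hits


if __name__ == "__main__":
    for victim, f1, f2, gap in find_dual_attacks(SAMPLE_ALERTS):
        print(f"{victim}: {f1} followed by {f2} after {gap:.1f} h")
```

In the constructed data only acme-corp is flagged: globex's two families are 19 days apart and initech's two alerts are the same family.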