The U.S. Federal Bureau of Investigation (FBI) has issued a warning about a concerning trend in the world of cybercrime: dual ransomware attacks. These attacks involve deploying two different ransomware variants against the same victims, aiming to intensify the impact and maximize financial gains for cybercriminals. Since July 2023, these dual ransomware attacks have been on the rise, posing a significant threat to various U.S. companies.
During the dual ransomware attacks, cyber threat actors employ a combination of different ransomware variants, such as AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. The specific combination of variants used varies from attack to attack. These ransomware attacks often occur in close proximity to each other, with the timeframe ranging from 48 hours to within 10 days.
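As an added illustration of the 48-hour to 10-day window described above (example code written for this article, not from the FBI advisory), the following Python check correlates ransomware-family detections per victim and flags organizations hit by two distinct families within that window. The alert line format, victim names and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Families named in the advisory as appearing in dual-ransomware combinations.
ADVISORY_FAMILIES = {"AvosLocker", "Diamond", "Hive", "Karakurt",
                     "LockBit", "Quantum", "Royal"}

# The second deployment typically follows the first within 48 hours to 10 days.
DUAL_WINDOW = timedelta(days=10)

# Constructed sample alerts (not real incident data): "timestamp|victim|family".
SAMPLE_ALERTS = """\
2023-08-01T03:10:00|acme-corp|LockBit
2023-08-03T22:45:00|acme-corp|Royal
2023-08-02T11:00:00|globex|Hive
2023-08-20T09:30:00|globex|Quantum
2023-08-05T14:00:00|initech|AvosLocker
2023-08-06T01:20:00|initech|AvosLocker
"""


def parse_alerts(text):
    """Parse 'timestamp|victim|family' lines into (datetime, victim, family)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, victim, family = line.split("|")
        alerts.append((datetime.fromisoformat(ts), victim, family))
    return alerts


def find_dual_incidents(alerts, window=DUAL_WINDOW):
    """Return {victim: [(family_a, family_b, gap), ...]} for victims hit by
    two *different* families within `window`. A repeat of the same family
    is not counted: the advisory concerns distinct variants, not re-runs."""
    by_victim = {}
    for ts, victim, family in alerts:
        by_victim.setdefault(victim, []).append((ts, family))
    incidents = {}
    for victim, events in by_victim.items():
        events.sort()  # chronological, so t2 >= t1 in every pair below
        for (t1, f1), (t2, f2) in combinations(events, 2):
            if f1 != f2 and (t2 - t1) <= window:
                incidents.setdefault(victim, []).append((f1, f2, t2 - t1))
    return incidents


if __name__ == "__main__":
    for victim, hits in find_dual_incidents(parse_alerts(SAMPLE_ALERTS)).items():
        for f1, f2, gap in hits:
            print(f"{victim}: {f1} then {f2} after {gap}")
```

On the sample data only acme-corp is flagged: globex's second family arrives after the 10-day window, and initech saw the same family twice.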
What sets these attacks apart is the increased use of custom data theft, wiper tools, and malware to exert pressure on victims to pay the ransom. By combining data encryption, exfiltration, and financial loss from ransom payments, cybercriminals aim to inflict significant harm on victim entities.
While dual ransomware attacks have gained attention recently, they are not entirely new. As early as May 2021, instances of such attacks were observed. For example, in 2022, automotive suppliers fell victim to a triple ransomware attack comprising LockBit, Hive, and BlackCat over a two-week period.
The shift towards dual ransomware attacks can be attributed to factors such as the exploitation of zero-day vulnerabilities and the increasing presence of initial access brokers and affiliates in the ransomware landscape. These factors facilitate the reselling of access to victim systems, enabling the deployment of various ransomware strains in quick succession.
The rise of dual ransomware attacks underscores the urgent need for organizations to bolster their cybersecurity defenses. To protect against this evolving threat, several preventive measures should be implemented:
Phishing-Resistant Multi-Factor Authentication: Enforce the use of multi-factor authentication (MFA) that is resistant to phishing attacks. This adds an extra layer of security to prevent unauthorized access to systems and sensitive data.
User Account Auditing: Regularly audit user accounts to identify and remove unnecessary privileges. Implement a principle of least privilege (PoLP) to restrict access to only what is essential for each user.
Network Segmentation: Segment networks to limit the lateral movement of ransomware within the infrastructure. This prevents the rapid spread of the attack and minimizes the potential impact.
By implementing these preventive measures, organizations can enhance their resilience against dual ransomware attacks and minimize the risk of falling victim to these malicious campaigns. Maintaining robust cybersecurity practices and staying vigilant against evolving threats are crucial to safeguarding sensitive data and ensuring business continuity.