Most dual ransomware attacks occur within 48 hours
Since July 2023, the Federal Bureau of Investigation (FBI) has noticed a new trend: dual ransomware attacks on the same victim, occurring in close proximity to one another.
Dual ransomware attacks
Dual ransomware attacks are attacks against the same victim that occur within 10 days (or less) of each other. According to the FBI, most of these occurred within 48 hours of each other.
“During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. Variants were deployed in various combinations,” the FBI’s Private Industry Notification revealed.
“This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities.”
Ransomware attacks involving multiple ransomware strains are not a wholly new occurrence. In 2021, Emsisoft researchers documented a “double encryption” attack aimed at making file recovery far more complex.
Sophos researchers recently shared details about a triple ransomware attack against an automotive supplier, in which attackers took advantage of the same misconfiguration.
More recently, attackers used 3AM ransomware as a fallback in case LockBit – the primary ransomware – gets flagged and blocked by security solutions.
Recommendations for organizations
To prepare for any and all types of ransomware attacks, organizations should maintain encrypted, immutable, and offline backups of data; regularly check whether the backup data can be restored; evaluate the security posture of third-party vendors; allow systems to execute only known and permitted programs; keep track of approved solutions for remote management and maintenance; and make sure to have a recovery plan.
The FBI also advises organizations to implement identity and access management mitigations (strong and unique passwords on all accounts, phishing-resistant MFA, regular audits of user accounts, time-based access for admin-level and higher accounts).
Finally, organizations should segment networks; be on the lookout for and investigate abnormal activity; regularly update antivirus software; keep remote desktop protocol secured and monitored; regularly update systems, software, and firmware; disable unused ports, protocols, and command-line and scripting activities and permissions, etc.