The dangers of dual ransomware attacks

At some point in the movie “Groundhog Day,” Phil Connors breaks his bedside radio when he is woken up (yet again) by the song “I Got You Babe”. This déjà vu seems to await companies that fall victim to ransomware and fail to orchestrate the proper response.

The FBI has recently warned about dual ransomware attacks, a new trend that involves criminals carrying out two or more attacks in close proximity to each other. The time between attacks ranges from 48 hours to a maximum of ten days.

The attackers are using two different ransomware variants against their targets. The most well-known include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.

The FBI also warned about an uptick in ransomware groups deploying custom data theft and wiper tools to pressure victims to negotiate.

Two ransomware attacks in such a short period drive up damage and associated costs and can drive companies to the brink of their existence. The recent first hack against MGM caused $100 million in damage. A follow-up attack would likely have had even greater consequences.

What do CIOs and CISOs need to do differently to break out of the endless cycle of attack and re-attack?

Find the ghosts in the shell

During a cyber-attack, IT team members work under high pressure and extreme stress to pull their organization out of the mess. Important systems should be up and running again quickly, and customers and partners should be properly informed. Every hour counts because downtime equates to money loss.

In this extreme situation, a fatal error occurs: the IT teams often revert to their recovery workflows built for traditional disaster recovery scenarios like floods, fire, or power loss. Systems are reconstructed from existing backups so that they can be up and running again quickly, often using the freshest copies possible, as this minimizes the possible loss of data.

In a traditional disaster recovery scenario, root causes are known and causes mitigated, but in a cyber-attack scenario, without the proper response actions to investigate and mitigate what you find, systems are restored along with all the malicious accounts, compromised passwords, persistence mechanisms, and other malicious artifacts, while protective controls with missing rules or that were bypassed remain ineffective to stop a recurrence. Vulnerabilities that were exploited remain undiscovered and unpatched.

In other words, the house will be rebuilt with all the open windows and back doors that the attackers walked in through the first time. In fact, the adversary might already be back in the hallway! The foundation for the endless loop has been laid. In times of ransomware, it is essential to rethink system recovery as a process and modernize it completely.

The cleanroom as a shared laboratory

Infrastructure and security teams must work together to not only recover systems, but also understand the nature of the attack and mitigate the chances of it reoccurring. This costs time, but it prevents further costly impacts.

The ideal place for this cooperation is the so-called cleanroom. In this isolated environment, all teams involved can work in parallel with copies of production data. Using data management solutions, snapshot versions of systems are available along the various stages of the incident timeline. Modern data security and management platforms can deliver these snapshots into the isolated environment, hardened against external attacks thanks to vaulting, immutable storage, multi-factor authentication and encryption.

The data management system orchestrates the rapid standing up of the communications, collaboration, authentication, and digital forensics and incident response tooling needed to run the cleanroom, ensuring even if these systems have been impacted by the event response actions can start within minutes of the event.

Inside this cleanroom, digital forensics can re-instantiate systems at different points in the attack lifecycle in a matter of minutes, to examine filesystems, configurations and files. Security tooling that had been evaded or lacked the relevant rules can be redeployed onto the systems. Vulnerabilities at the exact point of the attack can be discovered, even if they occurred in between the regular vulnerability scanning cadence.

Often persistence mechanisms exist on systems that have not been encrypted, so hunt teams should look for indicators of compromise across the entire estate, leveraging the fast indexing and search capabilities of data management without even having to inflate systems.

Preventing a follow-up attack

These response actions push out the achievable recovery time objective, but the vulnerabilities found must be patched, the malicious accounts removed, the protective and detective controls bolstered to prevent or detect a recurrence, and all malicious artefacts must be removed prior to redeployment back into production. IT teams will naturally want to prioritize restoring systems that run the most important services and store the most valuable data.

Both the CIO and the CISO in the company should coordinate with each other and readjust the recovery time and possible operational costs, because the entire recovery process will take longer than previously estimated. The advantages of this approach should be obvious: the risk of a follow-up attack decreases, and the cyber resilience of the entire environment increases.