The FBI has issued a warning about a concerning new trend in ransomware attacks. According to the agency, attackers are now deploying multiple strains of ransomware on victims’ networks, encrypting systems in less than two days.

The FBI’s alert, in the form of a Private Industry Notification, was prompted by observed trends starting in July 2023. It explains that ransomware affiliates and operators have been using two distinct variants when targeting organizations. Among the variants used in these dual ransomware attacks are AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.

This use of dual ransomware variants has resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments, warns the FBI. The agency also cautions that second ransomware attacks against already compromised systems could inflict significant harm on victim entities.

In a departure from the past, when ransomware groups typically required a minimum of 10 days to execute such attacks, the vast majority of ransomware incidents targeting the same victim now occur within a mere 48-hour timeframe, according to FBI data.

Bill Siegel, the CEO and Co-Founder of Coveware, confirms that double encryption has been a practice for years. Some threat actor groups intentionally use two different variants on every attack. In other cases, an initial access broker sells access to the same network to two different ransomware affiliates, each using a different brand of ransomware. Both affiliates are then active in the network at once, encrypting machines within a short time of each other.

The FBI further reveals that since early 2022, multiple ransomware gangs have been adding new code to their custom data theft tools, wipers, and malware to evade detection. In some instances, malware containing data-wiping functionality remains dormant on compromised systems until a predetermined time when it executes and destroys data on the targets’ networks at periodic intervals.

The severity of these attacks is demonstrated by a real-life incident involving an automotive supplier. The company was breached three times within two months by LockBit, Hive, and ALPHV/BlackCat affiliates. Incident responders discovered that several of the victim’s files had been encrypted multiple times, with encryption layers stacked up to five levels deep.

To mitigate the risk of ransomware attacks, the FBI advises organizations to maintain close connections with FBI Field Offices in their region. This allows the FBI to assist in identifying vulnerabilities and mitigating potential threat-related activities.

Network defenders are urged to apply the mitigation measures outlined in the FBI’s Private Industry Notification. These measures include limiting attackers’ use of common system and network discovery techniques and keeping all systems up to date. Conducting thorough scans of the infrastructure to identify backdoors or vulnerabilities introduced by attackers is also crucial.

Securing remote access solutions and implementing strong passwords and multi-factor authentication are also recommended. Network segmentation, with critical servers isolated in their own VLANs, limits how far an intruder can spread. Additionally, comprehensive scans and audits across the entire network help identify devices that remain exploitable because they lack necessary patches.
