FBI Sounds Alarm About Dual Ransomware Attacks and Data Wiping Tactics
The tactics, techniques, and procedures (TTPs) used by ransomware gangs often evolve, and with increasing numbers of victims refusing to pay ransoms, ransomware groups have started adopting more aggressive tactics.
Two concerning new ransomware trends have been identified by the Federal Bureau of Investigation (FBI): ransomware groups are conducting dual attacks on victims using multiple ransomware variants, and they have been observed employing data destruction tactics using custom wiper tools when victims refuse to engage and discuss ransom payments.
The FBI has previously warned that paying the ransom following a ransomware attack provides no guarantee that files can be recovered, and victims that pay may be subject to further extortion demands. The latest warning concerns dual ransomware attacks, where two attacks are conducted using different ransomware variants in close proximity against the same target.
This tactic was first observed by the FBI in July 2023, with the attacks involving various combinations of ransomware variants from the AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal ransomware families being deployed on the same victim within 48 hours. These attacks have involved a combination of data encryption, file exfiltration, and financial losses from ransom payments, and a second ransomware attack on an already compromised system has the potential to cause significant harm to victims.
Some threat actors are known to use two ransomware variants in the same attack, and there have been cases where initial access brokers have sold access to two or more different ransomware operations, resulting in attacks occurring within hours of each other. When more than one ransomware variant is used, payment is required to each group to decrypt and recover stolen data.
The FBI also warns that ransomware groups are increasingly using custom data theft, wiper, and malware tools in their attacks. This trend was first observed by the FBI in early 2022 and has seen malware deployed that includes wiper tools that remain dormant on a compromised system for a set period of time, after which they execute and corrupt data in alternating intervals.
The FBI has shared several recommended mitigations in its recent Private Industry Notification to help network defenders limit the adversarial use of common system and network discovery techniques and reduce the risk of compromise by ransomware groups. The FBI also recommends organizations establish and maintain strong liaison relationships with their local FBI Field Office. The FBI can assist with identifying vulnerabilities and can help with the mitigation of potential threat activity.


