Threat Groups Accelerating the Use of Dual Ransomware Attacks – Source: securityboulevard.com

Ransomware groups are shrinking the time between attacks on the same victim, sometimes targeting the same company twice within 48 hours using different malware variants, according to the FBI.

In a notice late last month, the agency noted that since June, bad actors have been seen accelerating their efforts in dual ransomware attacks, with the use of variants resulting in “a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities.”

The attackers are using a range of high-profile ransomware families, including AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal, according to the FBI.

Ransomware groups have been known to target the same victims again, particularly if those companies paid the ransom the first time around. According to a report last year by cybersecurity company Cybereason, 80% of companies who paid a ransom to get their data back were attacked a second time, with 68% attacked a second time within a month and for a higher ransom.

The FBI also noted the use of other tools – like custom data-theft capabilities, file wiper features, and malware – by ransomware groups to further pressure victims to negotiate and to pay a ransom.

“In some cases, new code was added to known data theft tools to prevent detection,” the agency wrote. “In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.”

The Dynamics of RaaS

Nick Hyatt, cyber practice leader at Optiv, pointed to an automotive supplier that last year was breached three times – by LockBit, Hive, and ALPHV – within three months, a case outlined by researchers with Sophos X-Ops. It shouldn’t be surprising given the rapid rise of ransomware-as-a-service in an increasingly crowded threat environment.

“The ransomware landscape is complex,” Hyatt told Security Boulevard. “It is saturated with RaaS operations and affiliates who are often observed working across multiple groups.”

Those groups often turn to initial access brokers (IABs) to gain access into the networks of victims and these IABs will sell access into victim to more than one threat actor, which can set up the target for more than one attack.

“This is compounded by the fact that organizations move slowly,” he said. “In the incident response industry, we are used to working in short sprints to deal with active incidents. The reality is that companies actually implementing these changes can take a comparatively long time. This is due to ensuring business continuity, bureaucratic red tape and, of course, staffing issues.”

Increasing the Pressure

There are multiple reasons for using multiple ransomware variants, said Timothy Morris, chief security advisor at Tanium, noting that the FBI report said the primary one is to pressure victims and accelerate negotiations for a payout.

Law enforcements agencies continue to advise organizations against paying the ransoms, Morris added. They argue that there is no guarantee that victims will be able to retrieve or decrypt their data even if they do pay the ransom. Also, as the Cybereason reported pointed out, those that pay the ransom are much more likely to be targeted again.

Also, the ransoms pay fund future attacks on other companies, law enforcement has said.

“There has been a shift with major law enforcement to not pay ransoms,” Morris said. “Therefore, criminals will turn up the heat to combat that. Also, recovery has been possible with some of the ransomware strains or there have been bugs. Using two encryption methods, or a wiper, will achieve a more ‘successful’ theft.”

Zane Bond, head of product at Keeper Security, agreed.

“Bad actors are incredibly driven and have a variety of tools in their arsenal they can use to fit the occasion,” Bond told Security Boulevard. “One of the hallmarks of a ransomware attack is that the cybercriminal will infect as many things as possible in order to ensure they receive a payout. Sometimes a single attack is enough to compel an organization to provide the payout they are looking for, but other times they need to use more of the tools in their arsenal to secure the likelihood of their compensation.”

In its notice, the FBI laid out a range of steps organizations should take to better protect themselves against ransomware and other attacks, from using offline data backups and encrypting that data, using strong passwords and implementing multi-factor authentication (MFA) technologies, and segmenting networks.