The FBI has issued a warning about a rising ransomware trend in which separate attacks are conducted just hours or days apart — otherwise known as “dual ransomware attacks.”
“Ransomware attacks against the same victim occurring within 10 days, or less, of each other were considered dual ransomware attacks,” the bureau explained in a Private Industry Notification released last week. “The majority of dual ransomware attacks occurred within 48 hours of each other.”
These ransomware attacks happen to the same victim within a short time span and, in the wild, have occurred with threat actors deploying different ransomware variants for each leg of the attacks, such as AvosLocker, Diamond, Hive Karakurt, LockBit, Quantum, and Royal. These variants are released in different dual combinations, ultimately resulting in a mix of data encryption, exfiltration, and extortion.
The phenomenon makes sense: After an initial ransomware attack, an organization or company is still reeling from the breach and is at its weakest point, making a second attack to its already compromised system all the more harmful.
In addition to dual ransomware attacks, the FBI noted a rising trend of threat actors increasingly using malware, data theft, and wiper tools to manipulate and pressure ransomware victims into negotiating. To combat both of these trends, the FBI encourages anyone to report suspicious activity with details of the time and place as well as affected equipment and the type of activity that occurred.
To help safeguard against these kinds of threats, the FBI has provided recommendations for mitigations, which include maintaining offline backups of data, ensuring all the backed-up data is encrypted, reviewing the security safeguard of third parties and vendors, and implementing policies “that only allow systems to execute known and permitted programs.” In addition, the FBI recommends implementing a secure recovery plan and retaining multiple copies of sensitive information.