FBI warns of multiple ransomware attacks on same victim

The Federal Bureau of Investigation (FBI) has released a notification that highlights two trends emerging across the ransomware environment.

The trends the FBI says it’s noticed since July 2023 are:

  • Multiple ransomware attacks on the same victim in close date proximity.
  • New data destruction tactics in ransomware attacks.

With multiple, or dual ransomware attacks, the FBI says cybercriminals deployed two different ransomware variants against victim companies, using the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. These variants were deployed in various combinations.

This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Although some of the same principles apply, these tactics are even worse than experiencing a ransomware reinfection. Second ransomware attacks against an already compromised system could cause significant harm: Besides making it harder to remediate and causing extra delays in getting everything back up and running, it also frustrates and discourages those working on the affected systems.

According to the FBI’s data, the majority of ransomware incidents targeting the same victim take place within a 48-hour timeframe. The FBI report doesn’t say anything about the possible reasons why this is happening, but there are a few we could think off.

  • Rivalry between ransomware gangs
  • Initial Access Brokers selling to multiple ransomware operators
  • Extra pressure on the victim to pay the ransom

The second trend, according to the FBI, is that multiple ransomware groups have increased the use of custom data theft, wiper tools, and malware to pressure victims to negotiate. In some cases, new code was added to known data theft tools to prevent detection. In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.

We can safely say that these are indeed tactics that may drive a victim to the negotiation table. Having a ticking time-bomb next to your network that may wipe critical data at a certain time will leave you looking frantically for the trigger and other ways to escape the ordeal.

The FBI wants victims to notify it of an attack. If your organization has experienced a ransomware event, you should provide law enforcement agencies with the most complete reporting possible. A complaint can be filed to the Internet Crime Complaint Center (IC3) here.

Organizations can also contact their local FBI field office, which will ask for the following information:

  • The date of ransomware attack.
  • How the infection occurred.
  • Ransom amount demanded.
  • Ransom amount paid, if any.
  • The ransomware variant.
  • Information about your company, such as industry, size, etc.
  • Victim impact statement.
  • Losses due to the ransomware attack.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.