Dual Ransomware Attacks Typically Strike Within 48 Hours

As of July 2023, the Federal Bureau of Investigation (FBI) has identified an emerging trend: consecutive ransomware attacks on the same target, often happening within a short duration of each other.

The Nature of Dual Ransomware Attacks

Such dual ransomware attacks refer to incidents in which a victim faces two separate attacks within a span of 10 days or less. The FBI highlighted that a significant number of these dual attacks took place within a mere 48-hour period.
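The following is an added illustration, not part of the FBI notification or the article: it applies the definition above (two separate attacks on the same victim within 10 days or less, using different strains) to a constructed incident timeline and flags the pairs that fall inside the 48-hour window the FBI singled out.

```python
"""Flag dual-ransomware incidents in a victim incident timeline.

Added example: the incident records, victim names and timestamps below
are constructed for illustration and are not real cases.
"""
from datetime import datetime, timedelta

DUAL_WINDOW = timedelta(days=10)    # FBI definition of a dual attack
RAPID_WINDOW = timedelta(hours=48)  # window most dual attacks fell into


def find_dual_attacks(incidents):
    """Return (victim, first_strain, second_strain, gap_hours, rapid) tuples.

    incidents: iterable of (victim, strain, ISO-8601 timestamp) records.
    Consecutive incidents against the same victim that involve different
    strains and lie at most 10 days apart count as a dual attack; 'rapid'
    marks those no more than 48 hours apart. Same-strain repeats are left
    out, since they look like re-infection rather than a second actor.
    """
    by_victim = {}
    for victim, strain, ts in incidents:
        by_victim.setdefault(victim, []).append((datetime.fromisoformat(ts), strain))
    hits = []
    for victim, events in by_victim.items():
        events.sort()  # chronological order per victim
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            gap = t2 - t1
            if s1 != s2 and gap <= DUAL_WINDOW:
                hits.append((victim, s1, s2,
                             round(gap.total_seconds() / 3600, 1),
                             gap <= RAPID_WINDOW))
    return hits


# Constructed sample records (victim, strain, detection time), not real data.
SAMPLE_INCIDENTS = [
    ("acme-corp", "LockBit",    "2023-05-01T02:15:00"),
    ("acme-corp", "Royal",      "2023-05-02T22:40:00"),  # 44.4 h later: rapid dual attack
    ("globex",    "Hive",       "2023-06-10T09:00:00"),
    ("globex",    "Quantum",    "2023-06-18T09:00:00"),  # 8 days later: dual, not rapid
    ("initech",   "Karakurt",   "2023-06-01T12:00:00"),
    ("initech",   "AvosLocker", "2023-06-20T12:00:00"),  # 19 days later: outside window
    ("umbrella",  "LockBit",    "2023-07-03T08:00:00"),
    ("umbrella",  "LockBit",    "2023-07-04T08:00:00"),  # same strain: not counted
]

if __name__ == "__main__":
    for hit in find_dual_attacks(SAMPLE_INCIDENTS):
        print(hit)
```

In practice the input would come from the SIEM or case-management export; the function only needs a victim identifier, the attributed strain and a timestamp per incident.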

The FBI’s Private Industry Notification disclosed that during these incidents, cyber adversaries utilized two distinct ransomware strains to target victim organizations. These strains included AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal, and they were launched in varying combinations.

The deployment of two ransomware variants in close succession led to a combination of encrypted data, data exfiltration, and financial losses from ransom payments. Furthermore, a second attack on an already compromised system can compound the damage to the affected organization.

The use of multiple ransomware types isn’t entirely novel. Back in 2021, Emsisoft researchers detailed an instance of a “double encryption” attack, the aim of which was to complicate file recovery processes.

Moreover, Sophos experts recently discussed an unusual triple ransomware attack on an automotive supplier, in which the perpetrators exploited the same configuration oversight each time. In another incident, the attackers kept the 3AM ransomware as a backup plan in case the primary strain, LockBit, was detected and blocked by security controls.

Guidance for Organizations

To strengthen defenses against potential ransomware attacks, organizations are advised to ensure the following:

  • Maintain encrypted, immutable, and offline backups of critical data.
  • Routinely test that backups can actually be restored.
  • Review the security posture of third-party vendors.
  • Allow only known and approved programs to run on systems.
  • Monitor approved remote management and maintenance tools.
  • Establish a comprehensive recovery plan.

In addition, the FBI recommends that businesses employ identity and access management practices: strong, unique passwords for all accounts, phishing-resistant multi-factor authentication, regular audits of user accounts, and time-limited access for privileged accounts.

Finally, organizations should segment their networks, watch for unusual activity, keep antivirus tools up to date, secure and monitor remote desktop protocol (RDP) use, keep systems, software, and firmware patched, and disable unused ports, protocols, and scripting capabilities and permissions.