FBI Warns of New Dual Ransomware Trend Accelerating Attack Speed

In a recent Private Industry Notification, the FBI raised the alarm over an emerging ransomware technique that sees cybercriminals deploying multiple malware strains on victim networks.

This advancement allows them to encrypt entire systems in as little as two days, a notable escalation from the traditional 10 days observed in previous methods.

Dual Malware Variants

The notification, based on observations since July, details that ransomware operators and affiliates have started using two separate malware variants in tandem to enhance the efficiency and potency of their attacks. The variants include Hive, Diamond, AvosLocker, Quantum, Royal, LockBit and Karakurt.

"This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments," reads the FBI's announcement. "Second ransomware attacks against an already compromised system could significantly harm victim entities."

The 48-Hour Re-attack Window

It's important to note that the swift timeline of these attacks means that victims could face a secondary assault within 48 hours of the initial breach, significantly shortening the previous week-long wait time.

Though the technique of using double ransomware isn't new, as highlighted by BleepingComputer, its renewed prevalence presents growing concerns.

There's an observed trend of threat actors not supplying decryption keys for both malware variants upon ransom payment, leaving victims vulnerable to subsequent extortions. Additionally, in some dire situations, the malware has been found to remain dormant on affected systems, periodically wiping data network-wide at preset intervals.

The report also mentions initial access brokers selling access to compromised networks to different ransomware affiliates. Each of these affiliates then uses its specific ransomware strain, doubling the impact on the victim's network.

Mitigation Recommendations

The FBI has also recommended crucial mitigations:

• Maintain offline data backups, with consistent backup and restoration processes to ensure data availability and uninterrupted operations.
• Encrypt backup data to cover the entire network infrastructure and ensure it's immutable.
• Limit access to unknown programs and permit only recognized programs to operate based on a defined security policy.
• Monitor all external remote connections diligently, proactively investigating any unapproved solutions found on workstations.