It’s October, otherwise known as Cybersecurity Awareness Month, which perhaps is why the FBI released a private industry notification last week (September 27, 2023) warning organizations of a new kind of ransomware attack.
The notice highlights an emerging trend by bad actors in which multiple variants of ransomware are used on the same victim and conducted within close proximity to one another—the majority of which occurred within 48 hours of each other—and enabled new data destruction tactics.
First observed in July 2023, the FBI noted that during these attacks, cyber threat actors deployed two different ransomware variants in various combinations against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. “This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities,” the agency said.
In addition, it could be difficult to detect. According to the FBI: “In early 2022, multiple ransomware groups increased use of custom data theft, wiper tools, and malware to pressure victims to negotiate. In some cases, new code was added to known data theft tools to prevent detection. In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.”
Risk mitigation
The FBI recommends steps organizations can take to improve their organization’s security posture in response to these new activity trends, including: maintaining offline backups of data, ensuring data is encrypted and immutable (can’t be altered or deleted), review the security posture of third-party vendors, implement policies for applications and remote access that allow systems to execute known and permitted programs, document and monitor external remote connections, and implement a recovery plan.
They also outline best practices for identity and access management, how to protect controls and network architecture, and vulnerability and configuration management. The full list of recommendations can be found in the private industry notification.
The FBI also recommends organizations establish and maintain strong liaison relationships with the FBI Field Office in their region. The location and contact information for FBI Field Offices can be located at www.fbi.gov/contact-us/field-offices. Through these partnerships, the FBI can assist with identifying vulnerabilities and mitigating potential threat activity.
