FBI warns of dual ransomware attacks

The U.S. Federal Bureau of Investigation (FBI) warns of dual ransomware attacks aimed at the same victims.

The U.S. Federal Bureau of Investigation (FBI) is warning of dual ransomware attacks, a new worrisome trend in the threat landscape that sees threat actors targeting the same victims two times.

“As of July 2023, the FBI noted two trends emerging across the ransomware environment and is releasing this notification for industry awareness. These new trends included multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks.” reads the Private Industry Notification published by the FBI.” The FBI noted a trend of dual ransomware attacks conducted in close proximity to one another.”

According to the FBI, threat actors deployed two different ransomware variants in the victims’ networks. The government experts observed the threat actors using the following ransomware families: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. Dual ransomware attacks resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments.

“Second ransomware attacks against an already compromised system could significantly harm victim entities.” continues the alert.

The experts also warn that multiple ransomware groups increased the use of custom data theft, wiper tools, and malware to put pressure on the victims and convince them to negotiate. In some cases, ransomware group added their own code to known data theft tools to prevent detection. In other cases in 2022, data wipers remained dormant until a set time to avoid detection and used an intermittent execution to corrupt data.

It is important to remark that dual ransomware attacks are not a new phenomenon, in many cases in the past victims’ systems were infected with multiple strains of ransomware.

Symantec’s Threat Hunter Team recently discovered a new ransomware family, which calls itself 3AM, that to date has only been deployed in a single incident in which the threat actors failed to deploy the LockBit ransomware.

The FBI’s PIN provides recommendations to network defenders for being prepared to respond to cyber incidents, optimizing identity and access management, implementing protective controls and architecture, and enhancing vulnerability and configuration management.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, dual ransomware attacks)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.