The U.S. Federal Bureau of Investigation (FBI) is warning of a new trend of dual ransomware attacks targeting the same victims, at least since July 2023.
“During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal,” the FBI said in an alert. “Variants were deployed in various combinations.”
Not much is known about the scale of such attacks, although it’s believed that they happen in close proximity to one another, ranging from anywhere between 48 hours to within 10 days.
Another notable change observed in ransomware attacks is the increased use of custom data theft, wiper tools, and malware to exert pressure on victims to pay up.
“This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments,” the agency said. “Second ransomware attacks against an already compromised system could significantly harm victim entities.”
It’s worth noting that dual ransomware attacks are not an entirely novel phenomenon, with instances observed as early as May 2021.
Last year, Sophos revealed that an unnamed automotive supplier had been hit by a triple ransomware attack comprising Lockbit, Hive, and BlackCat over a span of two weeks between April and May 2022.
Then, earlier this month, Symantec detailed a 3AM ransomware attack targeting an unnamed victim following an unsuccessful attempt to deliver LockBit in the target network.
The shift in tactics boils down to several contributing factors, including the exploitation of zero-day vulnerabilities and the proliferation of initial access brokers and affiliates in the ransomware landscape, who can resell access to victim systems and deploy various strains in quick succession.
Organizations are advised to strengthen their defenses by maintaining offline backups, monitoring external remote connections and remote desktop protocol (RDP) use, enforcing phishing-resistant multi-factor authentication, auditing user accounts, and segmenting networks to prevent the spread of ransomware.