Date: 2023-10-05

A popular ice cream commercial from the 1990s said “two is better than one,” and that seems to be the approach ransomware groups have chosen in recent months.

The United States Federal Bureau of Investigation (FBI) has issued an alert on double ransomware attacks (dual ransomware attacks), a worrying trend in the threat landscape in which criminal groups target the same victims multiple times with different ransomware families.

“As of July 2023, the FBI has noticed two emerging trends in the ransomware environment and is releasing this notification to raise awareness in the industry. These new trends include multiple ransomware attacks on the same victim in close time and new data destruction tactics in ransomware attacks,” reads the “Private Industry Notification” issued by the FBI. “The FBI has noted a trend of dual ransomware attacks conducted in close proximity to each other.”

In summary, over the last two weeks several criminal groups have hit numerous victims by spreading two more families of ransomware in their networks within a short time interval.

Why use two different ransomware families to target the same victim?

The main reason is to increase the chances of getting a ransom. A victim who cannot recover the encrypted data in any way is inevitably under more pressure and may be more likely to pay a ransom for the second ransomware.

Using two different ransomware families makes it less likely that the victim will be able to decrypt the files without paying the ransom.

Finally, it cannot be ruled out that some group might try to get the same victim to pay multiple ransoms by presenting itself as two distinct ransomware groups.

In any case, dealing with double-infection ransomware attacks is often more complex: the presence of two malicious codes on the same machine can slow down the investigation and recovery of the affected machines.

According to the alert released by the FBI, several attacks have been recorded since July in which two different variants of ransomware were observed in the victims’ networks. Government experts noted that well-known ransomware families such as AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum and Royal were used in attacks in this manner.

According to the note, the ransomware attacks resulted in a combination of data encryption on the affected machines and theft of the files stored on them.

“Double ransomware attacks against an already compromised system could significantly harm victims,” the alert continues.

Experts also warn of criminal groups’ use of malicious code known as wipers, which are developed to erase data on a device or render it unreadable, making data recovery impossible.

In some attacks observed in 2022, the wipers used remained inactive for a preset time and then ran intermittently, corrupting data while avoiding detection.

Importantly, dual ransomware attacks are not a new phenomenon: in many cases in the past, victims’ systems have been infected by multiple families of ransomware.

The FBI statement provides recommendations on how to defend networks from these attacks and respond to cyber incidents, optimizing identity and access management, implementing controls and designing protection architectures, and improving vulnerability and system configuration management.

Here are some measures organizations can take to reduce the risk of being hit by a ransomware attack:

Keep systems and software updated. Use security software. Security software can help detect and block ransomware. Make regular backups of your data.

While there are numerous warnings from security companies and government agencies, ransomware attacks continue to threaten our businesses.

Sophos report

According to “The State of Ransomware 2023” report published by security firm Sophos, in 30% of cases in which the data was encrypted, data theft also occurred, demonstrating the effectiveness of the double extortion model.

It is disarming that 46% of the companies interviewed that were affected by a ransomware attack paid the ransom, and that it was precisely the largest organizations, the ones that should be best protected, that were most willing to pay.

Investing in new generation technological solutions, but above all in adequate investment programs, could help companies address this worrying trend.

