In late September, the FBI sent a private industry notification warning organizations of a disturbing new twin ransomware attack trend: victims being hit by two or more ransomware strains in a single attack.
That is ominous for at least three reasons. First, the FBI describes this as a trend—that is, something more than an isolated occurrence—which suggests the tactic could be spreading more widely.
Second, if the FBI is saying this in late September 2023, that probably means it has been an issue for a while, which suggests the trend is now well entrenched.
Third, and most pressing of all, defending an organization against one ransomware strain is already hard enough. Defending against two or even three at almost the same time (or at the same time) sounds like a security operations center's worst nightmare.
According to the FBI, the tactic has been detected involving different combinations of the following well-known variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.
Twin Ransomware Attacks Are Worse Than One
Once ransomware has been detected, the challenge is to uncover the full extent of its spread. Having to do that for two ransomware families potentially doubles this workload because each uses distinct malware that spreads, encrypts, and exfiltrates data in different ways.
That is what the attackers are counting on—tying the defenders in knots, consuming time, and generally confusing everyone. Defenders set to work cleaning and restoring systems only to discover that another ransomware has been working against this effort in the background.
This MO appears to be different from earlier twin ransomware attacks in 2021 and 2022 where victims reported being infected with more than one ransomware variant.
We covered one of these twin ransomware attacks from 2021 when an organization was targeted first by Karma and then Conti only a few hours later. In a separate incident made public in 2022, an automotive company was on the receiving end of three ransomware attacks in quick succession.
However, the difference compared to the latest FBI warning is that those attacks involved different groups competing with one another and were probably coincidental. The new attacks, by contrast, are more likely to be multiple ransomware variants being managed by a single ransomware actor within a short time frame.
As the FBI defines this time frame:
“Ransomware attacks against the same victim occurring within 10 days, or less, of each other were considered twin ransomware attacks. The majority of twin ransomware attacks occurred within 48 hours of each other.”
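The FBI's time window translates directly into a correlation check over detection records during incident scoping. The following Python is an added example, not code from the original article or the FBI notification; the event tuple layout, victim names, and timestamps are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

TWIN_WINDOW = timedelta(days=10)      # FBI: "within 10 days, or less"
TYPICAL_WINDOW = timedelta(hours=48)  # FBI: majority occurred within 48 hours

# Constructed sample detections: (victim, ransomware family, alert time in UTC).
SAMPLE_EVENTS = [
    ("org-a", "LockBit", "2023-09-01T02:15:00"),
    ("org-a", "Royal", "2023-09-02T20:40:00"),     # 42h25m after LockBit
    ("org-b", "Hive", "2023-08-01T09:00:00"),
    ("org-b", "Quantum", "2023-08-09T09:00:00"),   # 8 days after Hive
    ("org-c", "AvosLocker", "2023-07-01T00:00:00"),
    ("org-c", "Karakurt", "2023-07-20T00:00:00"),  # 19 days: outside the window
    ("org-d", "LockBit", "2023-06-01T00:00:00"),
    ("org-d", "LockBit", "2023-06-03T00:00:00"),   # same family: not a twin attack
]

def find_twin_attacks(events):
    """Return family pairs seen against one victim within the 10-day window."""
    seen = defaultdict(lambda: defaultdict(list))  # victim -> family -> [times]
    for victim, family, ts in events:
        seen[victim][family].append(datetime.fromisoformat(ts))
    findings = []
    for victim, families in sorted(seen.items()):
        for fam_a, fam_b in combinations(sorted(families), 2):
            # Use the closest pair of detections, so a family that reappears
            # later is still matched against a newly arrived second family.
            gap = min(abs(a - b) for a in families[fam_a] for b in families[fam_b])
            if gap <= TWIN_WINDOW:
                findings.append({
                    "victim": victim,
                    "families": (fam_a, fam_b),
                    "gap_hours": round(gap.total_seconds() / 3600, 1),
                    "within_48h": gap <= TYPICAL_WINDOW,
                })
    return findings

if __name__ == "__main__":
    for finding in find_twin_attacks(SAMPLE_EVENTS):
        print(finding)
```

A hit from this check is a prompt to scope the incident for both families before cleanup begins, since the article notes that restoration can be undermined by a second strain still active in the background.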
Ransomware Harm
A second trend the FBI warns of is the increasing destructiveness of ransomware. In one version of this, threat actors plant malware that wipes or damages data at pre-set intervals as a way of increasing the pressure on defenders to pay the ransom. This blog covered this type of attack in 2022 when the Onyx/Chaos ransomware was observed using the tactic.
In reality, neither multi-ransomware nor its occasional destructiveness is that new. What seems to have changed is the ability of attackers to use sophisticated Ransomware-as-a-Service platforms to layer different techniques in a single incident. Ransomware is like the Hydra of Greek myth—chop off one head and the organism quickly grows two even more dangerous ones in its place.