Surge in Dual Ransomware Attacks Lacks Clear Causes

Enterprises are facing an increasing threat from dual ransomware attacks, according to a recent private industry notification from the FBI. These attacks involve threat actors deploying two different types of ransomware within a short time frame, often 10 days or less. The FBI observed numerous groups using this tactic, deploying ransomware variants such as AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal against victim organizations.

The use of dual ransomware variants in these attacks can result in data encryption, exfiltration, and financial losses for the victims. The FBI warned that second ransomware attacks against an already compromised system could significantly harm victims. To protect against these attacks, the FBI recommended that enterprises maintain encrypted backups and implement phishing-resistant multifactor authentication.

Infosec experts have noted an increase in dual ransomware attacks, with several ransomware groups claiming responsibility for the same victim organization on dark web data leak sites. One example occurred in March, when both the LockBit and Daixin Team ransomware groups targeted fraud prevention platform Guardian Analytics Inc. The reason for the rise in dual attacks is unclear, but it may be related to the overall increase in ransomware activity.

According to NCC Group’s September Threat Pulse report, ransomware attacks have seen a 153% increase from September 2022 to September 2023. This rise in attacks is likely to continue year over year. The report also highlighted the emerging trend of dual ransomware attacks. NCC Group analysts observed the 3am ransomware group taking advantage of an affiliate’s failed attempt to deploy LockBit’s ransomware on a targeted network. This approach indicates the independence of affiliates from operators and may pave the way for a new trend in ransomware attacks.

While experts have noticed the occurrence of dual ransomware attacks, they are uncertain if this will become a widespread trend. Ian Usher, deputy global head of threat intelligence at NCC Group, stated that multiple threat actors within a victim environment are not uncommon. The activity of initial access brokers, who sell credentials to affiliate groups of ransomware operators, contributes to the likelihood of multiple threat actors deploying ransomware. Alexander Leslie, a threat intelligence analyst at Recorded Future, suggested that ransomware affiliates may work for multiple independent ransomware groups simultaneously, explaining the phenomenon of dual attacks.

However, some experts caution against attributing attacks to specific ransomware groups, emphasizing that they are criminal organizations utilizing ransomware binaries. Ryan Kovar, a distinguished security strategist at Splunk, suggested moving away from the term “ransomware group” and focusing on the extortion aspect of these attacks.

In addition to the increase in dual ransomware attacks, negotiators and payments related to ransomware have also seen a surge. The FBI observed a rise in data extortion and the use of custom data theft, wiper tools, and malware to pressure victims to negotiate. Ransomware payments have increased, with ransomware operators extorting at least $449.1 million in the first half of 2023, compared to $273.3 million in the same period in 2022. A recent report from Splunk revealed that 83% of surveyed participants admitted to giving in to ransom demands.

The success of negotiators is another trend that experts have noticed in the ransomware landscape. Ransomware groups have been discussing victims’ lack of payment and some affiliates have accepted lower ransom amounts. To address this issue, the LockBit ransomware group announced that their affiliates would be allowed to demand a ransom set at only 3% of the target company’s annual revenue.

Overall, the increase in dual ransomware attacks and the success of negotiators highlight the ongoing challenges faced by enterprises in defending against ransomware. As these attacks continue to evolve, it is crucial for organizations to maintain secure backups and implement strong authentication measures to protect their data and systems.
