In late September 2023, the FBI sent a private industry notification warning organizations about a disturbing new dual ransomware attack trend: victims being hit by two or more ransomware strains in a single attack.
This is ominous for at least three reasons. First, the FBI describes this as a trend—that is, something that’s more than an isolated occurrence—which implies the tactic might be spreading more widely.
Second, if the FBI is saying this in late September 2023, it has probably been an issue for some time, which suggests the trend is now well entrenched.
Third, and most pressing of all, defending an organization against one ransomware strain is already hard enough. Defending against two or even three at nearly or exactly the same time sounds like a security operations center's worst nightmare.
According to the FBI, the tactic has been detected involving different combinations of the following well-known variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.
Dual Ransomware Attacks Are Worse Than One
Once ransomware has been detected, the challenge is to uncover the full extent of its spread. Having to do that for two ransomware families potentially doubles this workload because each uses distinct malware that spreads, encrypts, and exfiltrates data in different ways.
This is what the attackers are counting on: tying the defenders in knots, consuming time, and generally confusing everyone. Defenders set to work cleaning and restoring systems only to discover that a second ransomware strain has been working against this effort in the background.
This MO appears to be different from previous dual ransomware attacks in 2021 and 2022 where victims reported being infected with more than one ransomware variant.
We covered one of these dual ransomware attacks from 2021 when an organization was targeted first by Karma and then Conti only a few hours later. In a separate incident made public in 2022, an automotive company was on the receiving end of three ransomware attacks in quick succession.
However, the difference compared to the latest FBI warning is that those attacks involved different groups competing with one another and were probably coincidental. The new attacks, by contrast, are more likely to be multiple ransomware variants being controlled by a single ransomware actor within a short time frame.
As the FBI defines this time frame:
“Ransomware attacks against the same victim occurring within 10 days, or less, of each other were considered dual ransomware attacks. The majority of dual ransomware attacks occurred within 48 hours of each other.”
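To make that definition usable in incident triage, here is an added example (my code, not the FBI's notification or the original post) that groups incident records by victim and flags any pair of distinct ransomware families detected within 10 days of each other, marking the pairs that fall within 48 hours. The records are constructed for illustration; the `victim,family,first_detected` layout and the victim names are assumptions, not a real feed.

```python
"""Flag dual ransomware attacks in incident records using the FBI's windows.

Added example, not code from the FBI notification or the original post.
The record layout "victim,family,first_detected (ISO 8601)" is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations

# FBI definition: attacks on the same victim 10 days or less apart.
DUAL_WINDOW = timedelta(days=10)
# The notification says most dual attacks fell within 48 hours of each other.
RAPID_WINDOW = timedelta(hours=48)


@dataclass(frozen=True)
class Incident:
    victim: str
    family: str
    first_detected: datetime


@dataclass(frozen=True)
class DualAttack:
    victim: str
    first: Incident   # earlier detection
    second: Incident  # later detection

    @property
    def gap(self) -> timedelta:
        return self.second.first_detected - self.first.first_detected

    @property
    def rapid(self) -> bool:
        return self.gap <= RAPID_WINDOW


def parse_incidents(text: str) -> list:
    """Parse 'victim,family,timestamp' lines; blank lines and '#' comments are ignored."""
    incidents = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        victim, family, ts = (f.strip() for f in line.split(","))
        incidents.append(Incident(victim, family, datetime.fromisoformat(ts)))
    return incidents


def first_sightings(incidents) -> list:
    """Collapse repeated alerts for one family on one victim to the earliest alert.

    Caveat: a genuine return of the same family weeks later is collapsed too;
    re-infection by the same family needs its own rule.
    """
    earliest = {}
    for inc in incidents:
        key = (inc.victim, inc.family)
        if key not in earliest or inc.first_detected < earliest[key].first_detected:
            earliest[key] = inc
    return list(earliest.values())


def find_dual_attacks(incidents) -> list:
    """Return every pair of distinct families hitting one victim within DUAL_WINDOW."""
    by_victim = defaultdict(list)
    for inc in first_sightings(incidents):
        by_victim[inc.victim].append(inc)
    found = []
    for victim, incs in by_victim.items():
        incs.sort(key=lambda i: i.first_detected)
        for a, b in combinations(incs, 2):  # sorted, so a always precedes b
            if b.first_detected - a.first_detected <= DUAL_WINDOW:
                found.append(DualAttack(victim, a, b))
    return found


def summarize(attacks) -> dict:
    """Counts a SOC would report: dual attacks found, and how many were within 48h."""
    return {"dual": len(attacks), "within_48h": sum(1 for d in attacks if d.rapid)}


# Constructed sample records (not real incidents); families are those the FBI named.
SAMPLE_INCIDENTS = """\
# victim,family,first_detected
acme-corp,AvosLocker,2023-06-01T02:15:00
acme-corp,AvosLocker,2023-06-01T03:05:00   # duplicate alert for the same attack
acme-corp,Hive,2023-06-02T21:40:00         # 43h25m later: dual and rapid
beta-inc,LockBit,2023-06-05T08:00:00
beta-inc,Royal,2023-06-12T09:30:00         # 7 days later: dual, not rapid
gamma-llc,Quantum,2023-05-01T00:00:00
gamma-llc,Karakurt,2023-06-01T00:00:00     # 31 days apart: outside the window
"""

if __name__ == "__main__":
    attacks = find_dual_attacks(parse_incidents(SAMPLE_INCIDENTS))
    for d in attacks:
        flag = "RAPID" if d.rapid else "dual"
        print(f"{d.victim}: {d.first.family} then {d.second.family}, gap {d.gap} [{flag}]")
    print(summarize(attacks))
```

The 10-day cut-off is inclusive, matching "10 days, or less"; the gamma-llc pair is therefore correctly excluded at 31 days, while the duplicate AvosLocker alert on acme-corp collapses to one sighting so the Hive pairing is reported once rather than twice.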
A second trend the FBI warns of is the increasing destructiveness of ransomware. In one version of this, threat actors plant malware that wipes or damages data at pre-set intervals as a way of increasing the pressure on defenders to pay the ransom. This blog covered this type of attack in 2022 when the Onyx/Chaos ransomware was spotted using the tactic.
In reality, neither multi-strain ransomware nor destructive ransomware is that new. What seems to have changed is the ability of attackers to use sophisticated Ransomware-as-a-Service platforms to layer different techniques in a single incident. Ransomware is like the Hydra of Greek myth—chop off one head and the organism quickly grows two even more dangerous ones in its place.