Last month, the FBI issued a private industry notification on trends and tactics it observed emerging across the ransomware threat landscape. Multiple groups exhibited new data destruction techniques such as deploying wiper tools and malware to pressure victims to negotiate a ransom demand. The FBI also warned of an increase in dual ransomware attacks that occur within "close proximity" of one another.
During the dual ransomware attacks, the FBI observed threat actors deploy two different ransomware variants, including AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum and Royal, in concurrence of one another, or shortly afterward against victim organizations. According to the FBI, dual attacks are ones that occur within 10 days or less, with the majority of such attacks occurring within a 48-hour window.
The LockBit ransomware group has maintained a consistent spot as a top active threat actor, while the Royal ransomware group has been known to target critical infrastructures such as the healthcare sector. The FBI alert noted variants were deployed in a variety of combinations.
"This use of dual ransomware variants resulted in a combination of data encryption, exfiltration and financial losses from ransom payments," the FBI wrote in the private industry notification. "Second ransomware attacks against an already compromised system could significantly harm victims."
In response, the FBI urged enterprises to maintain sufficient, encrypted backups and to require phishing-resistant multifactor authentication for all services.
Ransomware reaches historic highs
Infosec experts have observed multiple ransomware groups posting the same victim organization on dark web data leak sites, signaling dual ransomware attacks. An example occurred in March and involved one ransomware strain not mentioned in the FBI alert. Both the LockBit and Daixin Team ransomware groups claimed responsibility for an attack against fraud prevention platform Guardian Analytics Inc. It's unclear why dual attacks appear to be occurring and what factors are contributing to such incidents.
Dual ransomware attacks have emerged following a dip last year in ransomware activity, which has now resumed with a record-setting volume of attacks. NCC Group's September Threat Pulse report showed a 153% increase in the number of attacks from September 2022 to September 2023, and analysts said the rise is likely to continue year over year.
The report also highlighted one emerging trend potentially linked to dual ransomware attacks. NCC Group analysts observed the relatively new 3am ransomware group take advantage of an affiliate's failed attempt to deploy LockBit's ransomware on a targeted network.
"This seems to be a novel approach not only indicating the independence of affiliates from operators but perhaps also paving the way for a new trend in ransomware attacks," NCC Group wrote in the report.
Ian Usher, deputy global head of threat intelligence at NCC Group, said the novel approach takes that initial access broker model one step further; where the broker laid the groundwork and then offers the victim to the highest bidder. The initial access broker can equally sell it to two ransomware groups at the same time, and whoever deploys it second is more likely to get the higher ransom, he said.
While Usher said NCC Group has seen significant overlapping activity throughout the initial access and ransomware spaces, he was hesitant to say dual ransomware attacks are a trend at this time.
Ian UsherDeputy global head of threat intelligence, NCC Group
"From an incident response perspective, we quite regularly see multiple threat actors within a victim environment. The likelihood of multiple threat actors deploying ransomware is quite high because of that. A lot of it stems from the level of activity that we're seeing from the initial access brokers," Usher said. "These access brokers are absolutely making a fortune selling those credentials, and you get affiliate groups of the ransomware groups just jumping straight in and it's not surprising we've seen two. It wouldn't surprise me if we saw three at this point. That's kind of the way it's going. It's scary."
Alexander Leslie, threat intelligence analyst at Recorded Future, also listed several factors that may be happening behind the scenes to contribute to the dual ransomware attack threat. For one, ransomware affiliates may work for multiple, yet independent ransomware groups at once. That could account for instances where the same victim appears on two or more ransomware extortion blogs simultaneously, he said.
Like Usher, he addressed the significant role of ransomware as a service in dual attacks.
"It is also a possibility that multiple ransomware groups could be working together on a specific victim. This might explain the phenomenon of dual ransomware attacks," Leslie said in an email to TechTarget Editorial. "It is also possible that the initial access broker could be reselling access to the same victim to multiple ransomware groups at the same time. This is a relatively taboo practice, but sometimes happens."
Additionally, what may appear as a dual ransomware attack could be re-encryption, a tactic employed to increase extortion threats. Leslie said that instead of using the same ransomware variant, the affiliate might use a different variant while operating under the assumption that the victim has already enacted an incident response and remediation plan.
The re-encryption technique may trick the victim into thinking that since it's a different ransomware variant, it must be a different group. However, Leslie said it could very well be the same group leveraging different tools.
"This might make re-encryption and a second round of extortion more effective in extorting payment. Or it could result in a second payment, if the first payment was already made," he said.
Ryan Kovar, distinguished security strategist at Splunk, said while he has heard of dual ransomware attacks, he hasn't observed a significant amount. He said the potential trend speaks to a broader problem with the term "ransomware group and trying to attribute individual attacks to specific gangs or threat actors." Instead, his team refers to the cyber threat as "extortion by cybercriminals."
"I think this is why we should stop using the word ransomware group -- because they're really just criminal organizations that are utilizing ransomware binaries, and attribution is sometimes done because that ransomware group has developed a specific type of ransomware," Kovar said.
Negotiators and payments
Although the notification was published in September, the FBI said it observed dual ransomware attacks and increased data extortion as of July. The use of custom data theft, wiper tools and malware to pressure victims to negotiate began in early 2022, but those efforts seem to be paying off more now.
Ransomware activity and payments dropped last year, but both Chainalysis and Splunk recorded a significant increase throughout 2023. The cryptocurrency analytics vendor determined ransomware operators extorted at least $449.1 million through the first half of 2023, which is $175.8 million more than they stole during the first half of 2022.
Earlier this month, Splunk's "The CISO Report" showed 83% of surveyed participants said they gave in to ransom demands: 18% paid the ransom directly, 37% paid through cyber insurance and 28% paid through a third party.
Last month, cyber insurer Coalition said it negotiated down initial ransom demands by an average of 44%. An increase in the success of negotiators is another recent trend experts have observed in the ransomware landscape.
Jon DiMaggio, chief security strategist at threat intelligence vendor Analyst1, said he's observed ransomware groups discussing victims' lack of payment, or affiliates accepting lowball payments. He particularly monitors the LockBit ransomware group's activity.
"Threat actors are also getting frustrated with negotiators and are trying to do something about it. One affiliate complained that negotiators were adding too much to the process and then lowballing the ransom, wasting everyone's time," DiMaggio said. "LockBit notified their affiliates that their program would not tolerate affiliates giving into low ransoms negotiated by professional negotiators."
To prevent that from happening, DiMaggio said LockBit announced it will now be allowed to demand a ransom set at only 3% of the target company's annual revenue. If the offer is not accepted, the affiliate can make a one-time deal at 1.5% of the target company's revenue. If that isn't accepted, negotiations are terminated. "This is an effort to keep affiliates moving and increase the volume of attacks in addition to increasing extortion revenue," he said.
Arielle Waldman is a Boston-based reporter covering enterprise security news.