The Federal Bureau of Investigation (FBI) issued a Private Industry Notification on September 27, 2023, highlighting two concerning ransomware trends and providing companies with guidance on mitigating potential threat actor activity.
As of July 2023, the FBI observed multiple cases in which the same victim was hit by two ransomware attacks involving different ransomware variants, often deployed within 48 hours of one another. The variants were used in different combinations of AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. “Second ransomware attacks against an already compromised system could significantly harm victim entities,” said the FBI. These dual ransomware attacks have resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments.
Another notable trend in ransomware attacks involves new data destruction tactics designed to pressure victims to negotiate. The FBI noted that multiple ransomware groups observed in early 2022 have begun adding new code to their custom data theft tools, wipers, and malware to avoid detection. In other instances, malware deployed on a compromised system contains wiper tools that remain dormant until a set time, when the threat actor executes the tool to corrupt data in alternating intervals.
Organizations are advised to strengthen their networks by maintaining offline data backups, closely monitoring external remote connections and remote desktop protocol (RDP) use, enforcing multifactor authentication (MFA) across all services, reviewing the security posture of third parties and vendors, and applying patches and updates in a timely manner. The FBI further highlighted the importance of performing comprehensive scans of an organization’s environment to identify potential vulnerabilities and implementing network segmentation to restrict the spread of ransomware. Auditing user accounts and securing accounts with strong passwords that comply with National Institute of Standards and Technology (NIST) standards are also recommended.
Organizations are encouraged to report suspicious or criminal activities to their local FBI field offices or ic3.gov. Reports should include the date, time, location, type of activity, number of people affected, type of equipment used for the activity, the name of the organization, and a designated point of contact.