The Rise of Dual Ransomware Attacks
One ransomware attack is bad enough, but threat actors won’t always stop there. Dual attacks are a trend to watch.
At a Glance
- In July 2023, the FBI identified a trend of cyber threat actors deploying two or more ransomware variants against the same victim.
- Dual ransomware attacks target the same victim within 10 days or less, with most taking place within 48 hours of one another.
- If two attackers are in play, recovery can be even more complicated. Two different attackers may encrypt the same files.
Ransomware shows no signs of slowing as 2024 approaches. A report from Corvus Insurance found a 110.43% year-over-year increase in the number of ransomware victims posted on leak sites in November 2023. And threat actors are continuing to explore new ways to make ransomware attacks even more profitable.
In September 2023, the FBI released a private industry notification warning of a growing trend in the ransomware landscape. As of July 2023, it had identified cyber threat actors deploying two or more ransomware variants against the same victim. These dual attacks compound the harm to victims: more data encrypted, more data exfiltrated, and greater financial losses. The FBI also noted that ransomware groups have been upping the pressure on victims since early 2022, using custom data theft, wiper tools, and additional malware as negotiation tactics.
What can dual ransomware attacks look like, and how can CISOs and their teams reduce the risk of their enterprises becoming victims?
Back-to-Back Attacks
The FBI considers dual ransomware attacks to be attacks against the same victim within 10 days or less, with the majority of these dual attacks taking place within 48 hours of one another, according to the private industry notification.
“I think we're all still trying to figure out exactly the reason why this is happening,” says Margaux Weinraub, cyber practice leader at The Graham Company, an insurance brokerage. These dual attacks are still an emerging trend, and they could be executed in different ways.
“It could just be as simple as a really, really bad coincidence where two actors independently find the same vulnerability within a short amount of time and make use of that,” says Trevor Hilligoss, vice president, SpyCloud Labs.
In some cases, a single threat actor could be behind a dual ransomware attack, leveraging the same vulnerability to doubly extort a victim. The group may get a victim to pay the initial ransomware demand and decide to try for more. “They might use a different ransomware strain [and] pretend to be a different ransom group to extort that same victim again,” explains Jonathan Braley, operations manager at IT-ISAC, a cyber threats and information sharing nonprofit.
Posing as two different groups can keep word from spreading that a particular group does not honor its promises after receiving an initial payment.
In the private industry notification, the FBI notes that variants used in these dual attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.
Kurtis Minder, CEO of GroupSense, a digital risk protection services company, points out that LockBit has adapted its platform to deploy multiple kinds of encryption tools. “They're using a ransomware deployment platform that can deploy multiple kinds of ransomware malware at a time,” he tells InformationWeek. “So, the fact that they've just written [that] into the code I think is an indicator that we are going to continue to see it.”
It is also possible that initial access brokers are playing a role in dual attacks. It is typically considered taboo for these brokers to resell access after it has been purchased by one threat actor, according to Hilligoss. But that could be changing. “Maybe this indicates that access brokers are just selling … more freely,” he says.
Double the Trouble
When an organization is hit with a ransomware attack, it triggers a mad dash to determine the access point, what systems have been compromised, any persistent access, and the scope of the damage. With a second attack happening within hours or days, an organization may not have completed incident response and remediation for the first.
“Companies that aren't prepared for that first ransomware attack … may have actually taken down more systems than they needed to [and] just made themselves more vulnerable for the second one,” shares James Gerber, CFO of cybersecurity company SimSpace.
Two ransomware attacks mean that companies could be facing more data encryption, more data exfiltration, more data leaks, and multiple demands for payment.
If an enterprise is dealing with a single attacker behind two attacks, it could still be facing two different ransomware strains. How did each strain affect the organization's systems, and what will it take to remediate and return to normal operations? How much data was taken? Ransomware groups can post that exfiltrated data to leak sites to increase the pressure on victims to pay.
If two different attackers are in play, recovery can be even more complicated. Two different attackers may encrypt the same files. “We've had a couple of cases where the first ransomware incident occurs. They encrypted a bunch of files. In the midst of dealing with that, a second attack … those attackers encrypt the encrypted files of the other attackers,” Minder shares. “If that happens, where you get encrypted files encrypted again, the likelihood of corruption goes up a thousand percent, and you may not get your files back at all.”
While collaboration between threat actors is not unheard of, two different groups may be at odds when attacking the same victim. Which actor do you negotiate with first? Which decryption key do you need for what files? “Actor one doesn't care that actor two is involved, and so, they both have their timetables and you as a victim,” says Minder.
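To make the layering problem Minder describes concrete, here is an added illustration that is not from the article or from any of the people quoted in it. It models two hypothetical operators ("first" and "second") that each encrypt a file, append a footer marker, and rename it with their own extension, and whose decryptors, like many real victim-side decryptors, refuse files they do not recognise. The cipher is a toy HMAC-based keystream standing in for the AES or ChaCha a real strain would use; the extensions `.lockA`/`.lockB`, the markers, the keys, and the sample file contents are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    """One ransomware operator. Name, key, extension and marker are
    hypothetical values for this demo, not taken from any real strain."""
    name: str
    key: bytes
    ext: str       # extension appended to files this actor encrypts
    marker: bytes  # footer this actor's decryptor uses to recognise its files


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(actor: Actor, filename: str, data: bytes) -> tuple[str, bytes]:
    """Encrypt whatever is on disk under `filename`, append the actor's
    marker and rename. If the file is already another actor's output, that
    output, marker included, is simply treated as plaintext."""
    nonce = hashlib.sha256(filename.encode()).digest()[:16]
    ciphertext = _xor(data, _keystream(actor.key, nonce, len(data)))
    return filename + actor.ext, ciphertext + actor.marker


def decrypt(actor: Actor, filename: str, blob: bytes) -> tuple[str, bytes]:
    """This actor's decryptor: it only touches files carrying its own
    extension and footer marker."""
    if not (filename.endswith(actor.ext) and blob.endswith(actor.marker)):
        raise ValueError(f"{actor.name} decryptor does not recognise {filename!r}")
    original = filename[: -len(actor.ext)]
    ciphertext = blob[: -len(actor.marker)]
    nonce = hashlib.sha256(original.encode()).digest()[:16]
    return original, _xor(ciphertext, _keystream(actor.key, nonce, len(ciphertext)))


def can_decrypt(actor: Actor, filename: str, blob: bytes) -> bool:
    try:
        decrypt(actor, filename, blob)
        return True
    except ValueError:
        return False


def layer_order(filename: str, actors: list[Actor]) -> list[Actor]:
    """Triage helper: infer which decryptor must run first from the stacked
    extensions, outermost layer first. Only works when every strain involved
    renames files; treat the result as a hint, not proof."""
    order: list[Actor] = []
    name = filename
    while True:
        outer = next((a for a in actors if a.ext and name.endswith(a.ext)), None)
        if outer is None:
            return order
        order.append(outer)
        name = name[: -len(outer.ext)]


def recover(filename: str, blob: bytes, order: list[Actor]) -> tuple[str, bytes]:
    """Peel the layers in the given order; every step needs that actor's key."""
    for actor in order:
        filename, blob = decrypt(actor, filename, blob)
    return filename, blob


# Two hypothetical operators hitting the same host two days apart.
FIRST = Actor("first", b"first-actor-key", ".lockA", b"--LOCKA--")
SECOND = Actor("second", b"second-actor-key", ".lockB", b"--LOCKB--")

PLAINTEXT = b"Q3 invoices: constructed sample file content"        # constructed
NAME1, BLOB1 = encrypt(FIRST, "invoices.xlsx", PLAINTEXT)         # day 0
NAME2, BLOB2 = encrypt(SECOND, NAME1, BLOB1)                       # day 2

if __name__ == "__main__":
    print(NAME2)                                   # invoices.xlsx.lockA.lockB
    # Paying the first actor alone buys nothing: its decryptor no longer
    # recognises the file, since the second actor encrypted the footer too.
    print(can_decrypt(FIRST, NAME2, BLOB2))        # False
    order = layer_order(NAME2, [FIRST, SECOND])
    print([a.name for a in order])                 # ['second', 'first']
    print(recover(NAME2, BLOB2, order) == ("invoices.xlsx", PLAINTEXT))  # True
```

The point the demo makes is that the second actor's payload treats the first actor's output, footer and all, as ordinary plaintext. The victim therefore needs the second actor's key before the first actor's decryptor will even recognise its own files, and a decryptor that is less careful than this one about checking markers would overwrite the file with garbage instead of refusing. Settling with the first actor first, as a victim naturally would, does not unlock anything until the outer layer is gone.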
A single ransomware attack can have a negative impact on an enterprise’s brand. Customers and partners can lose trust when their data is compromised. Another attack can cause further brand damage. “If you [have to come back] 10 days later and say ‘Hey, another ransomware group has hit us. We’ve lost data again. We’re working to remediate.’ I think that's going to be bad,” says Braley.
The ripple effect of multiple attacks can be felt internally as well. Dual ransomware attacks can be emotionally taxing and demoralizing for incident response teams. In an industry that struggles with burnout, organizations might find that their security talent is ready to move on after a dual attack. “You're talking probably about a significant amount of attrition on your IT staff almost immediately,” says Minder.
The financial impact of ransomware will increase when an organization experiences two attacks in quick succession. An organization may opt to pay more than one ransom demand. If it opts not to pay, it will need to work through the financial ramifications of any lost and leaked data.
Cyber insurance can help offset the financial impact of a ransomware attack, but an organization that is hit twice in a short time period may find that it exceeds its policy limits. Its insurance carrier may also reassess the level of risk that organization represents when it comes time for the policy’s renewal.
Risk Reduction
How can organizations minimize the likelihood of becoming the victim of a dual ransomware attack? Incident response is essential. “Having monitoring capabilities, logging capabilities that you can [use to] quickly try to figure out how this threat actor breached you will hopefully help you close that hole so that another ransomware group doesn't come in,” says Braley.
Effective incident response is developed before an incident ever occurs. While penetration testing and tabletop exercises are valuable, Gerber argues that severe incidents, like dual ransomware attacks, require more preparation. Organizations that practice the response to these types of events in replicas of their systems may be able to withstand ransomware attacks before they become material in impact. “These things are just so severe. You can't practice for them in your production environment, or you'll break something,” he says.
Cyber insurance also has an important role to play in reducing an organization's risk exposure, but it cannot stand alone. “Insurance is meant to be a form of balance sheet protection for organizations,” says Weinraub. “Cyber insurance is never going to be the end-all, be-all, or mutually exclusive: either you need to have a strong security posture, or you need to have an insurance policy.”
While the way an organization responds to a ransomware attack is crucial, Hilligoss emphasizes the importance of taking a step back to understand how threat actors are gaining access. “Exploring how that access is gained, and then, how that is sold, is really key in my opinion to understanding the problem with ransomware,” says Hilligoss.
Research from SpyCloud, for example, has found a connection between infostealer malware, which is used to siphon credentials, and ransomware attacks. Of 2,613 North American and European ransomware victims in 2023, 30% had been infected by an infostealer at least once before suffering a ransomware attack, according to SpyCloud's Ransomware Defense Report 2023.
Understanding how threat actors are getting access and then selling it can inform organizations’ approach to defensive strategies.
More Ransomware Attacks to Come
Ransomware is expected to continue in 2024. While some ransomware events are public knowledge, the new cybersecurity incident disclosure rules for public companies from the US Securities and Exchange Commission (SEC) could increase visibility. “I think with those new rules, we’re going to probably see that ransomware is more prevalent than we probably even realized,” says Braley.
The surge in artificial intelligence capabilities also portends more attacks. Ransomware groups are going to use AI in creative ways to target victims, whether for a single attack or multiple. “In case organizations are … feeling a little unprepared for the manual version of ransomware, just wait for when AI is assisting that,” says Gerber.
While ransomware trends may evolve, it is likely to be a persistent threat as long as it remains lucrative.