Feds hopelessly behind the times on ransomware trends in alert to industry

An urgent ransomware warning from the Feds has some industry analysts scratching their heads and wondering if Uncle Sam's noggin has been buried in the sand for too long.

On September 27, the FBI issued a security alert about "two trends emerging across the ransomware environment." The first, according to agents, is dual ransomware infections. This is when a victim is hit with two separate strains of malware from the same gang: the first strain comes in, and exfiltrates and encrypts files with a demand for payment as usual, and then a second wave lands and does the same thing again. It's certainly one way to boost ransom revenue.

Most of these double attacks, we're told, happen within 48 hours of each other, and the FBI said it spotted various ransomware families — AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal — being used in this way.

The Feds described the other emerging trend as "new data destruction tactics" being used by miscreants when infecting networks with ransomware. By that, the agents mean intruders are arming malware with code that erases files, putting some extra pressure on victims. Pay up, or not only have your exfiltrated data leaked but also have your filesystems trashed beyond repair.

"In early 2022, multiple ransomware groups increased use of custom data theft, wiper tools, and malware to pressure victims to negotiate," the FBI wrote in its alert [PDF]. "In some cases, new code was added to known data theft tools to prevent detection. In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals."

While that last point sounds interesting — a sleeper malware of sorts — Emsisoft threat analyst Brett Callow told The Register, "I'm not aware of any cases of delayed-launch malware that corrupts data in alternating intervals."

As to the dual-ransomware trend, Emsisoft's team issued its own PSA about criminals encrypting data using multiple ransomware strains back over two years ago. Back then the biz said this double attack can work in one of two ways: one strain encrypts files, and then another strain encrypts the encrypted data, requiring potentially two ransom payments to restore the information; or one strain scrambles some documents, and the other strain scrambles the rest.

The Register asked other security researchers to get their takes on these "new trends," and the general consensus was these are not new nor novel.

"In 2017, I worked an incident where an organization was hit by ransomware twice in six months using the exact same methodology by the exact same group," Nick Hyatt, cyber practice leader at cyber-risk management outfit Optiv, told The Register. "Last year, an automotive supplier was breached three times by LockBit, Hive, and ALPHV within two months."

This is due, in part, to the growing ransomware economy, Hyatt added.

The ever-expanding number of ransomware-as-a-service operations has resulted in affiliates working for, and using malware developed by, multiple gangs, he opined. Additionally, many of these criminal groups use initial access brokers – miscreants who sell access to the same victim network to more than one ransomware crew. That can lead to an organization being hit twice or more, by the same crew or separate ones.

These changes in the criminal economy are exacerbated by the reality that "organizations move slow" when it comes to security, Hyatt said, making them easy targets for multiple hits. A victim might also still be trying to recover from an infection and improve its defenses when the second wave comes strolling in.

"In the incident response industry, we are used to working in short sprints to deal with active incidents," he told us. "The reality is that companies actually implementing these changes can take a comparatively long time. This is due to ensuring business continuity, bureaucratic red tape and, of course, staffing issues."

Meanwhile, Mandiant's incident response team has "intermittently" assisted in incidents where multiple ransomware variants have been deployed, or a criminal uses data wipers or other destructive actions when negotiations break down, Jeremy Kennelly, senior principal analyst at the the Google-owned security biz, told us.

"However our experience does not suggest that either strategy has been significantly increasing in frequency," Kennelly told The Register.

"When extortion negotiations break down it is very common for actors deploying ransomware to threaten drastic action against an impacted organization, and it is plausible that certain threat groups are starting to lean more heavily on network disruption rather than highlighting the sensitivity of stolen or leaked data, however these two strategies have always co-existed across the ransomware ecosystem," he added. 

• MOVEit breach delivers bundle of 3.4 million baby records
• Feds raise alarm over Snatch ransomware as extortion crew brags of Veterans Affairs hit
• US-Canada water org confirms 'cybersecurity incident' after ransomware crew threatens leak
• Scattered Spider traps 100+ victims in its web as it moves into ransomware

Disruption, in these cases, includes a wide variety of tactics, from wiping data or deploying a second encryptor to an already-compromised environment, to distributed denial of service (DDoS) attacks.

Encrypt-steal-and-DDoS, known as triple extortion attacks, move from simply scrambling data on a victim's machines, to encrypting and then leaking information (aka double extortion), to stealing files, encrypting them, and then also threatening the organization with further network attacks to increase the pressure on them to pay the ransom.

Incident responders and consulting teams, including those at Palo Alto Networks' Unit 42, have been warning about this since at least 2021, as well.

"Mandiant has not observed a significant increase in the prevalence of these trends, however these types of behaviors certainly occur and are important for organizations to consider when developing their incident response and business continuity plans around destructive cyber attacks," Kennelly said.

Optiv cyber practice leader Curtis Fechner also told The Register he wouldn't consider data destruction a new tactic.

"From my perspective this is just another logical extension from using ransomware payloads to encrypt data and make it unrecoverable," Fechner said. "Since these actors are profit-motivated, anything that increases their overall revenue is welcome."

The FBI declined to comment further. ®