Dual ransomware attacks, where a gang will attack a company twice in a few hours, have been flagged by the FBI as a growing cybercrime trend. The US security agency has warned that such attacks often utilise two different strains of the same ransomware to inflict maximum damage, and can result in a combination of data encryption, exfiltration and financial losses from ransomware payments for victims.

dual ransomware attacks
FBI warns of dual ransomware attacks. (Photo by Dzelat/Shutterstock)

Ransomware strains being used in this way are AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. The FBI advises companies to make backups and encrypt them in order to protect themselves against this level of attack. 

The trend of dual ransomware attacks began in early 2022, the FBI believes. “Multiple ransomware groups increased use of custom data theft, wiper tools, and malware to pressure victims to negotiate” at this time, and “in some cases, new code was added to known data theft tools to prevent detection.”

In other cases in 2022, malware “containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals”.

How businesses can protect themselves from dual ransomware attacks

The flash warning released by the FBI advises that companies ought to implement mitigatory procedures to protect themselves from such attacks. The bureau advises that companies keep detailed, regular backups and that they ensure these backups are encrypted, as backups will often be targeted during an attack.

The FBI also suggests reviewing software supply chains and the security set-up of vendors used by businesses. “Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity,” states the advisory. “Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy,” it warns. 

The law enforcement agency goes on to urge unprotected companies to document and monitor external remote connections, so that it can implement remote management and maintenance in the event of an attack, and create a recovery plan, where multiple copies of sensitive or proprietary data and servers are kept in a physically separate place to the originals. 

“The FBI further recommends organisations review and, if needed, update incident response and communication plans that list actions an organisation will take if impacted by a cyber incident,” the agency said.

Read more: FBI takes down Qakbot network used by ransomware gangs