Some things are better in pairs. Socks, dice, animals on arks. Not ransomware.
“Dual” ransomware, the term a September FBI advisory used for two attacks on the same victim in close succession, is on the rise, according to the agency and other pros who handle ransomware response. The rise in back-to-back attacks is a sign to some that orgs are rushing back to business after the first incident without properly shoring up defenses.
“They need to be able to generate revenue again. So it’s urgent for them to get back up and running,” said Curtis Fechner, engineering fellow at the cybersecurity-services integrator Optiv. “But what we’re seeing now, and this is what the FBI is seeing, is that they’re not necessarily remediating what is actually addressing the root cause that allowed the ransomware attack to be successful in the first place, which means that somebody else can come in and use more or less the same tactics and hit that same victim.”
Please advise…On Sept. 27, the FBI sent a private-industry notice about a “trend”: ransomware attacks against the same victim happening in close proximity to one another. The gap between the dual hits ranged from two to 10 days, though the majority, the agency said, occurred within 48 hours of each other.
The notice also named a mix of ransomware variants (AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal) and a mix of outcomes (data encryption, exfiltration, and financial losses from ransom payments).
When one attack occurs, another set of criminals may see an opportunistic opening to go after a weakened target and the exhausted employees.
“They’ve worked hundreds of hours, and they’ve had to rebuild infrastructure that all originally took them years and years to get built and configured…People get done with that. And the last thing they want to do is continue that type of cadence,” said Drew Schmitt, practice lead on the research and intelligence team at the cybersec-services provider GuidePoint Security.
On the rise. A global survey from the security company Barracuda Networks, conducted in December 2022, found that 38% of the surveyed IT professionals had “reported two or more successful ransomware attacks” in the prior 12 months.
A study from the cybersecurity company Sophos, conducted between January and March of 2023, found that the average ransomware payment reached $1,542,333, up from an average of $812,380 in 2022; the survey polled “3,000 IT/cybersecurity leaders.”
For those surveyed who did not pay a ransom and instead used backups to restore data, the median recovery cost was still $375,000.
MedTech Dive reported that the US healthcare company Henry Schein “expects a $0.55 to $0.75 impact to earnings per share related to the business interruption,” after two BlackCat ransomware attacks in the fall of 2023.
The FBI’s September 2023 notice was one of many fall reports from industry players pointing to a rise in both the volume and the sophistication of ransomware attacks.
What’s trending (and why): Fechner has noticed a pattern that he believes aligns with the FBI’s findings: orgs not “closing the loop” after a crisis by reviewing lessons learned and hardening infrastructure with tools and practices such as endpoint detection and response (EDR) products, multi-factor authentication, and company-wide incident-response training.
The FBI’s September advisory recommended mitigations including data backups, complex passwords, and network segmentation.
Schmitt, who tracks ransomware trends, has noticed the growth of dual attacks and aims to examine their roots more closely in 2024.
“What we’re going to really be focusing on is not only the trends associated with seeing this type of activity, but also trying to put some clarification into…whether or not these are coordinated,” Schmitt told IT Brew.