Dual Ransomware Variants Impacting the Same Victims and Data Destruction Trends

The Federal Bureau of Investigation (FBI) released a Private Industry Notification (PIN) on September 27, 2023 to bring attention to emerging ransomware trends and to encourage organizations to implement preventative controls that reduce the likelihood and impact of ransomware incidents.

The FBI recommends that organizations establish a strong liaison relationship with their local FBI field office; locations can be found at www.fbi.gov/contact-us/field-offices. The FBI does not encourage organizations to pay ransoms; instead, it encourages victims to work closely with the agency.

Since July 2023, the FBI has observed a trend of dual ransomware attacks conducted in close proximity to one another: threat actors deployed two different ransomware variants against the same victim, drawn from AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal, in various combinations. These combined deployments resulted in data encryption, data exfiltration, and financial losses from ransom payments. A second ransomware attack against an already compromised system can significantly compound the harm to the victim, and it underscores the need for thorough eradication and recovery after the first incident rather than a partial cleanup.

The FBI has also released mitigation recommendations to help organizations prevent and recover from ransomware attacks. As a first step, organizations should update their incident response and communication plans so that they list the actions the organization will take if it is impacted by a cyber incident.

Preparing for Cyber Incidents

  • Maintain offline backups of data, and regularly test backup and restoration procedures.
  • Ensure all backup data is encrypted, immutable, and covers the entire organization's data infrastructure. Verify that backup data is not already infected before relying on it for recovery.
  • Review the security posture of third-party vendors and of any parties interconnected with your organization. Monitor those connections for suspicious activity.
  • Implement allowlisting policies for applications and remote access so that systems execute only known and permitted programs under an established security policy.
  • Document and monitor external remote connections. Only documented, approved remote management solutions should be installed on workstations.
  • Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.

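To make "test restoration" and "verify that backup data is not already infected" concrete, the following is an added example (my own code, not part of the FBI notification) that records a SHA-256 manifest of a backup set when the backup is taken and later verifies the set against that manifest, reporting files that are missing, modified, or unexpected. The file names and contents are constructed for the demonstration; the `demo()` helper simulates a tampered backup set in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Compare the backup set on disk against a previously recorded manifest.

    Returns the relative paths that are missing, whose contents changed, and
    that appeared without being in the manifest (for example ransom notes or
    renamed, encrypted copies of the originals).
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Simulate a backup set, record its manifest, tamper with it, and re-verify.

    All file names and contents below are constructed for this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.xlsx").write_bytes(b"constructed sample content 1")
        (root / "readme.txt").write_bytes(b"constructed sample content 2")

        manifest = build_manifest(root)  # in practice, store this offline or signed

        # Tampering: one file is overwritten in place, another is renamed with a
        # new extension (as an encryptor would do), so the original goes missing.
        (root / "finance" / "ledger.xlsx").write_bytes(b"opaque ciphertext")
        (root / "readme.txt").rename(root / "readme.txt.locked")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if an intruder cannot rewrite it along with the data, so keep it on offline or immutable storage (or sign it) and verify every backup set against it before a restore; the same check also catches silent corruption, not just malicious changes.
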
Identity and Access Management

  • Require all accounts with password logins to comply with NIST standards for developing and managing password policies (NIST SP 800-63B).
  • Use longer passwords, from 8 to 64 characters.
  • Enforce password complexity where policy requires it (note that NIST SP 800-63B favors length and screening against known-breached passwords over mandatory composition rules), lock accounts after multiple failed login attempts, disable password hints, and do not require frequent password changes.
  • Apply additional layers of security controls to administrator accounts.
  • Require phishing-resistant multi-factor authentication for all services to the extent possible.
  • Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Implement time-based access for accounts at the administrator level and higher, so that elevated privileges expire rather than persisting indefinitely.

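The account-review items above (unrecognized accounts, auditing administrative privileges, time-based access for admin accounts, and MFA) can be run as a repeatable check over a directory export. The following is an added example written for this page, not tooling from the FBI notification: it audits a constructed CSV export of accounts against an approved baseline. The column names, the baseline, the review date, and the set of privileged groups are assumptions for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export, one row per account, in the shape a directory
# export to CSV might take. The column names are an assumption for this
# example, not the format of any particular tool.
ACCOUNTS_CSV = """sam_account,created,groups,account_expires,mfa_enrolled
jdoe,2023-03-02T09:14:00Z,Domain Users,,true
svc_backup,2022-11-10T00:00:00Z,Domain Users;Backup Operators,,true
it_admin,2023-01-15T08:00:00Z,Domain Users;Domain Admins,2023-10-01T18:00:00Z,true
helpdesk2,2023-09-20T22:41:00Z,Domain Users;Domain Admins,,false
tmp_support,2023-09-21T03:05:00Z,Domain Users,,false
"""

# Accounts that were known and approved at the last review (assumed baseline).
BASELINE = {"jdoe", "svc_backup", "it_admin"}

# Date of the last review; anything created after it needs a second look.
REVIEW_SINCE = datetime(2023, 9, 1, tzinfo=timezone.utc)

# Group memberships that count as privileged for this audit (assumed list).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Backup Operators",
}


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; empty means 'not set'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def parse_accounts(csv_text):
    """Turn the CSV export into dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts.append({
            "name": row["sam_account"],
            "created": _parse_ts(row["created"]),
            "groups": {g for g in row["groups"].split(";") if g},
            "expires": _parse_ts(row["account_expires"]),
            "mfa": row["mfa_enrolled"].strip().lower() == "true",
        })
    return accounts


def audit(accounts, baseline, review_since):
    """Return (account, finding) pairs for the conditions the notification calls out."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        privileged = bool(acct["groups"] & PRIVILEGED_GROUPS)
        if name not in baseline:
            findings.append((name, "unrecognized account: not in approved baseline"))
        if acct["created"] >= review_since:
            findings.append((name, "account created since last review"))
        if privileged and acct["expires"] is None:
            findings.append((name, "privileged account has no expiry (no time-based access)"))
        if privileged and not acct["mfa"]:
            findings.append((name, "privileged account not enrolled in MFA"))
    return findings


def example_findings():
    """Run the audit over the constructed export above."""
    return audit(parse_accounts(ACCOUNTS_CSV), BASELINE, REVIEW_SINCE)


if __name__ == "__main__":
    for name, finding in example_findings():
        print(f"{name}: {finding}")
```

On the sample data the audit flags the service account that sits in Backup Operators with no expiry, and the two accounts created after the review date, one of which is a new Domain Admin without MFA. The value of the check is in running it on a schedule against a baseline that is itself kept under change control, so that an account created by an intruder during the first intrusion does not survive into the second.
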
Protective Controls and Architecture

Protective controls and architecture are a critical factor:

  • Segment networks to limit lateral movement and contain the spread of ransomware.
  • Monitor, detect, and investigate abnormal activity with network monitoring tools.
  • Use real-time detection with antivirus and anti-malware software.
  • Secure and closely monitor Remote Desktop Protocol (RDP) use.

Vulnerability and Configuration Management

Vulnerability and configuration management is an equally important component of a holistic approach to securing the environment:

  • Keep all operating systems, software, and firmware up to date.
  • Disable unused ports.
  • Disable hyperlinks in received emails.
  • Disable command-line and scripting activities and permissions where they are not needed.
  • Restrict the use of SMB within the network to only the servers that require it.

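"Disable unused ports", "restrict SMB to the servers that require it", and "closely monitor RDP" are easiest to enforce when a host's listening sockets are compared against an explicit per-role policy. The following is an added example written for this page (not tooling from the FBI notification) that parses constructed `ss -ltn` output and flags every non-loopback listener the host's role does not allow, with specific findings for SMB (445) and RDP (3389). The sample output and the role policy are assumptions for the example.

```python
# Constructed sample of `ss -ltn` output from a workstation; not captured
# from a real host.
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Ports each host role is expected to expose beyond loopback (an assumed
# policy for this example; a real one would come from the CMDB or a baseline).
ALLOWED_PORTS_BY_ROLE = {
    "workstation": {22},
    "file-server": {22, 445},
    "jump-host": {22, 3389},
}

SMB_PORT = 445
RDP_PORT = 3389
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Return (address, port) pairs for listening sockets in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address looks like 0.0.0.0:22 or [::]:22; split on the last colon.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def check_host(role, ss_output):
    """Flag exposed ports that the role's policy does not allow.

    Returns a sorted list of (port, finding) pairs; each port is reported once
    even if it is bound on both IPv4 and IPv6.
    """
    allowed = ALLOWED_PORTS_BY_ROLE[role]
    findings = []
    seen = set()
    for addr, port in parse_listeners(ss_output):
        if addr in LOOPBACK:
            continue  # loopback-only services are not reachable from the network
        if port in allowed or port in seen:
            continue
        seen.add(port)
        if port == SMB_PORT:
            findings.append((port, "SMB exposed on a host that is not a file server"))
        elif port == RDP_PORT:
            findings.append((port, "RDP exposed on a host that is not an approved jump host"))
        else:
            findings.append((port, "unexpected listening port"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in check_host("workstation", SAMPLE_SS_OUTPUT):
        print(f"{port}: {finding}")
```

Run against the sample as a workstation, the check reports SMB and RDP; the PostgreSQL listener bound to 127.0.0.1 is ignored because it is not reachable from the network. The same host assessed as a file server would only be flagged for RDP. On Windows hosts the equivalent input is `Get-NetTCPConnection -State Listen` or `netstat -ano`, and the policy comparison is unchanged.
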
U.S. Joint Ransomware Task Force (JRTF)

The JRTF, co-chaired by CISA and the FBI, is an interagency, collaborative effort to combat the growing threat of ransomware attacks. The JRTF was launched in response to a series of high-profile ransomware attacks on U.S. critical infrastructure and government agencies. For more information on the JRTF, see www.cisa.gov/joint-ransomware-task-force.