The fact that over 10,000 organizations appeared on leak sites in 2023, the most since 2019, is a microcosm of the growing ransomware menace. Leak sites are a name-and-shame tactic used by ransomware operators to extort ransom fees from organizations that refuse to pay. Leak sites do not reveal the full scope of impact from ransomware attacks. However, they do provide insight into emerging ransomware as a service groups and ongoing trends such as dual ransomware attacks, in which a second strain is deployed after the initial compromise to inflict even more damage.
Zero Day Strategy
Ransomware as a service operators, the main culprits behind leak sites, are exploiting more zero-day vulnerabilities. In March 2023, CLOP—the group with the third-highest number of victims on leak sites—exploited a previously unknown vulnerability in GoAnywhere MFT (a secure file transfer company) to spread ransomware to 48 victims. In May 2023, CLOP repeated this dubious trick on MOVEit.
CLOP’s novel zero-day campaigns suggest that ransomware gangs have the financial and technical capabilities to exploit unknown vulnerabilities. According to Dr. Darren Williams, Founder and CEO of BlackFog, “We have seen a dramatic increase in the attack rates of CLOP throughout 2023, representing 10.2% of all attacks, coming in third overall. However, the effectiveness is questionable, with CLOP not even in the top 5 in the number of reported (verified) attacks for the year.”
In recent years, ransomware attackers have broadened their techniques, sometimes launching many variants of ransomware on the same organization concurrently or in rapid succession. This approach resembles ‘double extortion,’ in which the attacker encrypts the victim’s data and then threatens to disclose or sell the exfiltrated data unless a ransom is paid. In its many advisories, the US Federal Bureau of Investigation (FBI) has underlined these developing strategies, emphasizing the rising complexity and diverse nature of dual ransomware attacks.
Dual Ransomware Attacks
Innovation guides the strategy of malware attackers, who always seek illicit, creative ways to evade security detection. This relentless quest for success explains why ransomware gangs are attacking with unprecedented speed and new tactics. Dual ransomware attacks reflect the latest cybercriminal mindset: to attack organizations as rapidly and aggressively as possible while they are still recovering from previous breaches.
This mindset explains why most dual ransomware intrusions occur within 48 hours of each other, according to the FBI’s threat analysis from September 2023. The expedited nature of dual ransomware attacks and breaches also aligns with Secureworks’ observation that it takes ransomware operators an average of 24 hours to access a network and carry out their exploits.
The spread has been attributed to the simplicity of operations. Threat actors aren’t conducting the same operations more quickly, but rather, conducting simpler operations. More sophisticated attacks are by nature more difficult to execute and take longer to carry out.
Meanwhile, the FBI noted that AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal were among the primary perpetrators of dual ransomware attacks. Likewise, Bill Siegel (CEO and co-founder of Coveware) added MedusaLocker and GlobeImposter to the growing list of cybercriminal groups specializing in dual ransomware attacks.
Their modus operandi involves using affiliates to spread different ransomware variants. As Siegel revealed to BleepingComputer, “[There are] situations where the initial access broker sells access to the network to two different ransomware affiliates that use different brands of ransomware. Both affiliates are then in the network, impacting machines in close time proximity to each other.”
A prominent example of a dual ransomware breach occurred in June 2023 when ALPHV/BlackCat and CLOP breached the beauty company Estée Lauder. BleepingComputer believes CLOP exploited a previously unknown vulnerability in the MOVEit Transfer platform to gain unauthorized access to Estée Lauder.
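As an added illustration of the FBI’s 48-hour observation above (example code written for this article, not part of the original post or of BlackFog’s products), the Python below correlates ransomware alerts per organization and flags cases where two distinct families are first seen within the window. The alert format and the sample events are constructed assumptions; the family names are those listed by the FBI above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry): (timestamp, org, host, ransomware family)
SAMPLE_ALERTS = [
    ("2023-09-01T02:10:00", "acme", "fs01", "LockBit"),
    ("2023-09-01T03:40:00", "acme", "fs02", "LockBit"),
    ("2023-09-02T14:05:00", "acme", "db01", "Royal"),       # second family ~36h later
    ("2023-09-03T09:00:00", "globex", "web01", "Hive"),
    ("2023-09-10T09:00:00", "globex", "web01", "Quantum"),  # second family 7 days later: outside window
    ("2023-09-05T11:00:00", "initech", "wk07", "AvosLocker"),
]

# Correlation window taken from the FBI's observation that most dual intrusions are within 48 hours
WINDOW = timedelta(hours=48)


def parse_alert(row):
    ts, org, host, family = row
    return datetime.fromisoformat(ts), org, host, family


def find_dual_ransomware(alerts, window=WINDOW):
    """Return {org: [(family_a, family_b, gap_hours), ...]} for every organization
    in which two distinct ransomware families were first seen within `window`."""
    by_org = defaultdict(list)
    for row in alerts:
        ts, org, _host, family = parse_alert(row)
        by_org[org].append((ts, family))

    findings = {}
    for org, events in by_org.items():
        events.sort()
        # Earliest sighting of each family inside this organization
        first_seen = {}
        for ts, family in events:
            first_seen.setdefault(family, ts)
        ordered = sorted(first_seen.items(), key=lambda kv: kv[1])
        pairs = []
        for i in range(len(ordered)):
            for j in range(i + 1, len(ordered)):
                (fam_a, t_a), (fam_b, t_b) = ordered[i], ordered[j]
                gap = t_b - t_a
                if gap <= window:
                    pairs.append((fam_a, fam_b, round(gap.total_seconds() / 3600, 1)))
        if pairs:
            findings[org] = pairs
    return findings
```

Only `acme` is flagged: `globex` saw two families but seven days apart, and `initech` saw a single family.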
Vulnerabilities
Whether employing double extortion techniques or innovative, unforeseen strategies, ransomware as a service groups are masters of stealth. They typically rebrand after 17 months, making them difficult for security teams to track. Their persistence indicates that organizations can no longer afford to consider cybersecurity an afterthought.
Investing in cybersecurity expertise is the first step towards clipping the wings of ransomware families, which are skilled at exploiting ignorance and human vulnerabilities through social engineering techniques such as phishing and vishing. In 2023, for example, phishing emails were the conduit for nearly a third of ransomware attacks. Similarly, vishing, the ruse of extracting critical information over phone calls, was utilized as an attack vector in the infamous MGM hack in 2023. A skilled workforce, on the other hand, improves the odds of detecting and containing threats. According to IBM Security, organizations with a trained workforce spent 12.8% less on data breaches in 2022 than firms with unskilled employees.
Another strategy to combat multiple ransomware threats is to implement a zero-trust culture. The concept of zero trust eliminates implicit trust in entities (people, processes, and systems). Instead, it employs strict access control procedures to ensure that only permitted entities have access to the resources they require, and only for a set period of time.
In the context of ransomware intrusions, the zero trust principle inhibits the lateral spread of malware, potentially stopping an attack before it reaches vital systems. According to IBM Security, firms that use a mature zero-trust approach spend less on breaches.
Next Steps
BlackFog is the leader in anti data exfiltration (ADX), a must-have technology for organizations that understand the value of data and prevention-based security policies. Keeping data from leaving your network reduces overall risk, optimising cybersecurity compliance and audit outcomes across the board. Arrange a demo with us today to find out how we can assist you and your organization.