Eddie Doyle guides enterprise organizations and corporate leaders to solve challenges in an engaging manner, championing his customers’ projects to fruition through inspirational leadership and deeply provocative thought. As a keynote speaker, Eddie reaches that “Aha!” moment with his audiences, revealing simple, actionable truths to solve problems.

Earlier this month, the U.S. Federal Bureau of Investigation (FBI) issued a warning about new ransomware threat actor tactics. Specifically, the FBI described ‘Dual Ransomware Attacks’ (not to be confused with double ransomware attacks), where threat actors compromise a victim with one strain of ransomware, and within 48 hours to 10 days, deploy a secondary strain of ransomware, resulting in additional damage.

In this CyberTalk.org interview, we speak with Global Cyber Security Strategist, Edwin Doyle, about the issue. Get in-depth insights into the nature of dual ransomware threats, find out about how they could impact decisions around security solutions, and learn about essential dual ransomware prevention measures, enabling you to drive strong cyber security outcomes.

What have you seen in terms of dual ransomware attacks?

Ransomware threat actors are competing to eat their own lunch. Because many ransomware threat actors are eyeing the same companies as potential targets, they’re trying to ‘outdo’ one another with their tactics and thus gain an advantage.

I suspect that as organizations start to realize that they’re going to be targeted multiple times in a sort of “competition” by these threat actors, that will increase the probability of victims resisting ransomware payments.

If organizations are going to be affected by ransomware multiple times, how can they even afford to keep up with ransomware payments? What other choice do they have besides strengthening cyber security measures and leveraging techniques that enable them to move past ransomware?

If anything, what makes these attacks particularly problematic?

One issue is that these ransomware threat actors are deploying different variants of ransomware across the life of the attack. To date, the types of ransomware observed within dual ransomware attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum and Royal.

Deployment of different combinations of the above has resulted in complex blends of data encryption, exfiltration and extortion. It’s also meant that the amount of technology needed to contend with and untangle all of this is extensive.

I think what’s going to happen is that end users are going to need to push themselves toward a multi-vendor approach if they don’t have a vendor that has a superior Indicators of Compromise (IoC) library.

And vendors will have to demonstrate that their IoC library has resistance against a variety of advanced ransomware strains. If vendors can prove that, customers are likely going to be better off with just a few vendors, so that they can highlight incidents from their SIEM effectively.

Alternatively, this could play out in such a way where customers scramble to hire multiple vendors, hoping that all of the IoCs from these vendors will cover the ransomware variants deployed within these new dual ransomware attacks. However, the problem with that, of course, is it’s going to lead to a lot more noise – because the more vendors that an organization has, the more overrun and overwhelmed the SIEM, reporting and alerting is going to be.

Is there anything that organizations should do in order to prevent these types of threats?

As far as prevention goes, it’s much like brushing teeth. It demands routine and consistent effort. However, I think people don’t particularly like brushing their teeth, do they? While cyber security professionals may not always find basic cyber hygiene measures exciting, they’re essential when it comes to taking a proactive approach. But to be even more specific:

  • Endpoint security. Prevent ransomware intrusions by using endpoint security software. Stop malicious encryption; deploy endpoint protection.
  • Off-site and offline backups. Air-gapped backups that are tested in tabletop exercises are essential. I mentioned ‘tested in tabletops’ because so many people have backup systems put into play, but don’t visit them for six months, only to belatedly realize that the systems may become overwhelmed. It’s important to have monthly or quarterly tabletop exercises, so that you can do a mock test of bringing your backups into fruition.
  • Obviously, blocking common forms of entry with things like VPN and an RDP console.
  • Intrusion detection would likely be another one. That’s more of an MDR conversation.

Is there anything else that you’d like to share with the Cyber Talk audience in relation to dual ransomware threats?

Second ransomware attacks often appear within 48 hours of the first attack, although the interim between attacks may be as long as 10 days.

I would say that, again, security leaders will see results from security initiatives if they’re consistent. It’s about ‘brushing teeth,’ so to speak. It’s about patching regularly and taking care of the basics well.

Going back to tabletop exercises – What should organizations do if ransomware threats strike twice in quick succession? You’ll know the answer if it’s been included in your tabletop exercises!

The potential for dual ransomware attacks is likely something that cyber leaders haven’t previously considered including in tabletop exercises. Nonetheless, they should certainly include dual ransomware incidents in tabletops.
