FBI details two or more ransomware variants impacting same victims, data destruction trends

The Federal Bureau of Investigation (FBI) on Wednesday published a Private Industry Notification (PIN) highlighting emerging ransomware trends. As of July this year, the FBI noted that these trends included multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks. Organizations are encouraged to implement the recommendations in the ‘Mitigations’ section to reduce the likelihood and impact of ransomware incidents.

“The FBI noted a trend of dual ransomware attacks conducted in close proximity to one another,” according to the FBI PIN. “During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.”

Additionally, the agency revealed that variants were deployed in various combinations. “This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities,” it added. 

In early 2022, multiple ransomware groups increased use of custom data theft, wiper tools, and malware to pressure victims to negotiate, the FBI disclosed. “In some cases, new code was added to known data theft tools to prevent detection. In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.”

The FBI recommends that network defenders apply mitigations to limit potential adversarial use of common system and network discovery techniques and reduce the risk of compromise by ransomware. 

When it comes to preparing for cyber incidents, organizations must maintain offline backups of data and regularly maintain backup and restoration capabilities. Instituting this practice ensures the organization will not be severely interrupted and that backup data will be accessible when it is needed. All backup data should be encrypted, immutable (that is, it cannot be altered or deleted), and cover the entire organization’s data infrastructure, and organizations should also verify that the backup data is not already infected.

They must review the security posture of third-party vendors and those interconnected with the organization, the FBI document said. “Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity. Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy,” it added.

The FBI also called for Identity and Access Management (IAM) measures requiring all accounts with password logins to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies. Organizations should also require phishing-resistant multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems; review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts; and audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
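The account review the notice asks for can be scripted against Active Directory. The following is an added example, not code from the FBI notice; the lookback window, the list of privileged groups and the approved-administrator names are assumptions and placeholders.

```powershell
# Added example: audit recently created accounts and privileged group membership in AD.
# Requires the ActiveDirectory RSAT module; run from a domain-joined admin workstation.
Import-Module ActiveDirectory

# Assumptions (not from the FBI notice): a 7-day lookback and this set of privileged groups.
$LookbackDays     = 7
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$Since            = (Get-Date).AddDays(-$LookbackDays)

# 1. Accounts created inside the lookback window: candidates for "new and/or unrecognized accounts".
$NewAccounts = Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, Enabled, LastLogonDate |
    Select-Object SamAccountName, whenCreated, Enabled, LastLogonDate

# 2. Current members of each privileged group, resolved recursively so nested groups are expanded.
$PrivilegedMembers = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.distinguishedName -Properties whenCreated, Enabled
            [pscustomobject]@{
                Group          = $Group
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                Created        = $User.whenCreated
                NewSinceCutoff = ($User.whenCreated -ge $Since)   # admin created recently: review first
            }
        }
}

# 3. Compare against an approved list kept under change control (constructed placeholder names).
$ApprovedAdmins = @('svc_backup', 'admin.jdoe')
$Unexpected = $PrivilegedMembers | Where-Object { $ApprovedAdmins -notcontains $_.SamAccountName }

"New accounts created in the last $LookbackDays days:"
$NewAccounts | Format-Table -AutoSize
"Privileged group members not on the approved list:"
$Unexpected | Format-Table -AutoSize
```

Anything listed in the second table is either a missing change record or an account that should be investigated, and the `NewSinceCutoff` flag orders that investigation.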

The federal agency also directed the application of protective controls and architecture, segmenting networks to prevent the spread of ransomware. Organizations must also identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool; install, regularly update, and enable real-time detection for antivirus software on all hosts; and secure and closely monitor remote desktop protocol (RDP) use.

The notification also addressed vulnerability and configuration management, calling for all operating systems, software, and firmware to be kept up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations must also disable unused ports; consider adding an email banner to emails received from outside the organization; disable hyperlinks in received emails; and disable command-line and scripting activities and permissions, since privilege escalation and lateral movement often depend on software utilities running from the command line.

It also called for ensuring that devices are properly configured and that security features are enabled. Organizations must disable ports and protocols that are not being used for a business purpose; restrict Server Message Block (SMB) protocol within the network to only the servers that need it; and remove or disable outdated versions of SMB (such as SMB version 1).
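On a Windows host, the SMB items above translate into a short audit-and-harden routine. This is an added example rather than anything from the FBI notice; the peer addresses are constructed placeholders, and it assumes an elevated session on a Windows client (Windows Server removes SMBv1 through the `FS-SMB1` feature instead).

```powershell
# Added example: audit and harden SMB on a Windows host per the FBI mitigations above.
# Run in an elevated PowerShell session. Addresses below are constructed placeholders.

# 1. Report the current state of SMBv1 on the server side and as an installed Windows feature.
$SmbConfig   = Get-SmbServerConfiguration
$Smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
[pscustomobject]@{
    Smb1ServerEnabled = $SmbConfig.EnableSMB1Protocol
    Smb1FeatureState  = $Smb1Feature.State
    Smb2Enabled       = $SmbConfig.EnableSMB2Protocol
    SigningRequired   = $SmbConfig.RequireSecuritySignature
} | Format-List

# 2. Disable SMBv1 (the outdated version the notice names) and remove the feature.
#    On Windows Server use: Remove-WindowsFeature FS-SMB1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 3. Restrict inbound SMB (TCP 445) to the servers that actually need it.
#    Windows Firewall evaluates Block rules before Allow rules, so instead of adding a
#    blanket Block rule, rely on the Block default and replace the broad built-in Allow rules
#    with one Allow rule scoped to the approved peers.
$AllowedSmbPeers = @('10.0.10.5', '10.0.10.6')   # constructed: file server and backup server
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -like '*SMB-In*' } |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'SMB-In restricted to approved peers' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $AllowedSmbPeers -Action Allow

# 4. Re-read the configuration so the change is confirmed rather than assumed.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature
```

Step 2 takes effect fully only after a reboot, so the step-4 readback confirms the server setting while the feature removal is still pending.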

Earlier on Wednesday, U.S. and Japanese security agencies jointly released a cybersecurity advisory (CSA) outlining the actions of hackers associated with the People’s Republic of China (PRC) known as ‘BlackTech.’ The group has demonstrated the ability to covertly alter router firmware and exploit routers’ domain-trust relationships, enabling it to pivot from international subsidiaries to target headquarters in Japan and the U.S.

The authoring agencies furthermore recommend implementing the mitigations described to detect this activity and protect devices from the backdoors that the BlackTech hackers leave behind.
