Ransomware gangs destroying data, using multiple strains during attacks: FBI

Ransomware gangs are shifting their tactics to include multiple strains in the same attack and destructive tools beyond encryption or theft, the FBI warned this week.

Gangs are increasingly using “custom data theft, wiper tools, and malware to pressure victims to negotiate,” a white notice published Wednesday said.

“In some cases, new code was added to known data theft tools to prevent detection. In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.”

The FBI explained that as of July they are also seeing several groups using a combination of two ransomware strains during attacks.

The AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal variants have been deployed alongside one another during incidents, making it difficult for defenders preparing for one or the other.

“This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities,” they said.

Cybersecurity experts had a mixed response to the notice. Emsisoft ransomware expert Brett Callow noted that this is not a new phenomenon, with his company tracking these “double encryption attacks” since early 2021.

At times, he said, ransomware actors will encrypt data with one ransomware strain and then re-encrypt that data with the second strain.

In other instances, hackers will encrypt some data with one strain and the rest with another. The company’s experts theorized that hackers were doing this to complicate the recovery effort, increase the ransom payout potential, and make sure that even if one ransomware failed, the other would get the job done.

Emsisoft has seen the REvil, Netwalker, MedusaLocker and GlobeImposter strains being used in these kinds of attacks.

Allan Liska — threat intelligence analyst at Recorded Future, the cybersecurity firm that is the parent company of The Record — said the trend is often confusing because it muddies the waters in terms of understanding who is launching an attack.

“It does happen that two ransomware groups will deploy at the same time. But, we sometimes see threat actors who are affiliates for multiple ransomware groups posting victim data in multiple places,” he said.

In his view,the focus on data destruction was the more interesting part of the advisory.

“If ransomware groups are increasing the use of data wipers that trigger if negotiations go bad, then it means it is even more important to fully remove all tools/accounts the ransomware actor leaves behind so they can’t activate these tools,” he added.

Destructive wipers have been observed widely in ransomware attacks deployed in the context of war or geopolitical conflict. Russian hackers have used wipers extensively against Ukrainian systems and Iranian actors have used the tools in attacks on both companies and other countries. Wiper malware was also used in an attack that paralyzed Iran's national railway system.

Fortinet security researcher Gergely Révay told The Record last year that wiper malware is increasingly reaching targets outside of Ukraine.

While versions of wiper malware have previously been seen in Ukraine, Japan and Israel, it only recently became a truly global phenomenon. Révay said Fortinet detected wiper malware in 24 countries in the first half of 2022.

The FBI provided a range of recommendations for companies to take, including the maintenance of offline backups and the development of relationships with local FBI offices.