In a recent notification, the FBI's cyber division outlined emerging ransomware strategies and prevention guidance.
On September 27th, the FBI released information regarding two threat trends.
One of the trends was noticed by the organization in July. The FBI describes this new trend as "multiple ransomware attacks on the same victim in close date proximity." They found that threat actors would deploy two different ransomware variants against the same company.
Variants include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. These were deployed in various combinations, resulting in data encryption, exfiltration, and financial impact. Compromising companies a second time dramatically increased the risk of harm.
The FBI also noted a second trend, first spotted in early 2022, wherein ransomware groups increasingly use custom data theft, wiper tools, and malware.
The FBI has several recommendations for organizations in response to the recent threats. Outside of securing data and mitigating attacks, they also recommend organizations "establish and maintain strong liaison relationships with the FBI Field Office in their region."
To prepare for cyber incidents, the FBI recommends organizations:
They also have recommendations for access management, which include:
Other recommendations are related to the detection of abnormal activity and specific suggestions to prevent vulnerability, such as disabling hyperlinks in received emails. The full list of recommendations is available here.
As threat actors evolve, organizations must remain diligent in preparing for and mitigating threats.
In the case of multiple attacks, the effects can be devastating if an organization is not adequately prepared or does not have backup data securely stored. Organizations should monitor changing trends and continually adapt their protection protocols and recovery plans.
Organizations can prepare for and defend against cyberattacks by staying on top of trends and security guidance.
Organizations that fail to abide by recommendations may find themselves facing additional legal ramifications if it is discovered they could have prevented data from being stolen.