The FBI has issued a warning about a rising trend in cyberattacks – dual ransomware attacks, where cybercriminals carry out two or more attacks in rapid succession, using different ransomware variants. These attacks pose a significant threat to organizations, as they can result in extensive damage and high costs. To break free from this vicious cycle, CIOs and CISOs must adopt a new approach to cybersecurity and recovery.
The Dual Ransomware Threat
Dual ransomware attacks involve criminals executing multiple attacks with a short time gap, ranging from 48 hours to a maximum of ten days. Attackers use two different ransomware variants against their targets, amplifying the potential damage and costs. Notable ransomware variants include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. Furthermore, ransomware groups are increasingly deploying custom data theft and wiper tools to pressure victims to negotiate.
To mitigate the impact of dual ransomware attacks, organizations need to reassess their cybersecurity strategies and focus on key areas that insurers assess during underwriting.
Recovery Workflows Must Evolve
During a cyber-attack, IT teams operate under immense pressure to restore systems and minimize downtime. However, a common error in this situation is the reliance on traditional recovery workflows designed for disasters like floods or power loss. These workflows restore systems quickly but often overlook the root causes of the cyberattack. As a result, malicious artifacts, compromised passwords, and vulnerabilities exploited by attackers remain unresolved.
Rebuilding systems without addressing these security gaps lays the foundation for an endless cycle of attacks. To break free from this loop, organizations must modernize their system recovery processes.
The Cleanroom Approach
To combat dual ransomware attacks effectively, infrastructure and security teams must work together to understand the attack’s nature and mitigate its recurrence. A “cleanroom” environment serves as an ideal place for this collaboration. In the cleanroom, all involved teams can work in parallel with copies of production data, creating an isolated, secure environment.
Modern data security and management platforms facilitate this process by delivering snapshot versions of systems into the cleanroom. These snapshots are protected against external attacks through vaulting, immutable storage, multi-factor authentication, and encryption. Within this environment, digital forensics can analyze systems at various stages of the attack, and security tools can be deployed to address vulnerabilities and enhance protective and detective controls.
Preventing a Follow-up Attack
The response actions in the cleanroom might extend the recovery time objective, but they are crucial for preventing a follow-up attack. Vulnerabilities must be patched, malicious accounts removed, and security controls strengthened to bolster cyber resilience. While IT teams may prioritize restoring critical systems, the CIO and CISO should coordinate and adjust recovery timelines and operational costs.
Conclusion
Dual ransomware attacks pose a severe threat to organizations, driving up damage and associated costs. To defend against these attacks, CIOs and CISOs must adapt their recovery workflows and embrace a modernized approach that involves collaboration, isolation, digital forensics, and vulnerability mitigation. By prioritizing cybersecurity and taking comprehensive measures to address vulnerabilities, organizations can break free from the cycle of attack and re-attack, ultimately enhancing their cyber resilience.
