The FBI has issued a warning about emerging ransomware trends [4] [9], specifically the rise in dual ransomware attacks and the use of custom data theft and wiper tools by ransomware groups. These tactics cause significant harm to compromised systems and worsen the impact on entities that have already been breached.


Since July 2023 [5], the FBI has observed two trends in the ransomware environment [5]. The first trend involves cybercriminals launching multiple ransomware attacks on the same victim within a short timeframe [5], using different ransomware variants such as AvosLocker [5] [8], Diamond [1] [4] [5] [7] [8], Hive [1] [4] [5] [7] [8], Karakurt [1] [4] [5] [7] [8], LockBit [1] [4] [5] [7] [8], Quantum [1] [4] [5] [7] [8], and Royal [1] [5] [7] [8]. These attacks encrypt data, exfiltrate information [5], and demand ransom payments [5], causing delays in remediation efforts [5]. The second trend involves multiple ransomware groups pressuring victims into negotiation by using custom data theft tools and malware. Some attackers modify known data theft tools to avoid detection [1] [5] [8], while others use malware with data wipers that activate at specific times to corrupt data [3] [5].

To increase the likelihood of ransom payments [2], foreign cyber adversaries are evolving their tactics by launching multiple ransomware attacks on vulnerable organizations and using a ‘ticking’ data destruction ‘time bomb’ [2]. In response, the FBI recommends maintaining multiple offline copies of highly secure, encrypted [2] [3] [4] [5] [7], and immutable backups [2] [3]. Immutable backups are essential to prevent encryption [2], deletion [1] [2] [3] [5] [6] [7] [8], or alteration of data during a ransomware attack and facilitate data and network restoration without paying a ransom [2].

To protect against these evolving tactics, organizations are advised to review third-party vendors’ security posture and implement application allowlisting (what the FBI calls “application listing”) policies so that only approved executables can run [3]. By doing so, they can better defend against the use of custom data theft and wiper tools. Additionally, organizations should ensure that their offline data backups are regularly updated and securely stored. These backups should be encrypted and immutable to prevent any unauthorized access or alteration. It is also important for organizations to monitor connections with third-party vendors, keep software up to date [1], follow password policy standards [1], implement multi-factor authentication [1], and review domain controllers [1], servers [1], and Active Directory for unrecognized accounts [1].
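The last recommendation above, reviewing domain controllers and Active Directory for unrecognized accounts, is the one a defender can turn into a repeatable check most directly. The following PowerShell script is an added example and is not code from the FBI advisory or from the articles it summarizes. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, and it uses a constructed list of approved account names (`$approved`) as a stand-in for the organization’s real change records. It lists user accounts created within a look-back window that are not on the approved list, and enumerates the current membership of the built-in high-privilege groups so it can be compared against an approved roster.

```powershell
# Added example (not from the FBI advisory): flag AD user accounts created recently that do
# not appear in the change record, and list privileged-group membership for review.
# Assumes the RSAT ActiveDirectory module and rights to read the directory.
param(
    [int]$Days = 14   # assumption: look-back window; align with the review cadence
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)

# Constructed example of an approved-accounts list; replace with the real change record
$approved = @('svc_backup', 'helpdesk01')

# User accounts created inside the look-back window, with their group membership flattened
$newUsers = Get-ADUser -Filter { whenCreated -ge $since } `
        -Properties whenCreated, LastLogonDate, Enabled, MemberOf |
    Select-Object SamAccountName, Enabled, whenCreated, LastLogonDate,
        @{ Name = 'Groups'
           Expression = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ';' } }

# Anything created recently that is not in the change record needs a human to look at it
$unrecognized = $newUsers | Where-Object { $approved -notcontains $_.SamAccountName }

# Current membership of the high-privilege groups, resolved recursively through nested groups
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ Name = 'Group'; Expression = { $g } }, SamAccountName, objectClass
}

"Accounts created in the last $Days days not found in the change record:"
$unrecognized | Format-Table -AutoSize

"Current privileged-group membership:"
$privMembers | Format-Table -AutoSize

# Keep a dated copy so that successive reviews can be diffed
$stamp = Get-Date -Format 'yyyyMMdd'
$unrecognized | Export-Csv -NoTypeInformation -Path ".\new-accounts-$stamp.csv"
$privMembers  | Export-Csv -NoTypeInformation -Path ".\priv-members-$stamp.csv"
```

Run it from an account with directory read rights, for example `.\Review-ADAccounts.ps1 -Days 7`. The CSV exports are there so that each review can be diffed against the previous one; an account that appears in the privileged-group list without a matching change record is exactly the kind of finding the advisory’s recommendation is meant to surface.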


The FBI’s warning highlights the increasing sophistication of ransomware attacks, with cybercriminals using multiple malware strains to encrypt entire systems in just two days [4]. This escalation poses a significant threat to organizations, as the shorter timeframe increases the potential for financial losses and subsequent extortion. The use of dual ransomware variants and custom data theft and wiper tools further complicates the situation. However, organizations can mitigate these risks by implementing the FBI’s recommended measures, such as maintaining secure backups and reviewing their security posture. It is crucial for organizations to stay vigilant, adapt their security strategies, and prioritize proactive measures to defend against evolving ransomware tactics.