2. Why This Attack Method?
Malicious actors are finding it more difficult to break into enterprise networks. As IT managers and vendors get better at blocking attacks, cybercriminals must leverage a smaller number of successful break-ins to ensure that they can hold an organization for ransom. Breaking in is the hard part; the ransomware piece is now a commodity available from more than a half-dozen dark-web vendors. It’s therefore worth it to criminals to make sure that, once they’re in, they can take control, maintain it and maximize their chances of a high payoff. Combining multiple tools with both data encryption and exfiltration techniques, dual ransomware attacks are twice as hard to defeat.
3. Why Is This a Big Deal for Healthcare IT?
Healthcare is one of the most vulnerable industries when it comes to ransomware. Either an encryption attack that locks up important patient data or an exfiltration attack that risks exposing patient health information can cause a lot of damage. Having both occur at the same time is a gut punch when a cybercriminal comes calling.
4. What Defense Tactics Should Be Used?
When healthcare IT teams respond to an attack, they must remember that multiple tools are likely being deployed. Once you find one “wormsign,” keep looking, because there are probably more. If you catch an attack early but don’t manage to close the attackers’ path into your network, you may also find new ransomware being deployed while you are cleaning up.
Other standard advice still applies, such as keeping offline, encrypted and immutable backups; tightly restricting remote application access; and having a recovery plan for what to do when criminals damage data or shut down networks.
5. How Can Healthcare IT Protect Itself?
Healthcare networks and applications have an especially high level of third-party interactions: billing companies, lab vendors, imaging service providers and so on. Many recent exfiltration attacks in healthcare have come via these third parties, so IT managers should run regular reviews of the security posture of their vendors. They should also actively limit the breadth of data access granted to each third party. Where possible, rate limits should be put in place to reduce the damage if a vendor is compromised.
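As an added illustration of the last two recommendations (example code written for this page, not code from the article or from any product), here is a small gateway placed in front of third-party data access that enforces a narrow per-vendor scope and a sliding-window rate limit, so a compromised vendor account is throttled and flagged instead of being allowed to bulk-read patient records. The vendor name, scopes and limits in the demo are constructed.

```python
import time
from collections import deque
from dataclasses import dataclass, field


@dataclass
class VendorPolicy:
    allowed_scopes: frozenset          # data sets this vendor may read (least privilege)
    max_records: int                   # records allowed per sliding window
    window_seconds: float
    reads: deque = field(default_factory=deque)  # (timestamp, n_records) of allowed reads


class ThirdPartyGateway:
    def __init__(self, policies, clock=time.monotonic):
        self.policies = policies       # vendor id -> VendorPolicy
        self.clock = clock             # injectable clock, so tests are deterministic
        self.alerts = []               # events the security team should review

    def authorize(self, vendor, scope, n_records=1):
        # Returns "allow" or "deny:<reason>" for one read request.
        policy = self.policies.get(vendor)
        if policy is None:
            return "deny:unknown_vendor"
        if scope not in policy.allowed_scopes:
            # A known vendor asking for data outside its contract is a compromise signal.
            self.alerts.append(f"{vendor} requested scope {scope} outside policy")
            return "deny:scope"
        now = self.clock()
        # Expire reads that have fallen out of the sliding window.
        while policy.reads and now - policy.reads[0][0] > policy.window_seconds:
            policy.reads.popleft()
        used = sum(n for _, n in policy.reads)
        if used + n_records > policy.max_records:
            # Bulk pulls far above the vendor's normal volume are capped and flagged.
            self.alerts.append(f"{vendor} exceeded {policy.max_records} records/"
                               f"{policy.window_seconds:g}s on scope {scope}")
            return "deny:rate_limit"
        policy.reads.append((now, n_records))
        return "allow"


def demo():
    # Constructed scenario: a billing vendor allowed 100 claim records per minute.
    t = [0.0]                          # fake clock controlled by the demo
    gw = ThirdPartyGateway({"billing-co": VendorPolicy(frozenset({"claims"}), 100, 60.0)},
                           clock=lambda: t[0])
    results = [gw.authorize("billing-co", "claims", 40)]       # normal batch
    results.append(gw.authorize("billing-co", "imaging", 1))   # outside its scope
    results.append(gw.authorize("billing-co", "claims", 500))  # bulk pull, throttled
    t[0] = 61.0                        # a minute later the budget has reset
    results.append(gw.authorize("billing-co", "claims", 40))
    return results, gw.alerts
```

Calling `demo()` yields `["allow", "deny:scope", "deny:rate_limit", "allow"]` and two alert entries for the security team.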
Editor's note: This article was originally published on April 1, 2024.