Ransomware gangs destroying data, using multiple strains during attacks: FBI

Jonathan Greig

30 Sept 2023

Ransomware gangs are shifting their tactics to include multiple strains in the same attack and destructive tools beyond encryption or theft, the FBI warned this week.

Gangs are increasingly using “custom data theft, wiper tools, and malware to pressure victims to negotiate,” a white notice published Wednesday said.


“In some cases, new code was added to known data theft tools to prevent detection. In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.”


The FBI explained that as of July they are also seeing several groups using a combination of two ransomware strains during attacks.


The AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal variants have been deployed alongside one another during incidents, making defense difficult for teams that are preparing for only one or the other.


“This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities,” they said.


Emsisoft has seen the REvil, Netwalker, MedusaLocker and GlobeImposter strains being used in these kinds of attacks.


Destructive wipers have been observed widely in ransomware attacks deployed in the context of war or geopolitical conflict. Russian hackers have used wipers extensively against Ukrainian systems and Iranian actors have used the tools in attacks on both companies and other countries. Wiper malware was also used in an attack that paralyzed Iran's national railway system.

