The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States as recently as the Fourth of July holiday in 2021.
The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming U.S. Labor Day holiday. However, the two agencies took the opportunity before the holiday weekend to release a statement aimed at sharing information and providing awareness about the need for extra diligence in network defense practices.
“The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware,” the statement said.
No Rest for the Wicked
Cybercriminals may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses.
“Long, holiday weekends represent an opening for cybercriminals to take advantage of a thinner workforce and people not paying as much attention to their responsibilities at work,” explained Hank Schless, senior manager of security solutions at Lookout, an endpoint-to-cloud security company.
He pointed out that IT and security teams are some of the hardest-working individuals in any organization, which means they deserve a break over long weekends.
“Nevertheless, this means that there are going to be fewer people on call who can immediately respond to security alerts,” he said. “People also may be traveling and not able to access their work computer or mobile device to help stop an attack once they receive an alert of suspicious activity.”
Schless also noted attackers have already become much more advanced in how they gain entry to an organization’s infrastructure—even when teams are fully staffed and working.
“Phishing has become such a widespread issue, especially on mobile devices, that attacks prioritize that strategy to compromise employee accounts and enter the infrastructure unnoticed,” he said.
Once malicious actors have access to credentials, they can move laterally around the infrastructure across SaaS, IaaS and private apps until they find where the “crown jewels” are hidden.
“Without the right user, device and data monitoring solutions in place, a team could miss telltale signs of a compromised account,” he warned. “These signs range from anomalous logins to accessing and exfiltrating compliance-related data.”
A Head Start on the Weekend
In some cases, the strike-on-a-weekend attack tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.
For example, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the energy sector, leading into Mother’s Day weekend, resulting in a week-long suspension of operations.
During this year’s Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked Kaseya, a U.S.-based critical infrastructure entity in the IT sector and took down their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.
Platforms Offer Better Protection
Schless noted teams may be more reliant on automated processes and policies during these stretches when fewer people are working.
“With so many point security solutions, teams could run into operational hiccups where the right alerts don’t end up getting to the right people,” he said. “This is why taking a platform approach to securing your infrastructure is so advantageous. Being able to monitor how your users, devices and data all interact with each other is key to protecting yourself against advanced cyberattacks like ransomware.”
In addition, a platform that enables you to implement dynamic data access, encryption and security policies across all users and devices is a key part of any modern security strategy.
Bill O’Neill, vice president of public sector at ThycoticCentrify, a provider of cloud identity security solutions, also pointed out most of these attacks happen during the holidays, as foreign malicious actors naturally see that IT and security teams at a target organization are either out-of-office or significantly understaffed.
Like Schless, he noted that even though threats will be monitored, trigger automatic alerts and enforce certain lockdowns, those often still require human action for mitigation and additional security controls.
“Because most businesses would prefer to have their data released immediately rather than wait out the duration of a holiday weekend, they’re also more likely to negotiate with attackers and pay the ransom to lessen the long-term risks associated with these attacks,” he said.
With the number of ransomware incidents on the rise—and complaints about all types of internet crime hitting record levels, according to the FBI’s Internet Crime Complaint Center (IC3)—the destructive impact of ransomware continues to evolve beyond encryption of IT assets. Especially on holiday weekends.