Ransomware Attacks Happening More on Holidays and Weekends
FBI and CISA Are Urging Organizations to Make Sure They Have Good Defense Capabilities in Place.
FBI and CISA are urging the organizations to not let down their defenses against ransomware attacks as they’ve noticed an increase in attacks during the weekends or holidays.
The federal agencies FBI and CISA “observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021.”
The two federal agencies do not have any intel regarding future possible attacks but they urge companies to be on the lookout as the previous attacks against large companies like Colonial Pipeline, JBS, and Kaseya happened during the weekend.
This is a very concerning tactic as JBS ended up paying an $11 million ransom to the REvil ransomware gang after the Memorial Day weekend attack and Colonial Pipeline paid $4.4 million ransom to the DarkSide group.
In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting US and Australian meat production facilities, resulting in a complete production stoppage.
In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.
CISA Is Able to Provide Help
According to the joint advisory, the most active ransomware groups at this moment are Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos.
Although cyber criminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints.
CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats.
By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors.
In order to be better protected and able to block any future attacks, organizations should make sure they have taken specific actions to protect their systems, like:
- Having an offline backup of the data.
- Educating their staff to not access any suspicious links.
- Securing and monitoring all endpoints.
- Updating regularly any OS and software used in the company.
- Using strong passwords.
- Using multi-factor authentication.