The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a notice to all public and private sector organizations about the increased risk of ransomware attacks at times when offices are typically closed, such as long holiday weekends.
Although many employees will be taking a long weekend for Labor Day, this is a time when threat actors are typically very active. Minimal staffing during holidays and weekends makes it unlikely that their attacks will be noticed and stopped. CISA and the FBI said in the notice that they have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends, and gave several examples of threat actors conducting attacks on holiday weekends in the United States in 2021.
Recently, the Sodinokibi/REvil ransomware actors carried out an attack on the Kaseya remote monitoring and management tool over the Fourth of July 2021 holiday weekend. The attack affected countless organizations, including a number of managed service providers and their downstream customers.
During the Memorial Day weekend in May 2021, the same threat actors conducted a ransomware attack on JBS Foods, which affected the company’s food production facilities in the United States and forced all production to halt. JBS Foods paid the $11 million ransom to obtain the keys to decrypt its files and prevent the publication of data stolen in the attack.
Prior to the Mother’s Day weekend in May, the DarkSide ransomware gang conducted its attack on Colonial Pipeline, which resulted in the shutdown of the fuel pipeline serving the Eastern Seaboard for a week. Colonial Pipeline paid a $4.4 million ransom to speed up recovery from the attack.
The ransomware attackers responsible for the cyberattacks on Colonial Pipeline, Kaseya, and JBS Foods have shut down their operations; however, threat actors rarely remain inactive for long. It is common for them to re-emerge with a new ransomware operation after a period of apparent dormancy. There are also many other ransomware threat actors that are currently highly active and may try to exploit the absence of essential staff over the holiday weekend.
The ransomware actors associated with the Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos ransomware variants have all been active during the past month, and attacks involving those ransomware variants have generally been reported to the FBI within the last 4 weeks.
Although neither CISA nor the FBI has identified any specific threat intelligence indicating that ransomware or other cyberattacks will take place over the Labor Day weekend, based on the attack trends so far this year, there is a heightened risk of a serious cyberattack taking place.
Therefore, the FBI and CISA are advising security teams to be especially vigilant and to make sure that they are diligent in their network defense practices, conduct preemptive threat hunting on their systems, follow recommended cybersecurity and ransomware best practices, and use the recommended mitigations to reduce the risk of ransomware and other cyberattacks.
Those mitigations include:
- Make an offline backup copy of data and test backups to make certain it’s possible to recover data
- Do not click suspicious hyperlinks in emails
- Secure and monitor RDP connections
- Update operating systems and software and scan for vulnerabilities
- Use strong passwords
- Implement multi-factor authentication
- Secure networks by using segmentation, filtering traffic, and checking ports
- Secure user accounts
- Develop an incident response plan
The recommendations, mitigations, and resources are detailed in the notification, which is available at this link.