CISA Warns of Holiday Ransomware AttacksBefore Labor Day, Agency Cites Recent Attacks Centered on Holiday Weekends
Citing damaging ransomware attacks that it, along with the FBI, has observed over recent holidays, the Cybersecurity and Infrastructure Security Agency issued an alert warning organizations to be prepared as the Labor Day holiday nears.
CISA states there's no threat intelligence signaling an attack is imminent, but it notes that ransomware attacks with high impact have occurred on holidays and weekends over the last several months. The most recent took place during the Independence Day holiday, when REvil, aka Sodinokibi, attacked the managed service provider Kaseya's VSA remote management software platform.
In the runup to any holiday period during which a company will be closed or operating with reduced staff, CISA and the FBI recommend organizations continuously and actively monitor for ransomware threats.
"Additionally, the FBI and CISA recommend identifying IT security employees to be available and 'on call' during these times, in the event of a ransomware attack. The FBI and CISA also suggest applying the following network best practices to reduce the risk and impact of compromise," CISA says.
"Attackers view holidays and weekends - especially holiday weekends - as attractive timeframes in which to target potential victims, including small and large businesses," CISA says.
"In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time," the agency says.
Tim Wade, former security and technical manager for the U.S. Air Force and the technical director at security company Vectra AI, notes: "With fewer staff plugged in over a long weekend, the risk of accidental discovery to an adversary is likely going to be diminished, particularly among organizations that have an overreliance on preventative security and haven't fully funded operational security activities that detect and hunt malicious behaviors."
CISA suggests organizations consider the risk of a possible disruption to backup processes during weekends or holidays.
Jake Williams, formerly of the National Security Agency's elite hacking team and currently CTO at BreachQuest, notes that most ransomware attacks can be easily discovered before encryption takes place by following the guidance from CISA and taking a few preventive steps.
"This is especially true for reviewing logs. Threat actors could certainly perform lateral movement while staying out of logs, but with the plethora of potential victims with horrible cyber hygiene, there's currently no need to do so," he says. "Extremely basic levels of cybersecurity hygiene and monitoring are enough to achieve early detection of today's ransomware adversaries."
Bill O'Neill, vice president of public sector at the cloud security firm ThycoticCentrify, points out that timing an attack to occur over a long weekend could have one of two outcomes. The victim could refuse to pay the ransom and let the attacker publicly release any stolen data over the holiday weekend, to limit reputational damage.
Conversely, the victim could opt to pay the ransom for the same reason - to have the attack made public before people return to work and start paying attention to the news, he says.
In addition to the July 4 Kaseya attack, CISA cited the DarkSide ransomware gang's attack on Colonial Pipeline Co., which led the company to shut down fuel shipments to much of the East Coast.
A few weeks later, over the Memorial Day weekend, the Brazilian-based meat processor JBS was hit by a REvil ransomware attack affecting U.S. and Australian meat production facilities and resulting in a complete production stoppage.