Protect Your IT Assets from Ransomware Attacks This Labor Day Weekend: CISA, FBI

essidsolutions

Public holidays and weekends are proving to be the favorite time of cybercriminals to carry out ransomware attacks. This year, three ransomware attacks were carried out under the garb of festivities and relaxation. The FBI and CISA say organizations can’t afford to let their guard down on the upcoming Labor Day weekend.

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have taken it upon themselves to raise awareness of the increase in cybercriminal activity during the holidays. With Labor Day coming up on September 6, the two federal agencies have issued a joint advisory alerting organizations and individuals to remain vigilant and “especially diligent” in their network security efforts.

CISA and the FBI urged organizations not to slacken while employees are off enjoying the extended Labor Day weekend. The two agencies said they have “observed an increase in highly impactful ransomware attacks occurring on holidays and weekends — when offices are normally closed — in the United States,” citing the Fourth of July holiday this year.

The ransomware attack on the software supply chain of IT solutions vendor Kaseya was also carried out on the Fourth of July weekend, by the REvil gang. As it turns out, this particular attack impacted nearly 1,500 downstream organizations in 22 countries and is possibly one of the biggest, if not the biggest, ransomware attacks ever.

On the Memorial Day weekend this year, the REvil gang also targeted JBS Foods, the world’s largest processed meat supplier. JBS Foods is important to the United States since it meets almost a quarter of the processed meat demand in the country.

Just a few weeks earlier, the DarkSide ransomware gang had targeted Colonial Pipeline on the Mother’s Day weekend. Technically, Mother’s Day isn’t a holiday per se, but it goes to show that timing plays a highly critical role in carrying out such attacks. The reverberations of the Colonial Pipeline hack could be felt as far as the East Coast of the U.S. for the better part of a week.

Both CISA and the FBI clarified that they have no confirmation of an imminent threat on or over the Labor Day weekend. However, if past trends and attack timings serve as any indication, the upcoming weekend may turn out to be a hotbed of malicious cyber activity including ransomware attacks.

What You Should Know About Ransomware

The broader picture

Ransomware attacks in general are on the rise. The number of ransomware incidents in 2020 was 2,474, according to the FBI’s Internet Crime Complaint Center (IC3). This number already crossed the 2,000 mark in the first seven months of 2021. With 2,084 ransomware incidents between January and July 2021, we are already at over 84% of the total ransomware incidents noted in the whole of 2020.

Subsequently, IC3 also noted losses amounting to $16.8 million between January and July, a 20% rise year-over-year. Moreover, the average ransomware payment surged by 82% to a record-high $570,000 in the first half of 2021 as compared to 2020.

And these are just the reported ones. Many ransomware payouts, and even attacks, go unreported.


How are ransomware attacks carried out?

Phishing and brute force attacks against unsecured remote desktop protocol (RDP) endpoints are the two most popular attack vectors to gain a foothold in an organization’s network. Other methods include:

  • Deploying a dropper malware
  • Exploiting network, software or operating system vulnerabilities
  • Exploiting managed service providers that have access to customer networks
  • Using stolen credentials

Once in, cybercriminals evaluate the targets in terms of what they stand to lose, their capacity to fork out ransom demands, and, most importantly, the possibility of carrying out follow-up attacks. “Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments,” CISA and the FBI said.

Over the course of the last two years, ransomware gangs have also started incorporating data exfiltration into their modus operandi, in addition to encryption. This technique, originally pioneered by the now retired Maze ransomware gang, has become commonplace in the present-day cybersphere. Double extortion entails threats to publicly release sensitive, exfiltrated data to arm-twist victims into bending to demands.

The ransomware strains most frequently reported to the FBI are Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos.

“Ransomware continues to be a national security threat and a critical challenge, but it is not insurmountable,” said Eric Goldstein, executive assistant director for cybersecurity at CISA. Goldstein’s comment possibly has something to do with critical U.S. infrastructure being targeted in recent attacks.

He adds, “With our FBI partners, we continue to collaborate daily to ensure we provide timely, useful, and actionable advisories that help industry and government partners of all sizes adopt defensible network strategies and strengthen their resilience. All organizations must continue to be vigilant against this ongoing threat.”

What You Should Do to Thwart Ransomware

CISA recommends the following mitigation measures against ransomware:

  • Regularly back up your data offline
  • Refrain from clicking suspicious and even unknown links
  • Minimize the use of RDP and other risky services and continuously monitor when in use
  • Disable or block the Server Message Block (SMB) protocol
  • Perform vulnerability checks
  • Keep the software and OS updated
  • Use strong passwords and implement multi-factor authentication (MFA)
  • Limit exposure through network segmentation, traffic filtering, and port scanning

Most importantly, the FBI and CISA suggest that “organizations engage in preemptive threat hunting on their networks.” The notion is to detect and kill off the network infiltration before an attack can actually materialize.

As noted above, ransomware operators can infiltrate a network, move laterally, and search for the weakest link before launching an attack. They can do this covertly and go undetected for months. Case in point: the SolarWinds hackers, who are believed to have accessed the company’s network monitoring software through a backdoor. The hackers, widely believed to be APT29, remained undetected for months until the cyber-espionage operations were exposed.

So it is crucial to not only plan for incident response, but also to consistently monitor and hunt for threats inside the organizational network. Sometimes, weaknesses may stem not from the cybersecurity posture of systems and networks, but from people.
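The advisory’s call for continuous monitoring of RDP and preemptive threat hunting can be turned into a concrete, repeatable check. The script below is an added example written for this page; it is not code from CISA, the FBI, or the article. It scans a constructed, simplified Windows logon log (timestamp, event ID, logon type, user, source IP) and flags a source that produced a burst of failed logons (event 4625) over RDP (logon type 10) and then succeeded (event 4624) from the same address, which is the pattern an RDP brute-force foothold leaves behind. The log format, field order, threshold, and window are assumptions for the example; the IP addresses are documentation ranges.

```python
"""Threat-hunting check for RDP brute-force followed by a successful logon.

Added example for this article, not code from the CISA/FBI advisory.
Assumptions: one event per line as "timestamp event_id logon_type user src_ip";
Windows event 4625 = failed logon, 4624 = successful logon, logon type 10 =
RemoteInteractive (RDP). Threshold and window are tunable hunting parameters.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: five rapid RDP failures from 203.0.113.7, then a
# success; one failure from 198.51.100.20 (a typo, not an attack); a local logon.
SAMPLE_LOG = """\
2021-09-04T02:00:01 4625 10 admin 203.0.113.7
2021-09-04T02:00:03 4625 10 administrator 203.0.113.7
2021-09-04T02:00:05 4625 10 jsmith 203.0.113.7
2021-09-04T02:00:08 4625 10 backup 203.0.113.7
2021-09-04T02:00:12 4625 10 svc_sql 203.0.113.7
2021-09-04T02:01:30 4624 10 svc_sql 203.0.113.7
2021-09-04T08:15:00 4625 10 jsmith 198.51.100.20
2021-09-04T08:15:40 4624 10 jsmith 198.51.100.20
2021-09-04T09:00:00 4624 2 alice 127.0.0.1
"""

FAIL_THRESHOLD = 5             # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window
RDP_LOGON_TYPE = "10"          # RemoteInteractive


def parse_log(text):
    """Parse the simplified log format into a list of event dicts (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src_ip: time_threshold_was_reached} for sources with at least
    `threshold` failed RDP logons inside any `window`-long interval."""
    recent_fails = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["event_id"] != "4625" or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent_fails[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # age out old failures
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


def find_successes_after_bruteforce(events, flagged):
    """Return (src_ip, user, timestamp) for every successful RDP logon from a
    flagged source at or after the moment it was flagged."""
    hits = []
    for ev in events:
        if (ev["event_id"] == "4624" and ev["logon_type"] == RDP_LOGON_TYPE
                and ev["src"] in flagged and ev["ts"] >= flagged[ev["src"]]):
            hits.append((ev["src"], ev["user"], ev["ts"]))
    return hits


def hunt(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Run the full check over raw log text; returns (flagged_sources, hits)."""
    events = parse_log(text)
    flagged = find_bruteforce_sources(events, threshold, window)
    return flagged, find_successes_after_bruteforce(events, flagged)


if __name__ == "__main__":
    flagged, hits = hunt(SAMPLE_LOG)
    for src, when in flagged.items():
        print(f"brute-force pattern from {src} at {when.isoformat()}")
    for src, user, when in hits:
        print(f"ALERT: successful RDP logon as {user} from {src} at {when.isoformat()}")
```

On the sample log only 203.0.113.7 is flagged, and the later successful logon as svc_sql from that address becomes the alert; the single failure from 198.51.100.20 stays below the threshold. Feeding this the real 4625/4624 events from a domain controller or a SIEM export, on a schedule that runs over the weekend as well, is the kind of continuous RDP monitoring the mitigation list asks for.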

Vishal Salvi, CISO at IT consulting company Infosys, told Toolbox, “One of the biggest reasons why several ransomware activities have successfully compromised security is because they target the weakest link – people. Through several phishing campaigns, they easily breach security of systems and networks simply because of lack of awareness among the employees.”

Wrapping Up

Additionally, ransomware attacks aren’t going away anytime soon. Ransomware as an attack vector is now a matter of global geopolitics, as the July summit between POTUS Joe Biden and Russian president Vladimir Putin indicates. Interpol even called on police agencies from around the world to band together to keep tabs on, and ultimately obstruct, the emergence of a ransomware pandemic.

Until they do, organizations need to buck up. Clearly, the approach to organizational security cannot be a one-off event, especially in the face of a heightened threat environment. Maintaining top-notch cybersecurity hygiene means binding the disjointed pieces together under a thriving cybersecurity culture, so that even if an attack does take place, its impact can be minimized.
