Threat actors have recently used long holiday weekends, when many staff are taking time off, as a prime opportunity to ambush organisations.
Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t, which means organisations should remain particularly vigilant about the potential for ransomware attacks, the federal government has warned.
Referencing precedents, the FBI & CISA put out a joint cyber-security advisory (PDF) on Tuesday noting that ransomware actors often ambush organisations on holidays & weekends when offices are normally closed, making the upcoming 3-day weekend a prime opportunity for threat activity.
While the agencies stated they haven’t discovered “any specific threat reporting indicating a cyber-attack will occur over the upcoming US Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry, given that some major cyber-attacks have occurred over holidays & weekends during the past few months.
Attackers have recently taken advantage of the fact that many organisations extend holiday weekends to 4 days or more, leaving a skeleton crew behind to oversee IT & network infrastructure & security, security professionals observed.
“Modern cyber criminals use some pretty sneaky tactics to maximise the damage & collect the most money per attack,” noted Erich Kron, Security Awareness Advocate at security firm KnowBe4, in an e-mail.
Because organisations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he explained.
That’s mainly because the absence of key personnel makes it less likely that targeted organisations can quickly detect & contain attacks once launched, observed Chris Clements, VP of Solutions Architecture at security firm Cerberus Sentinel.
“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he outlined.
Because of this vulnerability & increased exposure to attacks, FBI & CISA are encouraging organisations “to examine their current cyber-security posture & implement the recommended best practices & mitigations to manage the risk posed by all cyber threats, including ransomware,” according to the advisory.
The agencies listed a number of attacks that occurred over holiday weekends in the last several months as reason for concern. The now-infamous Colonial Pipeline attack by the now-defunct ransomware group DarkSide, which shut down the fuel pipeline & disrupted supply along the US East Coast, occurred in the lead-up to US Mother’s Day weekend, the agencies observed.
US Memorial Day
Then later in May, over the US Memorial Day weekend, the REvil ransomware group targeted the world’s largest meat processor, JBS Foods, forcing the shutdown of some operations in both the US & Australia & causing disruption in the global food supply chain. Like DarkSide, REvil has since closed up shop.
Another major ransomware attack by REvil occurred over the US 4th of July holiday weekend, this time exploiting zero-day vulnerabilities in the Kaseya Virtual System Administrator (VSA) platform. The massive supply-chain attack affected numerous software-as-a-service (SaaS) & on-premises Kaseya customers that use the system, & the mess it created is still being cleaned up.
Though the 2 ransomware groups that launched these previous attacks are now gone, there are still plenty that are active, the agencies warned.
The FBI’s Internet Crime Complaint Centre (IC3), which logs cyber incident complaints for various types of Internet crime, said attacks from the following ransomware variants have been the most frequently reported to the FBI over the last month: Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin & Crysis/Dharma/Phobos.
Just this week researchers at Sophos also reported on the emergence of yet another ransomware, LockFile, which uses a never-before-seen type of “intermittent” encryption tactic to evade detection.
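To show why “intermittent” encryption is a detection-evasion tactic rather than a cosmetic choice, here is an added illustration, not code from the article, from Sophos, or from LockFile itself. It assumes a toy scheme that encrypts every other 16-byte block of a file (the alternation unit is an assumption for the demo) and stands in cipher output with SHA-256 in counter mode, then runs a naive whole-file entropy detector of the kind some anti-ransomware tooling uses, alongside a cheaper printable-byte check that still catches the partially encrypted file:

```python
"""Whole-file entropy: why a file encrypted only in alternating blocks slips past a naive entropy check."""
import hashlib
import math
from collections import Counter

CHUNK = 16            # assumed: encrypt/skip alternation unit for this demo (not LockFile's real parameters)
HIGH_ENTROPY = 7.5    # assumed: bits/byte above which a naive detector flags a file as encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte histogram (max 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(length: int, seed: bytes = b"demo-key") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) standing in for real cipher output."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_full(data: bytes) -> bytes:
    """XOR every byte with the keystream: the whole file becomes high-entropy."""
    return bytes(a ^ b for a, b in zip(data, keystream(len(data))))


def encrypt_intermittent(data: bytes, chunk: int = CHUNK) -> bytes:
    """XOR only every other `chunk`-byte block; the blocks in between stay plaintext."""
    ks = keystream(len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * chunk):
        for i in range(start, min(start + chunk, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def looks_encrypted(data: bytes) -> bool:
    """Naive detector: flag the file only if its overall entropy is near 8 bits/byte."""
    return shannon_entropy(data) >= HIGH_ENTROPY


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII/whitespace; an intact text document sits at 0."""
    bad = sum(1 for b in data if not (32 <= b < 127 or b in (9, 10, 13)))
    return bad / len(data)


# Constructed low-entropy "document" (repeated English text), not a real file from any victim.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 100


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT),
                        ("fully encrypted", encrypt_full(PLAINTEXT)),
                        ("intermittently encrypted", encrypt_intermittent(PLAINTEXT))):
        print(f"{label:26s} entropy={shannon_entropy(blob):.2f} "
              f"flagged={looks_encrypted(blob)} nonprintable={nonprintable_ratio(blob):.2f}")
```

The fully encrypted copy scores close to 8 bits/byte and is flagged; the intermittently encrypted copy, being half plaintext, lands well under the threshold and is not, even though the document is already unusable. The non-printable-byte ratio shows one signal that still separates it from the untouched original, which is the kind of complementary check worth having if whole-file entropy is the only thing a detector looks at.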
Because threat actors often ‘stake out’ victims and maintain a presence on a target network before the attack occurs, the FBI & CISA advise that one way organisations can mitigate attacks is to engage in “pre-emptive threat hunting.”
“Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimise damage in the event of a successful attack,” the agencies concluded in their advisory.
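As an added example of what a pre-emptive hunt can look like in practice, the script below is not part of the advisory or the article. It runs a few hypotheses over a handful of constructed log lines (the format, hosts, users and thresholds are all assumptions for the demo): remote interactive logons during off-hours, creation of scheduled tasks or services outside the staffed window, and single large outbound transfers, which are the kinds of staging activity the advisory says precede holiday-weekend ransomware deployment.

```python
"""Hunt constructed log lines for pre-ransomware staging activity around a holiday weekend."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, time

HOLIDAYS = {date(2021, 9, 6)}                # assumed: US Labor Day 2021 (Monday)
STAFFED_START, STAFFED_END = time(7, 0), time(19, 0)   # assumed: hours when a full team is on shift
EXFIL_BYTES = 1 << 30                        # assumed: one outbound event moving >= 1 GiB is worth a look
PERSISTENCE_EVENTS = {"SCHTASK_CREATE", "SERVICE_INSTALL"}

# Constructed sample log, not real telemetry. Assumed format:
#   ISO timestamp | host | event | user | key=value detail
SAMPLE_LOG = """\
2021-09-03T15:42:10 | ws-117 | LOGON | alice | type=interactive
2021-09-04T02:13:55 | dc-01 | LOGON | svc_backup | type=remote_interactive
2021-09-04T02:15:02 | dc-01 | SCHTASK_CREATE | svc_backup | name=Updater path=C:\\Users\\Public\\u.exe
2021-09-04T02:40:31 | fs-02 | NET_OUT | svc_backup | bytes=7340032000 dst=198.51.100.23
2021-09-07T09:05:12 | ws-117 | LOGON | alice | type=interactive
"""


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    user: str
    detail: dict[str, str]


def parse_line(line: str) -> Event:
    """Split one pipe-delimited log line into an Event; detail becomes a key=value dict."""
    ts, host, kind, user, detail = [p.strip() for p in line.split("|", 4)]
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return Event(datetime.fromisoformat(ts), host, kind, user, fields)


def off_hours(ts: datetime) -> bool:
    """True on weekends, on listed holidays, or outside the assumed staffed window."""
    if ts.weekday() >= 5 or ts.date() in HOLIDAYS:
        return True
    return not (STAFFED_START <= ts.time() < STAFFED_END)


def hunt(log_text: str) -> list[tuple[datetime, str, str]]:
    """Apply the three hunt hypotheses and return (timestamp, host, description) findings in log order."""
    findings: list[tuple[datetime, str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.kind == "LOGON" and ev.detail.get("type") == "remote_interactive" and off_hours(ev.ts):
            findings.append((ev.ts, ev.host, f"off-hours remote interactive logon by {ev.user}"))
        elif ev.kind in PERSISTENCE_EVENTS and off_hours(ev.ts):
            name = ev.detail.get("name", "?")
            findings.append((ev.ts, ev.host, f"off-hours persistence: {ev.kind} '{name}' by {ev.user}"))
        elif ev.kind == "NET_OUT" and int(ev.detail.get("bytes", "0")) >= EXFIL_BYTES:
            dst = ev.detail.get("dst", "?")
            findings.append((ev.ts, ev.host, f"bulk outbound transfer of {ev.detail['bytes']} bytes to {dst} by {ev.user}"))
    return findings


if __name__ == "__main__":
    for ts, host, what in hunt(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {host:8s}  {what}")
```

Against the sample, the Friday-afternoon and Tuesday-morning logons are ignored, while the 02:13 Saturday remote logon, the scheduled task created two minutes later from a user-writable path, and the multi-gigabyte transfer to an external address all surface as findings. Real hunts would pull these from an EDR or SIEM rather than a text blob, but the shape is the same: decide what staging looks like in your environment, then go looking for it before the long weekend rather than after.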