Share this article on:
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning to all public and private sector organizations about the increased risk of ransomware attacks at times when offices are normally closed, such as long holiday weekends.
While many employees will be having a long weekend due to Labor Day, this is a time when threat actors are usually highly active. The low staff numbers during holidays and weekends make it less likely that their attacks will be detected and blocked. The CISA and the FBI explained in the warning that they have observed an increase in “highly impactful ransomware attacks occurring on holidays and weekends,” and provided multiple examples of threat actors conducting attacks over holiday weekends in the United States in 2021.
Most recently, the Sodinokibi/REvil ransomware actors conducted an attack on the Kaseya remote monitoring and management tool over the Fourth of July 2021 holiday weekend. The attack affected hundreds of organizations including many managed service providers and their downstream customers.
In May 2021, during the Memorial Day weekend, the same threat actors conducted a ransomware attack on JBS Foods, which affected the company’s food production facilities in the United States, causing all production to stop. JBS Foods paid the $11 million ransom for the keys to decrypt files and prevent the release of data stolen in the attack.
Prior to that, over the Mother’s Day weekend in May, the DarkSide ransomware gang conducted its attack on Colonial Pipeline, which resulted in the fuel pipeline serving the Eastern Seaboard being shut down for a week. Colonial Pipeline paid a $4.4 million ransom payment to accelerate recovery from the attack.
The ransomware threat actors behind the cyberattacks on Kaseya, Colonial Pipeline, and JBS Foods have shut down their operations, but threat actors rarely remain inactive for long. It is common for them to remerge with a new ransomware operation after a period of apparent dormancy. There are also many other ransomware threat actors that are currently highly active that may try to take advantage of the absence of key staff over the holiday weekend.
The ransomware actors behind the Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos ransomware variants have all been active over the course of the past month and attacks involving those ransomware variants have frequently been reported to the FBI over the past 4 weeks.
While neither CISA nor the FBI have discovered any specific threat intelligence to indicate a ransomware or other cyberattack will occur over the Labor Day weekend, based on the attack trends so far this year, there is an increased risk of a major cyberattack occurring.
Consequently, the FBI and CISA are advising security teams to be especially vigilant in the run up to the Labor Day weekend, and to ensure that they are diligent in their network defense practices, engage in preemptive threat hunting on their networks, follow recommended cybersecurity and ransomware best practices, and implement the recommended mitigations to reduce the risk of ransomware and other cyberattacks.
Those mitigations include:
- Make an offline backup copy of data and testing backups to ensure data recovery is possible
- Not clicking on suspicious links in emails
- Secure and monitor RDP connections
- Update operating systems and software and scan for vulnerabilities
- Ensure strong passwords are set
- Ensure multi-factor authentication is implemented
- Secure networks by implementing segmentation, filtering traffic, and scanning ports
- Secure user accounts
- Ensure an incident response plan is developed
Recommended best practices, mitigations, and resources are detailed in the alert, which can be found on this link.