Mar 23, 2022

Want to Enjoy Your Holiday Weekend? Prepare for the Likely Cyberattacks First.

“The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States.”

These holiday cyberattacks have been observed as recently as the Fourth of July holiday in 2021. 

It is important to note, however, that the FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. They have shared information in this Joint Cybersecurity Advisory to raise awareness so companies can be especially diligent in their network defense practices in the run-up to this holiday weekend.


How to Prepare

Likewise, Gradient Cyber has been in the process of notifying, educating, and helping our customers properly prepare for the possibility of a major ransomware or other cyberattack. Along with the FBI and CISA, we encourage all entities “to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.”

The Joint Cybersecurity Advisory identifies both immediate and long-term actions organizations can take to protect against the rise in ransomware, including:


What to Look for Over the Weekend

Gradient Cyber recommends that companies conduct their own threat hunting, or have a Security Operations as a Service (SOCaaS) provider conduct threat hunting on their networks, searching for indicators or signs of threat actor activity so that attacks can be stopped before they occur or interrupted while they are in progress.

The Joint Cybersecurity Advisory notes that preparation is only the beginning: “Threat actors can be present on a victim network long before they lock-down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements of understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.”

Per this Security Affairs story, “Experts suggest focusing on: Understand the IT environment’s routine activity and architecture by establishing a baseline; review data logs; employ intrusion prevention systems and automated security alerting systems; and deploy honeytokens.

Some indicators of suspicious activity that organizations should look for include:

  • Unusual inbound and outbound network traffic,

  • Compromise of administrator privileges or escalation of the permissions on an account,

  • Theft of login and password credentials,

  • Substantial increase in database read volume,

  • Geographical irregularities in access and log in patterns,

  • Attempted user activity during anomalous logon times, 

  • Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and

  • Baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.”
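Several of the indicators above can be checked mechanically once a baseline of routine activity exists. The following added example (not code from the advisory or from Gradient Cyber) runs a small threat-hunting pass over constructed authentication log lines, flagging anomalous logon times during off-hours or the holiday weekend, geographic irregularities against each user's baseline, and escalation to administrator privileges. The log format, the business-hours window and the holiday dates are assumptions made for the example.

```python
# Added example (not from the advisory or Gradient Cyber): hunt constructed
# authentication logs for three of the indicators listed in the text.
from datetime import datetime, date

# Constructed sample log: "timestamp user source_country privilege_level"
SAMPLE_LOG = """\
2021-09-01T09:12:00 alice US user
2021-09-01T10:30:00 bob US user
2021-09-02T14:05:00 alice US user
2021-09-04T03:17:00 alice RU user
2021-09-05T02:40:00 bob US admin
"""
BUSINESS_HOURS = range(8, 18)   # assumed baseline window: 08:00-17:59 local time
HOLIDAY_WEEKEND = {date(2021, 9, 4), date(2021, 9, 5), date(2021, 9, 6)}  # Labor Day 2021

def parse(log_text):
    """Parse the space-separated sample format into (datetime, user, country, priv)."""
    events = []
    for line in log_text.splitlines():
        ts, user, country, priv = line.split()
        events.append((datetime.fromisoformat(ts), user, country, priv))
    return events

def build_baseline(events):
    """Per-user countries and privilege levels seen during normal business activity."""
    baseline = {}
    for ts, user, country, priv in events:
        if ts.date() not in HOLIDAY_WEEKEND and ts.hour in BUSINESS_HOURS:
            b = baseline.setdefault(user, {"countries": set(), "privs": set()})
            b["countries"].add(country)
            b["privs"].add(priv)
    return baseline

def hunt(log_text):
    """Return (timestamp, user, reason) tuples for every indicator match."""
    events = parse(log_text)
    baseline = build_baseline(events)
    findings = []
    for ts, user, country, priv in events:
        b = baseline.get(user, {"countries": set(), "privs": set()})
        if ts.date() in HOLIDAY_WEEKEND or ts.hour not in BUSINESS_HOURS:
            findings.append((ts, user, "anomalous logon time"))
        if country not in b["countries"]:
            findings.append((ts, user, "geographic irregularity: " + country))
        if priv == "admin" and "admin" not in b["privs"]:
            findings.append((ts, user, "privilege escalation to admin"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in hunt(SAMPLE_LOG):
        print(ts.isoformat(), user, reason)
```

A real deployment would replace the inline baseline with one learned from weeks of normal-hours telemetry and feed findings into the alerting system rather than printing them.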


Recent Cyberattacks to Learn From

Some recent, highly publicized cyberattacks serve as good case studies or history lessons, including the cyberattacks against Colonial Pipeline, JBS, and Kaseya.

The FBI and CISA shared a few examples of attacks orchestrated by ransomware gangs ahead of this weekend’s holiday:

  • In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.

  • In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.

  • In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.


Summary

We all want to enjoy our 3-day Labor Day weekend. But for many with IT and cybersecurity responsibilities, that might take some preparation. Take stock of the preparations above, and know who gets called over a holiday weekend, especially if many of your staff are off or away on holiday.


Sources

  • https://us-cert.cisa.gov/sites/default/files/publications/AA21-243A-Ransomware_Awareness_for_Holidays_and_Weekends.pdf

  • https://www.cisa.gov/sites/default/files/publications/Cyber Essentials Toolkit 5 20201015_508.pdf

  • https://us-cert.cisa.gov/ncas/tips/ST04-014

  • https://www.ic3.gov/Media/Y2018/PSA180927

  • https://us-cert.cisa.gov/ncas/tips/ST04-006

  • https://us-cert.cisa.gov/ncas/tips/ST04-002

  • https://us-cert.cisa.gov/ncas/tips/ST05-012

  • https://securityaffairs.co/wordpress/121709/cyber-crime/fbi-cisa-ransomware-holidays-weekends.html

  • https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

  • https://www.bbc.com/news/business-57423008

  • https://securityaffairs.co/wordpress/119759/cyber-crime/kaseya-attack-impacted-1500-businesses.html