FBI & CISA Warn of Greater Risk of Ransomware Attacks over Labor Day Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert to all public and private sector institutions regarding the elevated risk of ransomware attacks during times when offices are usually closed, such as long holiday weekends.

Although many employees will be taking a long weekend break for Labor Day, this is a period when threat actors are generally very active. Reduced staffing during holidays and weekends makes it less likely that their attacks will be detected and stopped. CISA and the FBI said in the alert that they have seen a rise in highly impactful ransomware attacks occurring on holidays and weekends, and cited several cases of threat actors conducting attacks during holiday breaks in the United States in 2021.

Most recently, the Sodinokibi/REvil ransomware actors carried out an attack on the Kaseya remote monitoring and management tool during the Fourth of July 2021 weekend. The attack affected many companies, including countless managed service providers and their downstream clients.

Over the Memorial Day weekend in May 2021, the same attackers conducted a ransomware attack on JBS Foods that affected the firm’s food production facilities in the United States and stopped all production. JBS Foods paid the $11 million ransom demand to obtain the keys for decrypting files and to avoid the exposure of information stolen during the attack.

Before the Mother’s Day weekend in May, the DarkSide ransomware gang attacked Colonial Pipeline, forcing the shutdown of the fuel pipeline serving the Eastern Seaboard for one week. Colonial Pipeline paid a $4.4 million ransom to speed up recovery from the attack.

The ransomware threat actors associated with the attacks on Colonial Pipeline, JBS Foods, and Kaseya have stopped their operations; however, threat actors seldom stay inactive for very long. It is typical for them to reappear with a new ransomware campaign after a period of apparent inactivity. There are also numerous other ransomware operators that are currently very active and may attempt to take advantage of the absence of key employees over the holiday break.

The ransomware operators responsible for the Conti, LockBit, PYSA, RansomEXX/Defray777, Zeppelin, and Crysis/Phobos/Dharma ransomware variants were all active throughout the last month, and attacks involving those variants have frequently been reported to the FBI in the last 4 weeks.

Though neither CISA nor the FBI has found any specific threat intelligence to suggest that ransomware or another cyberattack will happen over the Labor Day weekend, based on attack trends so far in 2021, there is a greater risk of a major cyberattack taking place.

As a result, the FBI and CISA are advising security teams to be particularly vigilant, to be thorough in their network defense routines, to engage in preemptive threat hunting on their sites, to follow recommended cybersecurity and ransomware guidelines, and to implement the proposed mitigations to minimize the risk of ransomware attacks and other cyberattacks.

Those mitigations consist of:

  • Create offline backup copies of files and test the backups to make certain that information can be restored
  • Do not click suspicious links in email messages
  • Protect and monitor RDP connections
  • Update operating systems and software applications and scan for vulnerabilities
  • Use strong passwords
  • Use multi-factor authentication
  • Protect networks by employing segmentation, blocking traffic, and scanning ports
  • Safeguard user accounts
  • Create an incident response plan

Suggested guidelines, mitigations, and information are detailed in the advisory, which is accessible on this page.