CISA and the FBI released an advisory warning of potential cyberattacks that may occur over the coming Labor Day weekend, noting that in recent years hackers have launched dozens of devastating attacks on long weekends.
They urged organizations to take steps to secure their systems, reduce their exposure and potentially “engage in preemptive threat hunting on their networks to search for signs of threat actors.”
CISA said it does not have specific threat intelligence indicating attacks are imminent for the coming Labor Day weekend, but explained that threat actors know IT teams are limited on holiday weekends and listed many attacks on holidays this year.
Eric Goldstein, executive assistant director for Cybersecurity at CISA, said ransomware “continues to be a national security threat” but noted that the challenges presented by potential attacks are “not insurmountable.”
“With our FBI partners, we continue to collaborate daily to ensure we provide timely, useful and actionable advisories that help industry and government partners of all sizes adopt defensible network strategies and strengthen their resilience,” Goldstein said. “All organizations must continue to be vigilant against this ongoing threat.”
He urged organizations not to pay ransoms in the event of a ransomware attack and said CISA or local FBI field offices should be contacted before any decisions are made.
CISA noted that there is generally an increase in “highly impactful ransomware attacks” that occur on holidays and weekends, noting the devastating Kaseya attack that took place on July 4.
They cited the Mother’s Day weekend attack in May by the DarkSide ransomware group on Colonial Pipeline and the Memorial Day weekend attack on major meat processor JBS by the Sodinokibi/REvil ransomware group. REvil then hit Kaseya on July 4, continuing the holiday attack trend.
“The FBI’s Internet Crime Complaint Center, which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints about all types of internet crime — a record number — from the American public in 2020, with reported losses exceeding $4.1 billion,” the advisory said.
“This represents a 69% increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2474 incidents reported in 2020, representing a 20% increase in the number of incidents and a 225% increase in ransom demands. From January to July 31, 2021, the IC3 has received 2084 ransomware complaints with over $16.8M in losses, a 62% increase in reporting and a 20% increase in reported losses compared to the same time frame; in 2020.”
The FBI added that over the last month, the most frequently reported attacks involved ransomware groups like Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin and Crysis/Dharma/Phobos.
According to the notice, more ransomware groups are also coupling the encryption of IT assets with the secondary extortion of organizations with stolen sensitive or proprietary data. CISA added that ransomware groups are increasingly deleting backups and adding other tactics to make attacks more devastating.
The most common initial access vectors involve phishing and brute-forcing unsecured remote desktop protocol endpoints, according to CISA. Ransomware gangs are also using dropper malware, exploiting vulnerabilities and taking advantage of stolen credentials.
At times, ransomware actors spend weeks inside a system before launching an attack — typically on weekends or holidays — so CISA urged IT leaders to search their systems for potential points of access proactively. Suspicious traffic patterns and strange access locations may help tip-off IT teams of the potential for an attack, CISA noted.
IT leaders, like ThycoticCentrify vice president Bill O’Neill, said malicious actors often know that long weekends mean there will be a delayed response or an unprepared ‘skeleton crew’ that simply doesn’t have the resources to monitor for simultaneously and deter threats fast enough.
“Or threats will be monitored, trigger automatic alerts, and enforce certain lockdowns, but often those still require human action for mitigation and additional security controls,” O’Neill said.
“And because most organizations would prefer to have their data released immediately rather than wait out the duration of a holiday weekend (and incur continued reputational damage), they’re also more likely to negotiate with attackers and pay out the requested ransom to minimize long term risks associated with these attacks.”
Lookout senior manager Hank Schless added that hackers know people may be traveling and not able to access their work computer or mobile device in order to help stop an attack once they receive an alert of suspicious activity.
Attackers have already become much more advanced in how they gain entry to an organization’s infrastructure — even when teams are fully staffed up and working, Schless told ZDNet.
Jake Williams, CTO at BreachQuest, explained that most ransomware attacks seen today could be easily discovered before encryption by following the guidance from CISA.
“This is especially true for reviewing logs. Threat actors could certainly perform lateral movement while staying out of logs. Still, with the plethora of potential victims with horrible cyber hygiene, there’s currently no need to do so,” Williams said, adding that extremely basic levels of cybersecurity hygiene and monitoring are enough to achieve early detection of today’s ransomware adversaries.
Tripwire vice president Tim Erlin put it succinctly: “Attackers don’t take the weekends off, and neither should your cybersecurity.”