Why ransomware hackers love a holiday weekend

JBS, a meat processing company, was the victim on the Friday before Memorial Day weekend. Another victim was Kaseya, an IT management software company, along with over a thousand other businesses. While it remains to be seen whether Labor Day will also see a ransomware crisis, one thing is certain: Hackers love holidays.
Really, ransomware hackers love regular weekends, too. But a long one, when everyone is out having fun with their friends and family and studiously avoiding any office-related business? That is the best stuff. This trend is not new. However, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint warning this week that highlighted how grave the threat has become.

It is easy to see why attackers are attracted. Ransomware can take some time to spread throughout a network, as hackers work to escalate privileges and gain maximum control over all systems. The longer it takes for them to be noticed, the more damage they can cause. According to Brett Callow, Emsisoft's threat analyst, threat actors deploy ransomware when there is less chance of people pulling the plug, and so less chance that the attack will be detected and stopped.

Even if the problem is noticed quickly, many of the people responsible for dealing with it are likely to be poolside or otherwise more difficult to reach than on a regular Tuesday afternoon.

It makes sense, intuitively, that defenders might be less attentive during holidays due to a decrease in staff, according to Katie Nickels, director of intelligence at security company Red Canary. It may be harder for defenders and emergency responders to respond quickly to a major incident that occurs on a holiday.

These major incidents are what likely caught CISA's and the FBI's attention. In addition to the JBS and Kaseya incidents, the catastrophic Colonial Pipeline attack occurred over Mother's Day weekend. This was not a three-day weekend, but it was still timed to cause maximum inconvenience. Although the agencies reported that they had no threat of a similar attack occurring over Labor Day weekend, it should not come as a surprise if one does.

Ransomware is a constant threat. Alongside the headline-grabbing oil shortages, there are many small businesses that, at any given time, are scrambling to get bitcoin to cybercriminals. In 2020, victims reported 2,474 ransomware attacks to the FBI's Internet Crime Complaint Center. This is a 20% increase on the previous year. According to IC3 data, hacker demands tripled within the same time frame. These attacks were not all focused on three-day weekends or Hallmark holidays.

CISA and the FBI both acknowledge that crooks are more likely to take advantage of weekends. Callow noted that submissions to ID Ransomware, security researcher Michael Gillespie's service that allows you to upload ransom files or ransom notes to figure out what hit you, tend to spike on Mondays, when victims return to their offices to find their data encrypted.

Hackers can also use strategic timing to their advantage. Callow states that attacks on schools are less common in the summer and late spring because there is less urgency for recovery. When North Korea's Lazarus Group stole $81 million from Bangladesh Bank, it timed the theft to capitalize on differences between weekend schedules in the US and Bangladesh. In the latter, Friday and Saturday are the weekend days. The timing also took in the Lunar New Year, a holiday that spans much of Asia.

A few large ransomware gangs, including Ragnarok, DarkSide and REvil, have been disbanded or gone offline in recent months. Anne Neuberger, the Deputy National Security Advisor, stated at a Thursday press conference that ransomware has been decreasing in recent years. Security researchers warn against any sense of relief. Nickels says that ransomware groups such as Lockbit 2.0, Conti and Pysa continue to cause serious damage to organizations. Even if one or more ransomware families are eliminated, it is entirely possible for another to replace them.

Preparing for a hack is not a matter of battening down the hatches on Friday afternoon. By then it's too late. Attackers tend to hide in compromised systems and strike when it is most convenient for them. It is best to be vigilant several weeks before ransomware strikes. Callow says that most house break-ins happen in the middle of the day. However, that does not mean you should not lock your doors at night.

There are steps individuals and companies can take to protect themselves against hacking, whether they're working over the weekend or not. CISA and the FBI recommend that you avoid clicking on any suspicious links. Create an offline backup of all your data. Use strong passwords. Make sure that your software is current. Use two-factor authentication. If you use Remote Desktop Protocol, a Microsoft product that has been a popular entry point for hackers, use caution. Keep an extra person on standby for this weekend just in case.

This story originally appeared on wired.com.