US authorities have warned operators of critical national infrastructure (CNI) and IT services suppliers to be alert to attempted ransomware attacks over the coming days, as the country winds down ahead of the annual Thanksgiving holiday.
In a new alert, the Cybersecurity and Infrastructure Security Agency (CISA) and its partners at the FBI said recent history suggested that during the holiday period, more persistent malicious actors may be minded to strike at a time when offices tend to be closed and IT security teams reduced to a skeleton staff.
This was the case in the summer 2021 ransomware attack on the systems of Kaseya, which unfolded over the long Independence Day weekend – an attack in which, despite being several thousand miles away and disinclined to give their employees a day off on 4 July, multiple UK organisations were impacted.
Other high-profile ransomware attacks on Colonial Pipeline and JBS, a meat supply firm, also unfolded around the US holidays of Mother’s Day and Memorial Day, respectively.
“Although neither the CISA nor the FBI has currently identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends,” said the agencies in the joint advisory.
“The CISA and the FBI strongly urge all entities – especially critical infrastructure partners – to examine their current cyber security posture and implement best practices and mitigations to manage the risk posed by cyber threats.”
In addition to the standard anti-ransomware precautions – such as mandating multifactor authentication for remote access and admin accounts, locking down and monitoring remote desktop protocol (RDP), and training employees to spot phishing attacks and other warning signs – the CISA and the FBI are also recommending that security leaders take some time to identify appropriate cyber personnel who would be available to provide surge cover in the event of an attack taking place at such a time.
A recent study of organisations that had suffered ransomware attacks on a weekend, or a public holiday, found that 37% of UK respondents did not have specific contingencies in place at such periods to ensure a prompt response – even after having been victimised.
In the report Organisations at risk: ransomware attackers don’t take holidays, Cybereason analysts spoke with 1,200 cyber pros – 500 in the UK – and found a huge disconnect between the risk ransomware poses during periods of organisational downtime, and overall preparedness.
Almost two-thirds of UK respondents said they had needed more time to assess the scope of the impact, almost half said they needed more time to properly respond, and almost one-third said they needed more time to recover properly.
Cybereason also found that 71% of respondents indicated they had been drunk while responding to a ransomware attack on a weekend or holiday, a risk factor that is unlikely to be considered in incident response plans.
“The most disruptive ransomware attacks in 2021 have occurred over weekends and during major holidays when attackers know they have the advantage over targeted organisations,” said Lior Div, founder and CEO of Cybereason.
“Organisations are not adequately prepared and need to take additional steps to assure they have the right people, processes and technologies in place so they can effectively respond to ransomware attacks and protect their critical assets.”
More information on holiday ransomware attacks is available from the CISA, while the UK’s National Cyber Security Centre also publishes ransomware mitigation guidance.