Feds Warn of Ransomware Attacks Ahead of Labor Day

Threat actors recently have used long holiday weekends — when many staff are taking time off — as a prime opportunity to ambush organizations.

Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t — which means organizations should remain particularly vigilante about the potential for ransomware attacks, the federal government has warned.

Citing historical precedence, the FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.

While the agencies said they haven’t discovered “any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry given that some major cyber-attacks have occurred over holidays and weekends during the past few months.
Infosec Insiders NewsletterIndeed, attackers recently have taken advantage of the fact that many extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.

“Modern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.

Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he said.

That’s mainly because the absence of key personnel make it less likely that organizations that are targeted can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.

“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he said in an email to Threatpost.

History of Holiday Attacks

Because of this vulnerability and increased exposure to attacks, FBI and CISA are encouraging organizations “to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware,” according to the advisory.

The agencies listed a number of attacks that occurred over holiday weekends in the last several months as reason for worry. The now-infamous Colonial Pipeline attack by now-defunct ransomware group DarkSide that crippled the oil pipeline on the East Coast for some weeks after occurred in the lead-up to Mother’s Day weekend, agencies observed.

Then later in May, over the Memorial Day weekend, the REvil ransomware group targeted the world’s largest meat distributor JBS Foods, forcing the shutdown of some operations in both the United States and Australia and causing disruption in the global food supply chain. Like DarkSide, REvil also has since closed up shop.

Another major ransomware attack by REvil occurred over the Fourth of July holiday weekend — this time exploiting zero-day vulnerabilities in the Kaseya Virtual System/Server Administrator (VSA) platform. The mess created by the massive supply-chain attack that affected numerous software-as-a-service (SaaS) and on-premises Kaseya customers that use the system and is still being cleaned up.

New Threats Emerging

Though the two ransomware players who launched these previous attacks are now gone, there are still plenty who are active, federal agencies warned.

The FBI’s Internet Crime Complaint Center (IC3), which logs cyber incident complaints for various types of Internet crime, said attacks from the following ransomware variants have been the most frequently reported to the FBI over the last month: Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin and Crysis/Dharma/Phobos.

Just this week researchers at Sophos also reported on the emergence of yet another ransomware, LockFile, which uses a never-before-seen type of “intermittent” encryption tactic to evade detection.

Because threat actors often stake out victims and maintain a presence on a target network before the attack occurs, the FBI and CISA advise that one way organizations can mitigate attacks is to engage in “preemptive threat hunting,” they said.

“Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack,” the agencies said in their advisory.


Suggested articles