The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are customarily closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and 

CISA is sharing the information below to provide awareness to be incredibly diligent in network defense practices in the run-up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. 

The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.

Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based AI cybersecurity company, says, “With fewer staff plugged in over a long weekend, the risk of accidental discovery to an adversary is likely going to be diminished, particularly among organizations that have an overreliance on preventative security and haven’t fully funded operational security activities that detect and hunt malicious behaviors.”

Recent Holiday Targeting

Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cybercriminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.

• In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
• In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting the U.S. and Australian meat production facilities, resulting in a complete production stoppage.
• In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.

“Unfortunately, it’s all too common that the majority of these attacks happen during the holidays because malicious foreign actors typically perceive that IT and security teams at a target organization are either out-of-office or significantly pared down,” says Bill O’Neill, Vice President of Public Sector at ThycoticCentrify, a Washington D.C. based provider of cloud identity security solutions. “This often leads to a delayed response or an unprepared ‘skeleton crew’ that simply doesn’t have the resources to simultaneously monitor for and deter threats fast enough. Or threats will be monitored, trigger automatic alerts, and enforce certain lockdowns, but often those still require human action for mitigation and additional security controls. And because most organizations would prefer to have their data released immediately rather than wait out the duration of a holiday weekend (and incur continued reputational damage), they’re also more likely to negotiate with attackers and pay out the requested ransom to minimize long term risks associated with these attacks.”

The FBI’s Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime—a record number—from the American public in 2020, with reported losses exceeding $4.1 billion. This represents a 69% increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20% increase in the number of incidents and a 225% increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62% increase in reporting a 20% increase in reported losses compared to the same time frame in 2020.  

Tom Kellermann, Head of Cybersecurity Strategy at VMware, says, “When it comes to ransomware, the best offense is defense. Cybercriminals have a long history of launching cyberattacks over long weekends, holidays and events like the Super Bowl. They are well aware of skeleton crews that are tasked to defend during these periods and how response times will be extended. Organizations must prepare in advance by implementing proactive threat hunting, as recommended by CISA.”

The following ransomware variants have been the most frequently reported to the FBI in attacks over the last month.

• Conti
• PYSA
• LockBit
• RansomEXX/Defray777
• Zeppelin
• Crysis/Dharma/Phobos

And, while CISA and the FBI have no specific credible information that there will be significantly more ransomware deployments over the holiday weekend, it’s important to remember there is a history of threat actors capitalizing on lower staffing levels to perform intrusions, says Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response.

“Most ransomware attacks we see today could be easily discovered before encryption by following the guidance from CISA. This is especially true for reviewing logs,” Williams says. “Threat actors could certainly perform lateral movement while staying out of logs, but with the plethora of potential victims with horrible cyber hygiene, there’s currently no need to do so. Elementary levels of cybersecurity hygiene and monitoring are enough to achieve early detection of today’s ransomware adversaries.”