Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

CISA, FBI Warn of Increase in Ransomware Attacks on Holidays

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that ransomware actors are deliberately launching attacks during the holidays and weekends.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that ransomware actors are deliberately launching attacks during the holidays and weekends.

In a joint alert, the two agencies note that previous U.S. holidays such as the Fourth of July weeekend in 2021 were marked by an increase in cyber-incidents involving ransomware.

They also note that they currently have no indication that a cyberattack will occur over the upcoming Labor Day holiday, but encourage organizations to review their cybersecurity posture and apply recommended best practices to ensure they are protected.

“However, the FBI and CISA are sharing […] information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months,” according to the advisory.

Cybercriminals, CISA and the FBI note, may choose to launch a ransomware attack during a holiday or a weekend because it gives them a head start for network exploitation and the propagation of ransomware, given that network defenders and IT support at the victim are at limited capacity.

Some of the previously observed attacks that employed this tactic included the DarkSide ransomware attack on Colonial Pipeline, and the Sodinokibi/REvil ransomware attacks on meat-packing giant JBS USA and IT management software maker Kaseya.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 791,790 complaints for all types of internet crimes, with reported losses exceeding $4.1 billion. A total of 2,474 ransomware incidents were reported in 2020.

[ Related: Colonial Pipeline CEO Explains $4.4M Ransomware Payment ]

Between January and July 31, 2021, the IC3 received a total of 2,084 ransomware complaints, with the reported losses exceeding $16.8 million. The ransomware variants more frequently reported over the past month were Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos, the FBI says.

“Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom,” the CISA/FBI alert reads.

The agencies also note that phishing and brute force attacks on unsecured remote desktop protocol (RDP) remain the most commonly used infection techniques employed by ransomware operators and recommend that organizations “engage in preemptive threat hunting on their networks” to make sure they can prevent attacks before they occur.

CISA and the FBI also encourage organizations to review and apply the ransomware prevention best practices and strongly advise against paying a ransom.

Related: FBI Confirms REvil Ransomware Involved in JBS Attack

Related: Colonial Pipeline CEO Explains $4.4M Ransomware Payment

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...