CISA, FBI Warn of Increase in Ransomware Attacks on Holidays

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that ransomware actors are deliberately launching attacks during the holidays and weekends.

In a joint alert, the two agencies note that previous U.S. holidays such as the Fourth of July weeekend in 2021 were marked by an increase in cyber-incidents involving ransomware.

They also note that they currently have no indication that a cyberattack will occur over the upcoming Labor Day holiday, but encourage organizations to review their cybersecurity posture and apply recommended best practices to ensure they are protected.

“However, the FBI and CISA are sharing […] information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months,” according to the advisory.

Cybercriminals, CISA and the FBI note, may choose to launch a ransomware attack during a holiday or a weekend because it gives them a head start for network exploitation and the propagation of ransomware, given that network defenders and IT support at the victim are at limited capacity.

Some of the previously observed attacks that employed this tactic included the DarkSide ransomware attack on Colonial Pipeline, and the Sodinokibi/REvil ransomware attacks on meat-packing giant JBS USA and IT management software maker Kaseya.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 791,790 complaints for all types of internet crimes, with reported losses exceeding $4.1 billion. A total of 2,474 ransomware incidents were reported in 2020.

[ Related: Colonial Pipeline CEO Explains $4.4M Ransomware Payment ]

Between January and July 31, 2021, the IC3 received a total of 2,084 ransomware complaints, with the reported losses exceeding $16.8 million. The ransomware variants more frequently reported over the past month were Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos, the FBI says.

“Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom,” the CISA/FBI alert reads.

The agencies also note that phishing and brute force attacks on unsecured remote desktop protocol (RDP) remain the most commonly used infection techniques employed by ransomware operators and recommend that organizations “engage in preemptive threat hunting on their networks” to make sure they can prevent attacks before they occur.

CISA and the FBI also encourage organizations to review and apply the ransomware prevention best practices and strongly advise against paying a ransom.

Related: FBI Confirms REvil Ransomware Involved in JBS Attack

Related: Colonial Pipeline CEO Explains $4.4M Ransomware Payment