High days and holidays are prime time for ransomware. This should come as no surprise to anyone – but many companies remain surprisingly unaware or at least unprepared.
On August 31, 2021 – just ahead of Labor Day – a joint alert from the FBI and CISA warned that ransomware attacks will likely increase on specific holidays and generally throughout the entire holiday season. The alert specifically cited the DarkSide Colonial Pipeline attack (Mother’s Day weekend), the REvil JBS attack (Memorial Day weekend), and the Sodinokibi/REvil Kaseya attack (Fourth of July holiday weekend).
We are now approaching the Thanksgiving holiday. “We absolutely expect attacks focused on Thanksgiving Day,” Israel Barak, CISO at Cybereason, told SecurityWeek. “It happens at almost every holiday and long weekend. We can assume with 100% certainty that there will be an increase in cyberattacks during the Thanksgiving weekend.”
Such increases will occur on all specific holidays, but also for the entire holiday season that starts with Thanksgiving and continues into the New Year. The reasons are simple and obvious, but slightly different between the holidays and the holiday season.
On holidays, the risk is across all industries. Fewer staff are operational. “Cybercrime groups take advantage of the longer than usual incident response times caused by staff availability issues,” explained Barak. “Staff come back after the long weekend and find the entire environment has been encrypted and there’s a ransom note waiting for them.”
Across the longer holiday season, the threat is increased for slightly different reasons – and especially for the retail (and retail-related) and transport sectors. “For many of these companies, this is the highlight of the year when they make the most money,” he continued. “Any minor disruption can have a major impact on the overall yearly performance, and as a result, there is an expectation or perception within the cyber crime ecosystem that these companies will have a higher propensity to pay a ransom fee more quickly.”
So, on holidays attacks increase because the attackers have the time and opportunity to embed and enact their plans against prime targets, while the holiday season simply promises easier and more likely payouts. The combination means that the holiday season is also cybercrime season.
None of this should be news. But Cybereason wanted to see if industry is making adequate preparation and taking adequate precautions. It queried more than 1200 security professionals working at organizations that have previously suffered a successful ransomware attack on a holiday or weekend. The results highlighted in a report (PDF eBook) on the survey are surprising and demonstrate a disconnect between knowledge of the threat and senior leaders’ perception of the risk.
The respondents had all suffered from a successful holiday or weekend ransomware attack. Sixty percent of respondents said it resulted in longer periods to assess the scope of the attack, 50% reported it took more time to mount an effective response, and 33% indicated it required a longer period to fully recover from the attack. Holiday attacks are easier to implement but lead to more difficult recovery.
Eighty-six percent of the respondents said they had missed a holiday or weekend activity while responding to a ransomware incident, while 70% confessed to being intoxicated when they did so.
But despite this personal experience, nearly half of the respondents feel they still do not have the right tools in place to manage a new attack; and 24% do not have a contingency plan to ensure a rapid response over holidays and weekends.
This disconnect between knowledge of the threat and taking adequate steps to avoid or mitigate the risk is the most concerning aspect of the survey. Barak believes there are two primary reasons for the disconnect. The first is a combination of the optimism bias (‘threats don’t target me’) and the mistaken belief that lightning doesn’t strike twice.
“This mostly affects SMBs,” he told SecurityWeek. “What companies ignore is that a lot of times the attacks aren’t specifically targeted, but are the result of automated scans looking for low hanging fruit that can easily be breached. Once found, the attackers tend not to discriminate – all are potential sources of income – and the human-led operation begins.” Such attacks occur all year round, but will increase during the holiday season.
“The second reason,” he continued, “is a misconception that cyber extortion insurance will pick up the bill. From earlier research, we found in 48% of cases, the insurance covered only a portion of the damages from the attack. Insurance cannot recover lost data, and there are numerous indirect costs not included.” Insurance should be treated as an addition to cybersecurity, not a replacement for it.
The message from Cybereason’s research is clear: simply being aware that ransomware attacks will almost certainly increase over the next few months is not enough. Industry must put in place specific contingency plans to cover staff shortages and recover from a successful attack.