CISA and the FBI warn of ransomware gangs’ tendency of launching attacks over holidays and weekends
Image: Roman Raizen
Catalin Cimpanu August 31, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint security advisory today to warn companies about the tendency of ransomware gangs to launch attacks over weekends and national holidays.

While cybersecurity experts have been aware of this trend in ransomware attacks for the past three years, the two US cybersecurity agencies are now using their broader platforms to inform and make sure that IT teams across the world are also aware of this particular tidbit.

“The FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends,” the two said today.

“Additionally, the FBI and CISA recommend identifying IT security employees to be available and ‘on call’ during these times, in the event of a ransomware attack.”

There are fewer IT teams watching networks on weekends & holidays

As previously stated, ransomware gangs have been conducting attacks over weekends ever since they shifted from a shotgun approach to targeted attacks against high-profile organizations almost three years ago.

Criminal groups realized that they had a better chance of going undetected if they breached and moved around a company’s internal network when IT or security teams were off duty or in smaller numbers.

Even if their intrusions were detected, some alerts wouldn’t be read or noticed in time, giving attackers a head start.

Coupled with the fact that most ransomware gangs have updated their code to speed up encryption routines, most attacks usually take a few hours from initial breach until the company’s servers are encrypted, giving IT teams little to no time to react.
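To show what the advisory’s “on call over holidays and weekends” recommendation can look like in practice, here is an added example (not code from the advisory or from The Record) that routes alerts raised on weekends, on the US holidays named in this article (Memorial Day, July 4, Labor Day), or on the evening before one of them to an on-call pager instead of the regular SOC queue. The alert records, the 18:00 cut-off and the route names are constructed assumptions.

```python
"""Off-hours escalation for alerts, so weekend/holiday activity is not left unread."""
from datetime import date, datetime, timedelta

def us_holidays(year):
    """Holidays mentioned in the article: Memorial Day (last Monday of May),
    Independence Day (July 4, plus the observed weekday) and Labor Day (first Monday of Sept)."""
    d = date(year, 5, 31)
    while d.weekday() != 0:          # walk back to the last Monday of May
        d -= timedelta(days=1)
    memorial = d
    d = date(year, 9, 1)
    while d.weekday() != 0:          # walk forward to the first Monday of September
        d += timedelta(days=1)
    labor = d
    july4 = date(year, 7, 4)
    observed = july4
    if july4.weekday() == 5:         # Saturday -> observed Friday
        observed = july4 - timedelta(days=1)
    elif july4.weekday() == 6:       # Sunday -> observed Monday
        observed = july4 + timedelta(days=1)
    return {memorial, labor, july4, observed}

def is_off_hours(ts, holidays=None):
    """True on weekends and holidays, and after 18:00 (assumed cut-off) the day before one."""
    holidays = us_holidays(ts.year) if holidays is None else holidays
    day = ts.date()
    if day.weekday() >= 5 or day in holidays:
        return True
    nxt = day + timedelta(days=1)
    return ts.hour >= 18 and (nxt.weekday() >= 5 or nxt in holidays)

def triage(alerts):
    """Copy each alert, flag it, and pick a route: page on-call off-hours, SOC queue otherwise."""
    out = []
    for a in alerts:
        ts = datetime.fromisoformat(a["time"])
        off = is_off_hours(ts)
        out.append({**a, "off_hours": off, "route": "oncall-page" if off else "soc-queue"})
    return out

# Constructed sample alerts (ISO-8601 local timestamps); not real incident data.
SAMPLE_ALERTS = [
    {"id": "a1", "time": "2021-05-08T03:12:00", "rule": "mass-file-rename"},   # Saturday
    {"id": "a2", "time": "2021-05-28T19:40:00", "rule": "new-admin-account"},  # Friday eve, Memorial wknd
    {"id": "a3", "time": "2021-06-08T10:05:00", "rule": "shadow-copy-delete"}, # Tuesday morning
    {"id": "a4", "time": "2021-07-05T14:00:00", "rule": "rdp-brute-force"},    # observed July 4
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row["id"], row["rule"], "->", row["route"])
```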

This year’s Top 3 ransomware attacks were precisely timed

The vast majority of targeted ransomware attacks covered by this reporter over the past three years have taken place over weekends, following this basic modus operandi.

While there are hundreds of major ransomware attacks to pick from as an example of this trend, CISA and the FBI chose this year’s three biggest ransomware incidents, all of which have taken place over weekends and holidays, perfectly proving their point:

  1. The Darkside ransomware gang’s attack on Colonial Pipeline, which took place on Saturday, May 7.
  2. The REvil ransomware gang’s attack on JBS Foods, which took place over the US Memorial Weekend holiday.
  3. The REvil ransomware gang’s attack on IT software maker Kaseya, which took place over the July 4 US holiday.

Now, both CISA and the FBI are urging organizations to adapt to this operational model and change their defenses accordingly, either by keeping more IT staff on duty over weekends or by improving ransomware defenses and detection capabilities.

Various recommendations and sensible advice are available in the joint advisory.

While there are quite a few ransomware gangs active today, the FBI said that based on data from the FBI’s Internet Crime Complaint Center (IC3), the following gangs had been seen targeting US organizations over the past month:

  • Conti
  • PYSA
  • LockBit
  • RansomEXX/Defray777
  • Zeppelin
  • Crysis/Dharma/Phobos

IT and security teams should invest in technical capabilities to detect these groups’ offensive playbooks before moving on to improve detections for other gangs.

CISA and the FBI also clarified that even if they published this joint advisory today, the two agencies have no indication that a major ransomware attack is being planned for the upcoming US Labor Day extended weekend.

But, knowing ransomware gangs, attacks will almost definitely take place as the opportunity is too great to pass on.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.