Why ransomware hackers love a vacation weekend

The Friday before Memorial Day weekend this year, it was meat processing giant JBS. On the Friday before July 4, it was IT management software company Kaseya and, by extension, over a thousand companies of varying sizes. It remains to be seen whether Labor Day will also see a high-profile ransomware meltdown, but one thing is clear: Hackers love the holidays.

Really, ransomware hackers love regular weekends too. But a long one? When everyone is having fun with their family and friends and carefully avoiding all things remote desktop? This is the right thing. And while the trend is not new, a joint warning issued this week by the FBI and the Cybersecurity and Infrastructure Security Agency highlights just how serious the threat has become.

The call to attackers is fairly straightforward. Ransomware can take a long time to spread over a network, as hackers strive to elevate privileges for maximum control over most systems. The longer it takes for someone to notice it, the more damage it can cause. “Typically, threat actors deploy their ransomware when it’s less likely that people will be around to start unplugging,” said Brett Callow, threat analyst at antivirus company Emsisoft. “Less chance that the attack will be detected and interrupted.”

Even if it’s caught relatively early, many of the caregivers are potentially poolside, or at the very least more difficult to reach than they would be on a normal Tuesday afternoon.

“Intuitively, it makes sense for defenders to pay less attention during the holidays, in large part due to downsizing,” said Katie Nickels, chief intelligence officer for security firm Red Canary. “If a major incident occurs on a public holiday, it can be more difficult for defenders to bring in the necessary personnel to respond quickly. “

It was these major incidents that probably caught the attention of the FBI and the CISA; In addition to the JBS and Kaseya incidents, the devastating attack on the colonial pipeline took place over Mother’s Day weekend. (Not a three-day weekend, but still scheduled for maximum inconvenience.) The agencies said they had no “specific threat report” indicating that a similar attack would take place over the weekend. end of Labor Day, but it shouldn’t be. kind of surprise if we do.

It’s also important to remember that ransomware is a constant threat, and for every gasoline shortage that hits the headlines, dozens of small businesses are scrambling to send bitcoin to cybercriminals at all times. Victims reported 2,474 ransomware incidents to the FBI’s Internet Crime Complaints Center in 2020, a 20% increase from the previous year. Hacker requests have tripled over the same period, according to data from IC3. These attacks weren’t all focused around the three-day weekends and Hallmark holidays.

In fact, as the CISA and FBI recognize, weekends in general tend to be popular with scammers. Callow notes that submissions to ID Ransomware, a service created by security researcher Michael Gillespie that lets you download ransom notes or encrypted files to find out what exactly hit you, tend to increase on Mondays, when victims returned to their offices to find their data. crypt.

Strategic timing on the part of hackers also takes other forms. Attacks on schools drop sharply in late spring and summer, Callow says, as there is much less urgency associated with the recovery by then. When they stole $ 81million from the Bangladesh Bank, North Korean group Lazarus timed the heist to not only take advantage of the differences between Bangladeshi and American weekends – in the former it’s Friday and Saturday. – but also the Lunar New Year, a public holiday for much of Asia.

It is true that a handful of large ransomware gangs – DarkSide, Ragnarok, and REvil among them – have either disbanded or been disconnected in recent times. Deputy National Security Advisor Anne Neuberger told a press briefing on Thursday that US intelligence agencies had recently seen a “reduction” in ransomware. But security researchers warn against any sigh of relief. “Ransomware groups like Pysa, Lockbit 2.0, Conti and many more continue to cause significant damage to organizations,” says Nickels. “Even when one or more dominant ransomware families disappear, there is usually another one right behind to fill the void.” In the same briefing, Neuberger also warned organizations to “stay on their toes” before the long weekend.

Unfortunately, preparing for a possible hack isn’t about closing various hatches on a Friday afternoon. By then, it is already too late; attackers tend to hide in compromised systems and strike at the most opportune moment. The best time for strong defense was often weeks before the ransomware actually hit. “Most burglaries happen in the middle of the day, but you don’t just close your house then,” says Callow.

That said, there are steps businesses and individuals can take to better protect themselves against hackers, both before a long weekend and beyond. The FBI and CISA recommendations echo best practices for most cybersecurity situations: Don’t click on suspicious links. Take an offline backup of your data. Use strong passwords. Make sure your software is up to date. Use two-factor authentication. If you are using Remote Desktop Protocol, a Microsoft product that has historically proven to be a popular entry point for attackers, proceed with caution. And maybe keep a few more people on call this weekend, just in case.

This story first appeared on wired.com.