CISA and FBI Warn That Ransomware Actors Are Deliberately Launching Attacks on Holidays


Ransomware perpetrators are purposefully launching assaults around the holidays and weekends, according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

Previous US holidays, such as the Fourth of July weekend in 2021, were marked by a spike in cyber-incidents using ransomware, according to the two agencies in a joint alert.

They also state that there is currently no indication that a cyberattack will occur over the Labor Day holiday, but they advise businesses to examine their cybersecurity posture and implement recommended best practices to ensure they are protected.

“However, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends over the past few months, the FBI and CISA are sharing […] information to provide awareness to be especially diligent in your network defence practices in the run-up to holidays and weekends,” according to the advisory.

Cybercriminals may prefer to launch a ransomware attack around a holiday or weekend, according to CISA and the FBI, because it gives them a head start on network exploitation and ransomware propagation while network defenders and IT support at the victim organization are at reduced capacity.

The DarkSide ransomware assault on Colonial Pipeline, as well as the Sodinokibi/REvil ransomware attacks on meat-packing company JBS USA and IT management software provider Kaseya, are examples of past attacks that used this method.

The FBI’s Internet Crime Complaint Center (IC3) received 791,790 complaints for all sorts of internet crimes in 2020, totaling $4.1 billion in alleged losses. In 2020, there were 2,474 ransomware instances reported.

The IC3 received 2,084 ransomware complaints between January and July 31, 2021, with reported losses totaling $16.8 million. Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos were the most commonly detected ransomware variants in the last month, according to the FBI.

“With the anticipation of higher ransoms and a higher possibility of payment, cyber criminals have increasingly targeted large, valuable corporations and providers of key services. To further encourage ransom payment, cyber criminals have increasingly combined initial data encryption with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption,” according to the CISA/FBI alert.

The agencies also point out that phishing and brute-force attacks on insecure Remote Desktop Protocol (RDP) endpoints remain the most popular ransomware infection techniques, and advise businesses to “engage in proactive threat hunting on their networks” to ensure they can block attacks before they happen.

CISA and the FBI also advise businesses to assess and implement ransomware protection best practices, and to avoid paying a ransom.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.