The agency issued a similar warning in August ahead of the Labor Day weekend, noting that ransomware attackers often choose to launch attacks on holidays and weekends, specifically when businesses are likely to be closed.
“Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure,” CISA and the FBI said.
The agencies said they had not identified any specific threats. However, they noted that some of the worst ransomware attacks happened on holidays and weekends, including Independence Day and the Mother’s Day weekend.
To prepare for potential attacks on the Thanksgiving weekend, the agencies have outlined several key steps organizations can take to minimize the risk of an attack. These include: identifying key IT security staff who could handle a surge in work after a ransomware attack; implementing multi-factor authentication for remote access and administrative accounts; enforcing strong passwords and avoiding password reuse; ensuring RDP is secure and monitored; and reminding employees not to click on suspicious links.
Organizations also need to review incident response measures and procedures.
“To reduce the risk of severe business/functional degradation should your organization fall victim to a ransomware attack—review and, if needed, update your incident response and communication plans. These plans should list actions to take—and contacts to reach out to—should your organization be impacted by a ransomware incident.”
CISA and the FBI urge users and organizations to take these actions “immediately” to protect themselves against this potential threat.
The agencies detailed several major ransomware attacks that aligned with US public holidays:
In May 2021, leading into Mother’s Day weekend, a ransomware gang deployed DarkSide ransomware against Colonial Pipeline. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
In May 2021, over the Memorial Day weekend, meatpacker JBS was struck by a Sodinokibi/REvil ransomware attack that affected U.S. and Australian meat production facilities, resulting in a complete production stoppage.
In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked Kaseya’s remote monitoring and management tool.
While most of these attacks have been attributed to suspected Russia-based hackers, Microsoft last week warned that state-sponsored hackers from Iran are increasingly using ransomware to disrupt their targets. The US, UK and Australia called out Iranian attackers for exploiting known flaws in Fortinet’s VPN and Microsoft Exchange to deploy ransomware.