[TheRecord] CISA and the FBI warn of ransomware gangs’ tendency of launching attacks over holidays and weekends

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint security advisory today to warn companies about the tendency of ransomware gangs to launch attacks over weekends and national holidays.

While cybersecurity experts have been aware of this trend in ransomware attacks for the past three years, the two US cybersecurity agencies are now using their broader platforms to inform and make sure that IT teams across the world are also aware of this particular tidbit.

“The FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends,” the two said today.

“Additionally, the FBI and CISA recommend identifying IT security employees to be available and ‘on call’ during these times, in the event of a ransomware attack.”

There are fewer IT teams watching networks on weekends & holidays

As previously stated, ransomware gangs have been conducting attacks over weekends ever since they shifted from a shotgun approach to targeted attacks against high-profile organizations almost three years ago.

Criminal groups realized that they had a better chance of going undetected if they breached and moved around a company’s internal network when IT or security teams were off duty or in smaller numbers.

Even if their intrusions were detected, some alerts wouldn’t be read or noticed in time, giving attackers a head start.

Coupled with the fact that most ransomware gangs have updated their code to speed up encryption routines, most attacks usually take a few hours from initial breach until the company’s servers are encrypted, giving IT teams little to no time to react.

This year’s Top 3 ransomware attacks were precisely timed

The vast majority of targeted ransomware attacks covered by this reporter over the past three years have taken place over weekends, following this basic modus operandi.

While there are hundreds of major ransomware attacks to pick from as an example of this trend, CISA and the FBI chose this year’s three biggest ransomware incidents, all of which have taken place over weekends and holidays, perfectly proving their point:

The Darkside ransomware gang’s attack on Colonial Pipeline, which took place on Saturday, May 7.
The REvil ransomware gang’s attack on JBS Foods, which took place over the US Memorial Day weekend holiday.
The REvil ransomware gang’s attack on IT software maker Kaseya, which took place over the July 4 US holiday.

Now, both CISA and the FBI are urging organizations to adapt to this new operational model and change their defenses accordingly, either by leaving more IT staff over weekends or by improving ransomware defenses and detection capabilities.

Various recommendations and sensible advice are available in the joint advisory.

While there are quite a few ransomware gangs active today, the FBI said that based on data from the FBI’s Internet Crime Complaint Center (IC3), the following gangs had been seen targeting US organizations over the past month:


IT and security teams should invest in technical capabilities to detect these groups’ offensive playbooks before moving on to improve detections for other gangs.
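The advisory’s practical ask is that someone is watching when staffing is thin. The script below is an added example written for this page, not code from CISA, the FBI or The Record: it reads a constructed log of administrative events, weights the ones that commonly precede encryption (shadow-copy deletion, backups disabled, new local admins, remote tooling, bulk renames; the event names, the holiday calendar and the 07:00–19:00 business window are all assumptions made here) and doubles their weight when they fall on a weekend, a listed holiday or outside business hours, so that a run of such activity on, say, the Labor Day weekend crosses an alerting threshold before a Friday afternoon one-off does.

```python
"""Flag sensitive administrative activity that lands outside staffed hours.

Added example, not from the CISA/FBI advisory or The Record. The log format,
event names, holiday list and business-hours window are constructed here.
"""
from collections import defaultdict
from datetime import date, datetime, time

# Constructed holiday calendar: July 4 (observed) and Labor Day 2021.
# A real deployment would load the organisation's own calendar.
HOLIDAYS = {date(2021, 7, 5), date(2021, 9, 6)}

BUSINESS_START = time(7, 0)   # assumption: staffed window is 07:00-19:00 local
BUSINESS_END = time(19, 0)

# Event types that often precede encryption in a ransomware intrusion.
# These labels are constructed for this example, not vendor identifiers.
SENSITIVE_EVENTS = {
    "shadow_copy_delete": 10,
    "backup_job_disabled": 10,
    "mass_file_rename": 8,
    "new_local_admin": 6,
    "remote_tool_installed": 6,
}

ALERT_THRESHOLD = 8  # per-user score at which an on-call page is raised


def is_off_hours(ts: datetime, holidays=HOLIDAYS) -> bool:
    """True on weekends, listed holidays, or outside the business window."""
    if ts.date() in holidays or ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def parse_line(line: str):
    """Parse 'ISO_TIMESTAMP host user event'; return None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "host": parts[1], "user": parts[2], "event": parts[3]}


def score_events(lines, holidays=HOLIDAYS):
    """Accumulate a per-user score; sensitive events count double off-hours."""
    scores = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] not in SENSITIVE_EVENTS:
            continue
        weight = SENSITIVE_EVENTS[rec["event"]]
        if is_off_hours(rec["ts"], holidays):
            weight *= 2
        scores[rec["user"]] += weight
    return dict(scores)


def alerts(lines, holidays=HOLIDAYS, threshold=ALERT_THRESHOLD):
    """Return (user, score) pairs at or above the threshold, highest first."""
    hits = [(u, s) for u, s in score_events(lines, holidays).items() if s >= threshold]
    return sorted(hits, key=lambda pair: pair[1], reverse=True)


# Constructed sample log: a Friday business-hours event, a Saturday-night
# admin creation, and a burst of backup tampering in the small hours of
# Labor Day 2021. One malformed line checks that the parser skips garbage.
SAMPLE_LOG = [
    "2021-09-03T10:15:00 ws04 alice new_local_admin",          # Fri, in hours -> 6
    "2021-09-04T23:10:00 ws17 bob new_local_admin",            # Sat night -> 12
    "2021-09-06T02:41:00 dc01 svc_backup shadow_copy_delete",  # holiday -> 20
    "2021-09-06T02:43:00 dc01 svc_backup backup_job_disabled", # holiday -> 20
    "2021-09-03T09:00:00 ws17 bob login",                      # not scored
    "malformed line",
]

if __name__ == "__main__":
    for user, score in alerts(SAMPLE_LOG):
        print(f"PAGE ON-CALL: {user} score={score}")
```

The doubling is deliberately crude; the point is that the same action carries more suspicion when nobody is expected to be performing it, and the threshold should be tuned against a week of the organisation’s own off-hours baseline before it is wired to a pager.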

CISA and the FBI also clarified that even if they published this joint advisory today, the two agencies have no indication that a major ransomware attack is being planned for the upcoming US Labor Day extended weekend.

But, knowing ransomware gangs, attacks will almost definitely take place as the opportunity is too great to pass on.

The post CISA and the FBI warn of ransomware gangs’ tendency of launching attacks over holidays and weekends appeared first on The Record by Recorded Future.
