Why Ransomware Hackers Love a Holiday Weekend

Gah, don’t you miss stress-free travel?

Klaus Vedfelt / Getty Images

On the Friday heading into Memorial Day weekend this year, it was meat processing giant JBS. On the Friday before July 4, it was IT management software company Kaseya and, by extension, more than a thousand businesses of varying size. It remains to be seen whether Labor Day will bring a high-profile ransomware attack as well, but one thing is clear: hackers love vacations.

Ransomware hackers love regular weekends too. But a long one? When everyone is out with family and friends and carefully avoiding anything remotely office-related? That’s the good stuff. And although the trend is not new, a joint warning issued this week by the FBI and the Cybersecurity and Infrastructure Security Agency underlines the seriousness of the threat.

The appeal to attackers is straightforward. Ransomware can take time to spread across a network as hackers work to escalate privileges and gain control over as many systems as possible. The longer the victim takes to notice, the more damage they can do. “Generally speaking, threat actors deploy their ransomware when people are less likely to be around to start logging out,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “The lowest probability that the attack will be detected and interrupted.”

Even if an attack is caught relatively early, many of the people in charge of dealing with it are potentially poolside, or at least harder to reach than they would be on a normal Tuesday afternoon.


“Intuitively, it makes sense for defenders to be less vigilant during the holidays, in large part due to downsizing,” says Katie Nickels, chief intelligence officer at security firm Red Canary. “If a major incident occurs on a holiday, it can be more difficult for advocates to bring in the necessary personnel to respond quickly.”

It is those major incidents that likely caught the attention of the FBI and CISA; in addition to the JBS and Kaseya incidents, the devastating Colonial Pipeline attack took place over Mother’s Day weekend. (Not a three-day weekend, but still timed for maximum disruption.) The agencies said they have no “specific threat reports” that a similar attack will occur over Labor Day weekend, but it shouldn’t come as much of a surprise if one does.

It’s important to remember, too, that ransomware is a constant threat; for every gasoline shortage that makes headlines, there are dozens of small businesses at any given time scrambling to send bitcoin to cybercriminals. Victims reported 2,474 ransomware incidents to the FBI’s Internet Crime Complaint Center in 2020, a 20 percent increase from the previous year. Reported losses tripled over the same period, according to IC3 data. Those attacks weren’t all concentrated on Hallmark holidays and three-day weekends.

In fact, as CISA and the FBI acknowledge, weekends in general tend to be popular with criminals. Callow notes that submissions to ID Ransomware, a service created by security researcher Michael Gillespie that lets victims upload ransom notes or encrypted files to find out exactly what hit them, tend to spike on Mondays, when people return to their offices to find their data encrypted.

Strategic timing by hackers takes other forms as well. Attacks on schools drop precipitously in late spring and summer, Callow says, because there is much less urgency around recovery then. When North Korea’s Lazarus Group stole $81 million from Bangladesh Bank, it timed the heist to take advantage not only of the difference between the Bangladeshi and US weekends (in Bangladesh, the weekend falls on Friday and Saturday), but also of the Lunar New Year, a holiday across much of Asia.


It is true that a handful of large ransomware gangs, DarkSide, Ragnarok and REvil among them, have disbanded or gone dark lately. Deputy National Security Adviser Anne Neuberger told a news conference Thursday that US intelligence agencies had seen a “reduction” in ransomware recently. But security researchers caution against any sigh of relief. “Ransomware groups like Pysa, LockBit 2.0, Conti, and many others continue to cause significant damage to organizations,” says Nickels. “Even when one or more dominant ransomware families disappear, there is usually another one behind to fill the void.” In the same briefing, Neuberger also warned organizations to “be on guard” before the long weekend.

Unfortunately, preparing for a potential attack is not a matter of battening down the hatches on a Friday afternoon. By then it is too late; attackers tend to lurk in compromised systems and strike at the most opportune moment. The time to shore up defenses was often weeks before the ransomware was actually deployed. “Most burglaries happen in the middle of the day, but it’s not just the house that gets locked then,” says Callow.

That said, there are steps companies and individuals can take to better protect themselves from attacks, both before a long weekend and beyond. The FBI and CISA recommendations echo best practices for most cybersecurity situations: don’t click on suspicious links. Keep an offline backup of your data. Use strong passwords. Make sure your software is up to date. Use two-factor authentication. If you use Remote Desktop Protocol, a Microsoft product that has historically been a popular entry point for attackers, proceed with caution. And maybe have a few extra people on call this weekend, just in case.
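One concrete way to act on the RDP caution and the timing pattern the article describes is to watch for remote desktop logons that land on a weekend, a holiday, or outside business hours, exactly the windows attackers favor. The script below is an added example written for this page, not code from the article, the FBI or CISA; the log records are constructed in the style of the fields carried by Windows Security event 4624 (where logon type 10, RemoteInteractive, is RDP), and the holiday calendar, business hours and allowlisted jump-host address are assumptions.

```python
"""Added example (not from the article): flag RDP logons that land on a
weekend, a holiday, or outside business hours. Records are constructed in
the style of Windows Security event 4624 fields; logon type 10 is
RemoteInteractive, i.e. RDP."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import FrozenSet, Iterable, List

RDP_LOGON_TYPE = 10              # 4624 LogonType 10 = RemoteInteractive (RDP)
BUSINESS_HOURS = (8, 18)         # assumed local business hours, 08:00-18:00
HOLIDAYS = {date(2021, 9, 6)}    # assumed org calendar: US Labor Day 2021


@dataclass
class Logon:
    when: datetime
    user: str
    src_ip: str
    logon_type: int


def parse_line(line: str) -> Logon:
    """Parse one constructed record: '<ISO timestamp> user=<u> src=<ip> type=<n>'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Logon(datetime.fromisoformat(ts), fields["user"],
                 fields["src"], int(fields["type"]))


def is_off_hours(when: datetime) -> bool:
    """True on holidays, on weekends (Sat/Sun), or outside BUSINESS_HOURS."""
    if when.date() in HOLIDAYS or when.weekday() >= 5:
        return True
    start, end = BUSINESS_HOURS
    return not (start <= when.hour < end)


def suspicious_rdp_logons(lines: Iterable[str],
                          allowlist: FrozenSet[str] = frozenset()) -> List[Logon]:
    """Return RDP logons from non-allowlisted sources that occur off hours."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.logon_type != RDP_LOGON_TYPE:
            continue                 # network/service logons are out of scope here
        if ev.src_ip in allowlist:
            continue                 # e.g. the on-call team's jump host (assumed)
        if is_off_hours(ev.when):
            hits.append(ev)
    return hits


# Constructed sample records spanning the 2021 Labor Day weekend (Fri 3 Sep - Mon 6 Sep).
SAMPLE_LINES = [
    "2021-09-03T10:15:00 user=alice src=10.0.0.12 type=10",        # Friday, business hours
    "2021-09-03T23:40:00 user=svc_backup src=203.0.113.7 type=10", # Friday night, external source
    "2021-09-04T02:13:00 user=bob src=198.51.100.23 type=10",      # Saturday 02:13
    "2021-09-06T09:00:00 user=carol src=10.0.0.40 type=10",        # Labor Day, daytime
    "2021-09-06T09:05:00 user=carol src=10.0.0.40 type=3",         # network logon, not RDP
    "2021-09-07T09:30:00 user=dave src=10.0.0.41 type=10",         # Tuesday, business hours
]

if __name__ == "__main__":
    for hit in suspicious_rdp_logons(SAMPLE_LINES, allowlist=frozenset({"10.0.0.12"})):
        print(f"{hit.when:%a %Y-%m-%d %H:%M} {hit.user} from {hit.src_ip}")
```

Run against the sample, the Friday-night logon from an external address, the Saturday logon and the Labor Day logon are flagged; the Friday daytime and Tuesday logons are not, and the network logon is ignored. In practice you would feed the function from collected 4624 events and treat a hit as a trigger to page whoever is on call, which is the point of having extra people reachable over a long weekend.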

This story first appeared in wired.com.
