Business: beware of ransomware, particularly on holidays and weekends


    - by David Goldstein -

    Ransomware has developed into one of the biggest threats to businesses around the world. According to a 2021 alert from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), the two agencies have observed the most attacks at the times when offices are normally closed: on weekends and holidays.

    The alert came about after the two U.S. agencies observed increasingly impactful attacks against U.S. entities on or around holiday weekends over several months. Based on those observations, they believe cybercriminals may view holidays and weekends, especially holiday weekends, as attractive timeframes in which to target potential victims, including small and large businesses.

    In some cases, they believe this tactic gives malicious actors a head start in network exploitation and the follow-on propagation of ransomware, because the network defenders and IT support staff of victim organisations are at limited capacity for an extended time.

    These examples occurred during holidays

    Some examples of ransomware attacks highlighted by the FBI and CISA in their alert were:

    • In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
    • In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
    • In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.

    Cybercrime - including Ransomware - leads to considerable costs

    Ransomware has been identified as the largest threat to business today by the European cybersecurity agency ENISA. Attacks are becoming increasingly sophisticated. In the ENISA Threat Landscape (ETL) 2021 report, ENISA says the problems and costs of ransomware include “the amount of ransom, downtime, and the cost of people and actual operational and technical remediation.” A survey across 30 countries found the overall cost of remediating a ransomware attack has vastly increased, from $761,106 in 2020 to $1.85 million in 2021, according to ENISA.

    Internet crime is rapidly growing. The FBI's Internet Crime Complaint Center (IC3), which provides the public with an avenue for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime—a record number—from the American public in 2020, with reported losses exceeding $4.1 billion. This represented a 69% increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20% increase in the number of incidents, and a 225% increase in ransom demands.

    In their alert, CISA and the FBI explain how the destructive impact of ransomware continues to evolve beyond encryption of IT assets. Cybercriminals increasingly target large, lucrative organisations and providers of critical services with the expectation of higher value ransoms and an increased likelihood of payment. Cybercriminals have also increasingly coupled the initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of the ransom.

    Although cybercriminals use a variety of techniques to infect victims with ransomware, CISA and the FBI note that the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints.

    How to deal with Ransomware

    In their alert, CISA and the FBI strongly discourage organisations from paying ransoms to criminal actors. As many organisations have found, payment does not guarantee that files will be recovered, nor does it ensure protection from future breaches. Payment may also embolden adversaries to target additional organisations, encourage other criminal actors to distribute malware, and fund illicit activities. Depending on your country, there may be laws requiring businesses to report cybercrime, including ransomware, and cybercrime agencies in other countries often encourage businesses to report such crimes even where it is not mandatory.

    Some of the ways to mitigate against cybercrime such as ransomware, the FBI and CISA advise, include:

    • Make regular offline backups of your data
    • Do not click on suspicious links
    • If you use remote desktop protocol (RDP) endpoints, or other potentially risky services, secure and monitor them
    • Regularly update the operating system and software on all devices, and regularly scan for vulnerabilities
    • Use strong passwords
    • Secure networks and implement segmentation, filter traffic and scan ports
    • Secure user accounts
    • Have an incident response plan
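    The alert singles out brute forcing of RDP endpoints as one of the two main initial access vectors, and the list above asks you to secure and monitor such services. The script below is an added example, not code from this article or from CISA or the FBI, of what that monitoring can look like: it reads a simplified export of Windows Security log events (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is the RemoteInteractive type an RDP session records), flags any source address that produces a burst of RDP failures, notes whether a successful logon from the same address followed the burst, and marks whether the burst fell on a weekend, a holiday or outside working hours, which is exactly the window the article warns about. The CSV column layout, the five-failures-in-five-minutes threshold, the 08:00 to 18:00 workday, the sample events and the documentation-range IP addresses are all assumptions constructed for the example.

```python
"""Flag RDP brute-force bursts in a Windows Security log export and mark off-hours timing.

Added example, not code from the article or from CISA/FBI. Input format, thresholds and
all sample data are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample export (not real telemetry). Columns: ISO timestamp, Event ID,
# Logon Type, source IP, target user. Event 4625 is a failed logon and 4624 a
# successful one; Logon Type 10 (RemoteInteractive) is what an RDP session records.
# IPs come from the documentation ranges. 2021-05-29 is the Saturday of the 2021
# Memorial Day weekend, the period the article's second example refers to.
SAMPLE_EVENTS = """\
2021-05-29T02:13:01,4625,10,203.0.113.7,administrator
2021-05-29T02:13:04,4625,10,203.0.113.7,admin
2021-05-29T02:13:09,4625,10,203.0.113.7,backup
2021-05-29T02:13:15,4625,10,203.0.113.7,svc_sql
2021-05-29T02:13:22,4625,10,203.0.113.7,jsmith
2021-05-29T02:13:30,4624,10,203.0.113.7,jsmith
2021-05-31T09:15:00,4625,10,198.51.100.23,mwhite
2021-05-31T09:15:40,4624,10,198.51.100.23,mwhite
2021-05-27T11:02:11,4625,3,192.0.2.44,fileshare
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    source_ip: str
    user: str


def parse_events(text):
    """Parse the simplified CSV export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, source_ip, user = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), int(event_id),
                            int(logon_type), source_ip, user))
    return events


def is_off_hours(ts, holidays=frozenset(), start=time(8), end=time(18)):
    """True on weekends, on listed holiday dates, or outside the assumed 08:00-18:00 workday."""
    if ts.weekday() >= 5 or ts.date() in holidays:
        return True
    return not (start <= ts.time() < end)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5), holidays=frozenset()):
    """Return one alert per source IP that produced >= threshold RDP logon failures within window.

    Only Logon Type 10 events are considered, so SMB or service logon noise (types 3/5)
    does not count. Each alert also records whether a successful RDP logon from the same
    IP followed the burst within the window; that is the case needing the fastest response.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev.logon_type != 10:
            continue
        if ev.event_id == 4625:
            failures[ev.source_ip].append(ev)
        elif ev.event_id == 4624:
            successes[ev.source_ip].append(ev)

    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=lambda ev: ev.ts)
        head = 0
        for tail in range(len(fails)):           # sliding window over sorted failures
            while fails[tail].ts - fails[head].ts > window:
                head += 1
            burst = fails[head:tail + 1]
            if len(burst) < threshold:
                continue
            last = burst[-1]
            followed = any(last.ts < s.ts <= last.ts + window for s in successes[ip])
            alerts.append({
                "source_ip": ip,
                "failures": len(burst),
                "distinct_users": len({ev.user for ev in burst}),
                "first": burst[0].ts,
                "last": last.ts,
                "off_hours": is_off_hours(burst[0].ts, holidays),
                "followed_by_success": followed,
            })
            break                                # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

    Run against the sample, the script raises a single alert for 203.0.113.7: five failures against five different accounts in 21 seconds, at two in the morning on a Saturday, followed by a successful logon, which is the pattern a weekend on-call rota should be paged for. The single failure from 198.51.100.23 on the Monday morning is ordinary user error and stays quiet, and the type 3 failure is ignored because it is not RDP. Passing a set of holiday dates lets the off-hours flag cover the long weekends the alert describes, not just Saturdays and Sundays.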

    Contact us to learn more about how to protect against cybercrime.