Labor Day weekend is just around the corner and, believe it or not, cybercriminals are likely just as excited as you are!
Ransomware gangs have nurtured a nasty habit of starting their attacks at the least convenient times: When computers are idle, when employees who might notice a problem are out of the office, and when the IT or security staff who might deal with it shorthanded.
They like to attack at night and at weekends, and they love a holiday weekend.
Indeed, while many people are looking forward to catching up with friends and family this Labor Day weekend, cybercrime gangs are likely huddling, too, planning to attack somebody.
On the last big holiday weekend, Independence Day, attackers using REvil ransomware celebrated with an enormous supply-chain attack on Kaseya, one of the biggest IT solutions providers in the US for managed service providers (MSPs). Threat actors used a Kaseya VSA auto-update to push ransomware into more than 1,000 businesses.
Why out-of-office attacks work
Ransomware works by encrypting huge numbers of files on as many of an organization’s computers as possible. Performing this kind of strong encryption is resource intensive and can take a long time, so even if an organization doesn’t spot the malware used in an attack, its tools might notice that something is amiss.
“You never think you’re gonna be hit by ransomware,” says Ski Kacoroski, a system administrator with the Northshore School District in Washington state. Speaking on Malwarebytes’ Lock & Code podcast, he told us about Northshore’s nighttime attack: “It was an early Saturday morning. I got a text from my manager saying ‘something is up’ ... after a short while I realized that [a] server had been hit by ransomware. It took us several more hours before we realized exactly how much had been hit.” He added “We had some high CPU utilizations alert the night before when they started their attack, but most of us were already asleep by midnight.”
Criminals taking advantage while employees are away for holidays, weekends, or simply because their shift is over, is a classic “when the cat’s away” opportunistic crime.
Be prepared for holiday disruption
We reached out to Adam Kujawa, Malwarebytes’ resident cybersecurity evangelist, and asked what organizations can do to minimize the chance their holiday weekend will be disrupted.
Do these before the holiday
- Run a deep scan on all endpoints, servers, and interconnected systems to ensure there are no threats lurking on those systems, waiting to attack!
- Once you know those systems are clean, force a password change a week or two out from the holiday, so any guessed or stolen credentials are rendered useless.
- Employ stricter access requirements for sensitive data, such as multi-factor authentication (MFA), Manager Authorization, and requiring a local network connection. Although this will make it a more difficult for employees (for a short amount of time), this will also make it significantly more difficult for attackers to traverse networks and gain access to unauthorized data. Once the holiday ends, you can revert these policies since you’ll have more eyes to watch out for threats.
- Provide guidance to employees on not posting about vacations and/or holiday plans on social media.
- Provide free—or free for a limited time—security software to employees to use on personal systems
- Ensure all remotely accessible connections(e.g. VPNs, RDP connections) are secured with MFA.
Do these during the holiday
- Ensure all non-essential systems and endpoints are shut down at the end of the day.
- Reduce risk by disabling or shutting down systems and/or processes which might be exploitable, if they aren’t needed.
- Ensure there is always someone watching the network during the holiday, and make sure they are equipped to handle a sudden attack situation. We suggest create a cyberattack reaction and recovery plan that includes call sheets, procedures on communicating with law enforcement and collecting evidence, and what systems can be isolated or shut down without seriously affecting the operations of the organization.
"The only mistake in life is a lesson not learned"
When we asked him why he came forward to tell his ransomware story when many others are reluctant to, Kacoroski told us: “The only mistake in life is a lesson not learned.”
A lesson we can all learn from recent history is that cybercriminals are probably planning to ruin somebody’s Labor Day weekend. So don’t wait for an attack to happen to your organization before you decide you need to be ready.
Prepare now, so you can enjoy an uninterrupted Labor Day weekend!