CISA, FBI Release Holiday Ransomware Awareness Guidance

CISA and the FBI released holiday ransomware awareness guidance in light of increasing reports of ransomware attacks on holidays and weekends this summer.

By Jill McKeon

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have seen an uptick in ransomware attacks on holidays and weekends this summer and urged organizations to stay vigilant in a new holiday ransomware awareness report.

Trends show that hackers are especially active during holidays when offices are typically closed. Specifically, the FBI observed an uptick in ransomware attacks over the Fourth of July holiday in 2021.

“The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months,” the report explained.

“The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.”

During Mother’s Day weekend in 2021, bad actors deployed DarkSide ransomware against Colonial Pipeline, a US critical infrastructure entity. The attack disrupted the fuel supply chain and partly inspired President Biden to release an executive order on improving the nation’s cybersecurity.

Also in May, during Memorial Day weekend, major US meat supplier JBS suffered a ransomware attack at the hands of the Sodinokibi/REvil ransomware group that impacted US and Australian meat production facilities and resulted in a production stoppage, the report continued.

Over the Fourth of July weekend, Sodinokibi/REvil targeted Kaseya, an IT management software company. The ransomware attack disrupted implementations of Kaseya’s remote monitoring and management tool and impacted hundreds of organizations and customers.

“The FBI's Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime—a record number—from the American public in 2020, with reported losses exceeding $4.1 billion,” the report continued.

“This represents a 69 percent increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands.”

The report identified select ransomware variants that have been most frequently reported to the FBI in recent attacks: Conti, LockBit, PYSA, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos. These organizations have been known to target large healthcare entities.

The FBI and CISA strongly encouraged organizations to take necessary precautions to prevent ransomware attacks. It is crucial to engage in threat hunting since hackers often go undetected on a network for a long time before shutting it down.

The report recommended that organizations attempt to understand their IT environment’s routine activity and architecture by establishing a baseline to detect any deviations. Organizations should also regularly review data logs, deploy honeytokens, and employ intrusion prevention systems and automated security alerts.

Suspicious activity includes unusual inbound and outbound network traffic, theft of password credentials, geographical access irregularities, and attempts to access folders on a server that are not linked to the HTML within the pages of the server.
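The baselining idea above, as an added example that is not from the FBI/CISA report or this article: it learns each user's usual RDP login hours and source countries from ordinary workdays, then flags logins that deviate and marks those falling on a weekend or holiday. The log format, user names, two-hour tolerance and holiday list are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, user, source country, protocol.
BASELINE_LOG = """\
2021-08-23T09:12:00 alice US rdp
2021-08-24T14:40:00 alice US rdp
2021-08-25T10:05:00 bob US rdp
2021-08-26T16:30:00 bob CA rdp
"""
HOLIDAY_LOG = """\
2021-09-04T03:17:00 alice RO rdp
2021-09-04T11:00:00 bob CA rdp
2021-09-06T02:45:00 bob US rdp
"""
HOLIDAYS = {"2021-09-06"}  # Labor Day 2021 (assumed list; maintain per organization)

def parse(log):
    for line in log.strip().splitlines():
        ts, user, country, proto = line.split()
        yield datetime.fromisoformat(ts), user, country, proto

def build_baseline(log):
    """Record the hours and source countries each user normally logs in from."""
    hours, countries = defaultdict(set), defaultdict(set)
    for ts, user, country, _ in parse(log):
        hours[user].add(ts.hour)
        countries[user].add(country)
    return hours, countries

def find_deviations(log, hours, countries, slack=2):
    """Return (timestamp, user, reasons) for logins that deviate from baseline."""
    alerts = []
    for ts, user, country, _ in parse(log):
        reasons = []
        if country not in countries[user]:
            reasons.append("new-country")
        if not any(abs(ts.hour - h) <= slack for h in hours[user]):
            reasons.append("unusual-hour")
        off_day = ts.weekday() >= 5 or ts.date().isoformat() in HOLIDAYS
        if reasons and off_day:  # escalate deviations seen while staff are away
            reasons.append("holiday-or-weekend")
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_deviations(HOLIDAY_LOG, *build_baseline(BASELINE_LOG)):
        print(alert)
```

A user with no baseline at all is flagged on both checks, which is the intended behaviour for an account that first appears over a holiday.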

The FBI and CISA urged organizations to take the following immediate actions to protect themselves against ransomware:

  • Make an offline backup of your data.
  • Do not click on suspicious links.
  • If you use RDP, secure and monitor it.
  • Update your OS and software.
  • Use strong passwords.
  • Use multi-factor authentication. 

The report also urged organizations to implement an incident response plan in anticipation of a cyberattack to prevent further damage.