CISA Warns Critical Infrastructure of Holiday Ransomware Risks

November 23, 2021 - The Cybersecurity & Infrastructure Security Agency (CISA) and the FBI released a statement warning US critical infrastructure entities and partners to remain vigilant against cyber threats and ransomware during the upcoming holiday season.

Threat actors are known to target unsuspecting victims during holidays and weekends, when employees are more likely to be away from their desks.

“As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you,” the statement warned.

“Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure.”

CISA and the FBI said that they have no specific threats to report, but there have been upticks in cyberattacks during previous holiday seasons.

For example, threat actors deployed DarkSide ransomware against Colonial Pipeline over Mother’s Day weekend in 2021, causing a fuel supply chain disruption that caught the attention of the White House.

During the Fourth of July weekend, REvil/Sodinokibi ransomware targeted IT management company Kaseya and impacted hundreds of the organization’s customers.

“CISA and the FBI strongly urge all entities–especially critical infrastructure partners–to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats,” the statement continued.

The agencies urged organizations to designate certain IT security employees to be on-call for weekends and holidays in the event of a security incident or cyberattack. All organizations should also implement multi-factor authentication for remote access and mandate strong passwords across the business. Additionally, critical infrastructure entities should ensure that remote desktop protocol (RDP) services are secure and monitored and remind employees to not click on any suspicious links.

CISA and the FBI recommended specifically implementing safeguards against common cyberattack techniques, including phishing, fraudulent sites spoofing reputable businesses, and unencrypted financial transactions.

“Finally—to reduce the risk of severe business/functional degradation should your organization fall victim to a ransomware attack—review and, if needed, update your incident response and communication plans. These plans should list actions to take—and contacts to reach out to—should your organization be impacted by a ransomware incident,” the agencies continued.

Specifically, CISA and the FBI urged organizations to use resources such as the CISA-MS-ISAC Joint Ransomware Guide, the Public Power Cyber Incident Response Playbook, and the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks.

Threat actors may use the distraction of the holiday weekend to deploy orchestrated attacks and cause damage to the healthcare sector and other entities.

Also in November, CISA warned of Iranian government-sponsored threat actors who have been consistently targeting the healthcare sector. The advanced persistent threat (APT) group is known to exploit Microsoft Exchange and Fortinet vulnerabilities. The group was tied to a June cyberattack that disrupted operations at a US-based children’s hospital.

CISA recommended that healthcare organizations using Microsoft Exchange or Fortinet watch for compromised systems, review antivirus logs, and stay vigilant against signs of suspicious activity.