Ransomware Attacks and Vacations – Is Your Data Safe?
Recent history shows that holidays and weekends are when persistent cyber actors are looking for tactics – big and small – to penetrate and disrupt the critical networks, systems, and infrastructure of businesses. At no time should your business loosen its network security and protection, especially during these times when fewer staff are working.
Ransomware Will Not Take a Summer Vacation or Weekend Break
Most organizations may be aware and concerned about attacks occurring during the holidays; however, many are not prepared to respond effectively if it happens. Businesses with the proper security and processes will be better prepared and able to defend against holiday-initiated ransomware attacks.
During the weekends, many businesses are closed, and there are often only a few network security team members available who can handle emergency issues like a ransomware attack. The lowered defenses and reduced vigilance give attackers the opening to strike and invade your systems and network.
During these more vulnerable times, many of a business's network security personnel are off duty or on holiday. As a result, if there is an attack, it takes more time to respond. By the time the security team is back, the damage has already been done. Recovery takes longer, and the repercussions might be irreversible. A business could end up paying a large ransom to the attackers.
External organizations you work with may likewise have less support and slower response times. If the data stored in your organization is breached and stolen, the attackers can go after the companies you associate with. Those businesses may suffer further losses if cyber actors gain access to their systems or confidential data.
Another issue is that cybercriminals can target any business. Owners of small businesses may be targeted because they think they are not vulnerable to these attacks. During the holidays and weekends, owners of small business entities are often unavailable. They may be unable to respond to attacks until it is too late.
Typical weekend targeted attacks include:
The Colonial Pipeline attack: In May 2021, leading into the Mother’s Day weekend, a ransomware gang executed the DarkSide ransomware attack against Colonial Pipeline. Once the cyber actors gained access to Colonial Pipeline’s network, they deployed ransomware that encrypted victim data. As secondary extortion, the gang also exfiltrated data and threatened to publish it, to pressure Colonial Pipeline further into paying the ransom.
The meatpacker JBS attack: Similarly, in July 2021, during the Memorial Day weekend, the Sodinokibi/REvil ransomware gang attacked meatpacker JBS. The attack affected meat production facilities in the US and Australia, resulting in a complete halt to production.
Phishing – The Number One Ransomware Delivery Vehicle!
Phishing emails targeting organizations and businesses can lead to data breaches like stolen usernames, passwords, and credit card details. For targeted attacks, the ransomware gangs create phishing emails that look like they are from a trustworthy sender. However, the emails link to or contain malware that can execute when a user clicks it.
Emails that arrive while an employee's auto-responder or out-of-office notice is active can contain phishing content. The employee's vacation backup is less likely to recognize what is legitimate and which steps to take, so an attack may not be averted. Additionally, attackers can use spear phishing, which is more sophisticated because it targets key people in an organization.
The attackers craft a personalized email to lure targeted users into providing sensitive information or into opening malicious content such as ransomware. Spear phishing emails can be hard to catch with traditional spam or reputation filters.
MFA / Credential Attacks are Commonly Used by Ransomware Gangs
Rather than just requesting usernames and passwords, multi-factor authentication (MFA) asks for one or more extra verification factors. This way, MFA can minimize the chances of a successful ransomware attack.
Many credential or MFA attacks occur when admins log in through remote desktop. This often happens on holidays or weekends, when people want to reach the organization’s network or systems from home or wherever they may be. Remote desktop use opens potential security holes.
The risk is greatest when the admin's endpoint has already been compromised. If the admin logs in from it, an attacker may be able to ride the admin’s access into the backup systems. From there the attackers cause damage, including stealing confidential data.
Attack-Loops™ – A Circle of Repeated File Encryptions
Backup systems and files are a target of ransomware attackers. A ransomware cyber actor creates an attack loop by discreetly placing executable code into an organization's file system, where it is subsequently backed up. The code does not execute immediately but waits for a particular date on which it will activate. Attackers pick a time in the future when your defenses will be at their lowest, such as a holiday or weekend.
Since your organization backs up files repeatedly, the code is backed up along with them. When the activation date arrives, the executable code starts encrypting files. As your IT personnel restore files from backup to recover from the attack, the ransomware executable is restored with them and fires again. The endless cycle of encryption eventually compels the organization to pay the ransom. Even when you have air-gapped backup data, once the infected backups are restored, they re-initiate the attack.
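The attack loop above is broken only if backup generations are scanned again with current signatures before they are restored. The following toy backup catalogue is an added example, not Asigra's code: a dormant payload that no signature matched at backup time is caught at restore time and quarantined, and because it was copied forward into every generation, no generation qualifies for a clean full restore. All file contents, paths and signature hashes are constructed for the demo.

```python
"""Added example (not Asigra's code): rescan every backup generation with
current signatures at restore time, so a dormant payload that slipped past
the backup-time scan is not restored and re-armed."""
import hashlib
from datetime import date


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup generations: {backup date: {path: file content}}.
# The dormant "bin/updater.exe" was already present in the first backup
# and was carried forward unchanged into every later generation.
DORMANT = b"MZ..constructed dormant payload, sleeps until a holiday.."
GENERATIONS = {
    date(2021, 5, 1): {"docs/q1.xlsx": b"quarterly numbers", "bin/updater.exe": DORMANT},
    date(2021, 5, 8): {"docs/q1.xlsx": b"quarterly numbers v2", "bin/updater.exe": DORMANT},
    date(2021, 5, 15): {"docs/q1.xlsx": b"quarterly numbers v3", "bin/updater.exe": DORMANT},
}

# Signature set at backup time (payload still unknown, so empty) versus the
# set at restore time, after incident response identified the payload.
SIGS_AT_BACKUP: set[str] = set()
SIGS_AT_RESTORE: set[str] = {sha256(DORMANT)}


def scan(files: dict[str, bytes], signatures: set[str]) -> list[str]:
    """Return the paths whose content hash matches a known-bad signature."""
    return [path for path, data in files.items() if sha256(data) in signatures]


def restore(generation: date, signatures: set[str]) -> tuple[dict[str, bytes], list[str]]:
    """Restore one generation, holding back anything that matches a signature.
    Returns (files handed back to the file system, quarantined paths)."""
    files = GENERATIONS[generation]
    bad = set(scan(files, signatures))
    return {p: d for p, d in files.items() if p not in bad}, sorted(bad)


def clean_generations(signatures: set[str]) -> list[date]:
    """Generations with no flagged file: the only candidates for a full restore."""
    return [gen for gen, files in GENERATIONS.items() if not scan(files, signatures)]


if __name__ == "__main__":
    latest = max(GENERATIONS)
    print("flagged at backup time:", scan(GENERATIONS[latest], SIGS_AT_BACKUP))
    restored, quarantined = restore(latest, SIGS_AT_RESTORE)
    print("restored:", sorted(restored), "quarantined:", quarantined)
    print("clean generations:", clean_generations(SIGS_AT_RESTORE))
```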
What to Do to Prevent Weekend and Holiday Ransomware Attacks
Your systems and network security personnel should know the kind of ransomware threats that are likely to strike and when they are most vulnerable. They need to understand that weekends and holidays are ideal times for the execution of ransomware.
Get security staff to be present over the holidays – Organizations should ensure sufficient network and security personnel are on standby to take care of network security issues during weekends and holidays.
Holiday attack response plan – There should be a holiday or weekend response plan for ransomware so that an organization isn’t unprepared for an attack.
Lock down RDP access – The organization should lock down RDP access. Securing remote desktops for administrators is important. It’s highly recommended that you use an RDP Gateway to restrict RDP access to servers and desktops. Two-factor authentication, stronger passwords, and keeping software updated are further measures an organization can take. Make sure you monitor RDP sessions to identify anomalies.
Use Deep MFA – Employ advanced task-based multi-factor authentication to protect backup systems.
Protect backup data – Use bi-directional, advanced malware scanning for backup data.
Watch out for network anomalies – You should look for indicators of suspicious activity, such as an unusual increase in network traffic, an increase in database read volume, and activity at odd times. If you expect a decrease in traffic during holidays and see more, that likely indicates a possible attack.
Staff training before vacations – You should instill good security hygiene before vacations or holidays. That could be short training sessions or internal communications with all employees about making sure their systems are secure before leaving and that whoever covers for them knows what legitimate requests look like. Let them know that they should avoid clicking suspicious links delivered to the organization's email accounts.
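The "watch out for network anomalies" advice above hinges on comparing quiet-period activity against a business-hours baseline rather than a flat threshold. The following is an added example, not Asigra's code: it builds a per-metric baseline from weekday business hours, then flags weekend, holiday or after-hours readings that exceed the reduced volume one should expect at those times. The hourly metric log lines and the holiday set are constructed for the demo.

```python
"""Added example (not Asigra's code): flag weekend/holiday/after-hours
activity that exceeds what the weekday business-hours baseline predicts."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed hourly metric log: "timestamp,metric,value".  May 5-7, 2021
# are Wed-Fri; May 8 is a Saturday; May 9 is Sunday and Mother's Day.
LOG = """\
2021-05-05T10:00,bytes_out,120000
2021-05-05T22:00,bytes_out,15000
2021-05-06T10:00,bytes_out,130000
2021-05-06T22:00,bytes_out,14000
2021-05-07T10:00,db_reads,4000
2021-05-07T23:00,db_reads,500
2021-05-08T10:00,bytes_out,40000
2021-05-09T03:00,db_reads,9000
2021-05-09T03:00,bytes_out,500000
"""
HOLIDAYS = {date(2021, 5, 9)}  # constructed holiday calendar


def parse(log: str):
    """Yield (timestamp, metric, value) for each log line."""
    for line in log.strip().splitlines():
        ts, metric, value = line.split(",")
        yield datetime.fromisoformat(ts), metric, int(value)


def is_quiet(ts: datetime) -> bool:
    """Weekend, holiday, or outside 07:00-19:00: activity should be low."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS or not 7 <= ts.hour < 19


def baseline(log: str) -> dict[str, float]:
    """Mean value per metric over normal weekday business hours."""
    buckets = defaultdict(list)
    for ts, metric, value in parse(log):
        if not is_quiet(ts):
            buckets[metric].append(value)
    return {metric: mean(values) for metric, values in buckets.items()}


def anomalies(log: str, expected_ratio: float = 0.5) -> list[tuple[str, str, int]]:
    """Quiet-time readings above expected_ratio * business-hours mean.
    Traffic should fall on weekends and holidays; seeing more is suspicious."""
    base = baseline(log)
    return [(ts.isoformat(), metric, value)
            for ts, metric, value in parse(log)
            if is_quiet(ts) and metric in base and value > expected_ratio * base[metric]]
```

Only the two 03:00 readings on the Sunday holiday are flagged; the Saturday reading stays under the reduced expectation, and the weekday after-hours readings are normal.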
Get an All-round Network and Systems Security and Protection!
At Asigra, we are dedicated to offering all-around security and protection of your backup systems against ransomware attacks. We know that holiday and weekend ransomware attacks are a real threat.
We offer you concrete security measures and tips to help your organization or business stay protected and avert successful ransomware attacks by cyber actors. Please feel free to contact us for more information and to request a demo.