The US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory cautioning critical infrastructure personnel to remain vigilant against cyber security threats during holidays and adjacent weekends. While specific threats have not yet been identified by the agencies, recent history in 2021 shows that threat actors actively target holidays and weekends, such as Independence Day and Mother’s Day, for launching ransomware.
In addition to maintaining general cybersecurity awareness and maintaining vigilance against social engineering techniques such as phishing scams, fraudulent email from spoofed or compromised trusted parties, unencrypted financial transactions, and unapproved Multi Factor Authorization (MFA) attempts, the advisory recommends organizations:
- Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.
- Implement multi-factor authentication for remote access and administrative accounts.
- Mandate strong passwords and ensure they are not reused across multiple accounts.
- If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
- Remind employees not to click on suspicious links, and conduct exercises to raise awareness.
- Review and update incident response and disaster planning, including communication procedures.
Recent shifts in threat group ransomware strategies indicate the average time to ransom (TTR) of affiliate groups that chose not to exfiltrate data is 2.5 days, with the time between initial exploitation and lateral movement a few hours. Therefore, it is entirely feasible that entire ransomware kill chain could be executed upon an organization’s infrastructure within the time frame of a holiday and holiday weekend. Continuous monitoring by a 24/7 staffed Security Operations Center (SOC) or a third party SOC service provider is essential, as well as a defense in depth strategy that assumes network perimeters can be breached and searches proactively for post exploitation malicious activities.
General recommendations for ransomware can be found at: