Pierluigi Paganini September 01, 2021

The FBI and CISA issued a joint cybersecurity advisory to warn organizations to remain vigilant against ransomware attacks during weekends or holidays.

The FBI and CISA warn organizations to keep high their defenses against ransomware attacks during weekends or holidays.

The government agencies have observed an increase in ransomware attacks occurring on holidays and weekends, the choice of these period is motivated by the lower level of defense due to the reduced presence of the personnel.

“Today, the Federal Bureau of Investigation (FBI) and CISA released a Joint Cybersecurity Advisory (CSA) to urge organizations to ensure they protect themselves against ransomware attacks during holidays and weekends—when offices are normally closed.” reads the advisory published by CISA. “Although FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday, malicious cyber actors have launched serious ransomware attacks during other holidays and weekends in 2021.”

Clearly, the FBI and CISA focus on attacks against organizations in the United States, they proposed as case studies the attacks against Colonial Pipeline, JBS, and Kaseya.

The agencies shared a few examples of attacks orchestrated by ransomware gangs ahead of holidays and weekends:

• In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
• In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
• In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.

The ransomware families that have been most active over the last month are Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, Crysis/Dharma/Phobos.

Most of the attacks leverage phishing and brute-forcing unsecured remote desktop protocol (RDP) endpoints and initial attack vectors to compromise the networks of the organizations and deploy the ransomware.

The FBI and CISA recommend organizations conduct threat hunting on their networks aimed at searching for any signs of threat actor activity to prevent attacks before they occur or to minimize the impact of successful attacks.

“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements of understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.” reads the joint alert.

Experts suggest focusing on:

• Understand the IT environment’s routine activity and architecture by establishing a baseline;
• Review data logs;
• Employ intrusion prevention systems and automated security alerting systems;
• Deploy honeytokens.

Some Indicators of suspicious activity that organizations should look for include:

• Unusual inbound and outbound network traffic,
• Compromise of administrator privileges or escalation of the permissions on an account,
• Theft of login and password credentials,
• Substantial increase in database read volume,
• Geographical irregularities in access and log in patterns,
• Attempted user activity during anomalous logon times, 
• Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and
• Baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.

CISA pointed out that it provides a range cyber hygiene services for free, such as vulnerability scanning and ransomware readiness assessments to help organizations determine their surface of attack and reduce it..

Both agencies also encourage victims of ransomware attacks to share forensic artifacts as part of their incident report, including: 

• Recovered executable file(s),
• Live memory (RAM) capture,
• Images of infected systems,
• Malware samples, and
• Ransom note.

The Joint report provides the following recommendations to the organizations:

• Making an offline backup of your data.
• Avoiding clicking on suspicious links.
• Securing and monitoring Remote Desktop Protocol endpoints.
• Updating OS and software.
• Using strong passwords.
• Using multi-factor authentication.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]