The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) in the USA are urging businesses to be diligent in their network defence practices in the run-up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months.
The FBI said in a statement: "We encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware."
Cyber actors have conducted increasingly impactful attacks against US entities on or around holiday weekends over the last several months. The FBI and CISA say they do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends, especially holiday weekends, as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organisations are at limited capacity for an extended time.
In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and, as a secondary form of extortion, exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organisations, including multiple managed service providers and their customers.
The FBI's Internet Crime Complaint Center (IC3), which provides the public with a source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime, a record number, from the American public in 2020, with reported losses exceeding $4.1 billion. This represents a 69 per cent increase in total complaints from 2019.
The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 per cent increase in the number of incidents, and a 225 per cent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 per cent increase in reporting and a 20 per cent increase in reported losses compared to the same time frame in 2020. The following ransomware variants have been the most frequently reported to the FBI in attacks over the last month:
The destructive impact of ransomware continues to evolve beyond encryption of IT assets. Cyber criminals have increasingly targeted large, lucrative organisations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom. Malicious actors have also added tactics, such as encrypting or deleting system backups, making restoration and recovery more difficult or infeasible for impacted organisations.
Although cyber criminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints. Additional common means of initial infection include deployment of precursor or dropper malware; exploitation of software or operating system vulnerabilities; exploitation of managed service providers with access to customer networks; and the use of valid, stolen credentials, such as those purchased on the dark web.
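One of the two initial access vectors named above, brute forcing of exposed RDP endpoints, is something a defender can watch for directly in authentication logs. The following is an added example, not code from the FBI/CISA advisory or from this article: it runs a sliding-window detector over constructed log records shaped like Windows Security Event ID 4625 (failed logon) and 4624 (successful logon) with Logon Type 10 (RemoteInteractive, i.e. RDP), and tags each alert with whether the burst fell on a weekend, when, as the article notes, IT coverage is typically thin. The record format, the five-minute window, the five-failure threshold and all sample values are assumptions made for this example.

```python
"""Added example (not from the FBI/CISA advisory or the article above):
a small RDP brute-force detector run over constructed log records.
Field layout, thresholds and sample data are assumptions for this example."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|event_id|logon_type|user|source_ip".
# 203.0.113.7 sprays several account names early on a Saturday morning and
# then succeeds; 192.0.2.10 is an ordinary user mistyping a password on a
# weekday; 203.0.113.9 is a network (type 3) logon and not RDP at all.
SAMPLE_LOG = """\
2021-09-04T02:00:01|4625|10|administrator|203.0.113.7
2021-09-04T02:00:03|4625|10|admin|203.0.113.7
2021-09-04T02:00:04|4625|10|backup|203.0.113.7
2021-09-04T02:00:06|4625|10|svc_sql|203.0.113.7
2021-09-04T02:00:08|4625|10|jsmith|203.0.113.7
2021-09-04T02:00:09|4625|10|administrator|203.0.113.7
2021-09-04T02:01:30|4624|10|jsmith|203.0.113.7
2021-09-01T09:15:00|4625|10|jsmith|192.0.2.10
2021-09-01T09:15:20|4625|10|jsmith|192.0.2.10
2021-09-01T09:15:45|4624|10|jsmith|192.0.2.10
2021-09-04T02:00:05|4625|3|jsmith|203.0.113.9
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"          # RemoteInteractive; assumed mapping for this example
WINDOW = timedelta(minutes=5)  # assumed detection window
THRESHOLD = 5                  # assumed failures per window per source


def parse_log(text):
    """Parse the constructed pipe-delimited records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "src": src,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per source IP whose RDP logon failures reach
    `threshold` inside some sliding window of length `window`.

    Severity is 'critical' when a successful RDP logon from the same source
    follows the burst (a guessed password probably worked), else 'high'.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        best = (0, 0, 0)  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e_idx = best
        if count < threshold:
            continue
        burst_end = failures[e_idx]["time"]
        success_after = any(
            e["event_id"] == SUCCESS_LOGON and e["time"] >= burst_end for e in evs
        )
        alerts[src] = {
            "source": src,
            "failures_in_window": count,
            "distinct_users": len({e["user"] for e in failures[s:e_idx + 1]}),
            "weekend": failures[s]["time"].weekday() >= 5,  # Saturday or Sunday
            "severity": "critical" if success_after else "high",
        }
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).values():
        print(alert)
```

On the constructed sample the detector raises a single alert for 203.0.113.7 (six failures against five distinct accounts inside the window, followed by a success, on a Saturday), while the weekday user who mistypes twice stays below the threshold. In production the weekend flag would be extended with an organisation's own holiday calendar so that bursts landing in low-staffing periods are routed to whoever is actually on call.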
In the statement, the FBI and CISA say they "strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches. Payment may also embolden adversaries to target additional organisations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities." The statement added: "Regardless of whether you or your organisation decide to pay the ransom, the FBI and CISA urge you to report ransomware incidents to CISA, a local FBI field office, or by filing a report with IC3 at IC3.gov. Doing so provides the US Government with critical information needed to help victims, track ransomware attackers, hold attackers accountable under US law, and share information to prevent future attacks."