Why ransomware hackers love a holiday weekend

By | September 5, 2021
Gah, don't you miss unstressed travel?
Enlarge / Gah, don’t you miss unstressed travel?
Klaus Vedfelt / Getty Images

On the Friday heading into Memorial Day weekend this year, it was meat processing giant JBS. On the Friday before the Fourth of July, it was IT management software company Kaseya and, by extension, over a thousand businesses of varying size. It remains to be seen whether Labor Day will see a high-profile ransomware meltdown as well, but one thing is clear: Hackers love holidays.

Really, ransomware hackers love regular weekends, too. But a long one? When everyone’s off carousing with family and friends and studiously avoiding anything remotely office-related? That’s the good stuff. And while the trend isn’t new, a joint warning issued this week by the FBI and the Cybersecurity and Infrastructure Security Agency underscores how serious the threat has become.

The appeal to attackers is pretty straightforward. Ransomware can take time to propagate throughout a network, as hackers work to escalate privileges for maximum control over the most systems. The longer it takes for anyone to notice, the more damage they can do. “Generally speaking, the threat actors deploy their ransomware when there is less likelihood of people being around to start pulling plugs,” says Brett Callow, threat analyst at antivirus company Emsisoft. “The less chance of the attack being detected and interrupted.”

Even if it is caught relatively soon, many of the people in charge of dealing with it are potentially poolside, or at the very least harder to get ahold of than they would be on a normal Tuesday afternoon. 

“Intuitively, it makes sense that defenders may be less attentive during holidays, in large part because of decrease in staff,” says Katie Nickels, director of intelligence at security firm Red Canary. “If a major incident occurs during a holiday, it may be more difficult for defenders to bring in necessary personnel to respond quickly.”

It’s those major incidents that likely caught the FBI and CISA’s attention; in addition to the JBS and Kaseya incidents, the devastating Colonial Pipeline attack took place over Mother’s Day weekend. (Not a three-day weekend, but still timed for maximal inconvenience.) The agencies said they don’t have any “specific threat reporting” that a similar attack will take place over Labor Day weekend, but it shouldn’t come as any sort of surprise if one does.

It’s important to remember also that ransomware is a constant threat, and for every headline-grabbing gasoline shortage there are dozens of small businesses at any given time scrambling to send bitcoins to cybercriminals. Victims reported 2,474 ransomware incidents to the FBI’s Internet Crime Complaint Center in 2020, a 20 percent increase over the previous year. Hacker demands tripled in that same timeframe, according to IC3 data. Those attacks weren’t all concentrated around three-day weekends and Hallmark holidays.

In fact, as CISA and the FBI acknowledge, weekends in general tend to be popular with crooks. Callow notes that submissions to ID Ransomware—a service created by security researcher Michael Gillespie that lets you upload ransom notes or encrypted files to figure out what exactly hit you—tend to spike on Mondays, when victims have returned to their offices to find their data encrypted.

Strategic timing on the part of hackers takes other forms, as well. Attacks against schools drop precipitously in the late spring and summer, Callow says, because there’s much less urgency associated with recovery then. When they stole $81 million from Bangladesh Bank, North Korea’s Lazarus Group timed the heist to take advantage not only of differences between Bangladeshi and US weekends—in the former, it’s Friday and Saturday—but also the Lunar New Year, a holiday throughout much of Asia.

It’s true that a handful of large ransomware gangs—DarkSide, Ragnarok, and REvil among them—have dissolved or gone offline lately. Deputy national security adviser Anne Neuberger said at a press briefing Thursday that US intelligence agencies had seen a “reduction” in ransomware recently. But security researchers caution against any sigh of relief. “Ransomware groups like Pysa, Lockbit 2.0, Conti, and many others continue to cause significant damage to organizations,” says Nickels. “Even when one or more dominant families of ransomware goes away, there is usually another right behind it to fill in the gap.” In the same briefing, Neuberger also cautioned organizations to “be on guard” ahead of the long weekend.

Unfortunately, preparing for a potential hack isn’t a matter of battening down various hatches on a Friday afternoon. By then, it’s already too late; attackers tend to lurk in compromised systems and strike at the most opportune moment. The best time for a stringent defense was often weeks before the ransomware actually hits. “Most house break-ins occur in the middle of the day, but you don’t only lock your house then,” says Callow.

That said, there are steps companies and individuals can take to better protect themselves from hacks, both ahead of a long weekend and beyond. The FBI and CISA’s recommendations echo best practices for most cybersecurity situations: Don’t click on suspicious links. Make an offline backup of your data. Use strong passwords. Make sure your software is up to date. Use two-factor authentication. If you use Remote Desktop Protocol—a Microsoft product that has historically proven a popular entry point for attackers—proceed with caution. And maybe keep a few extra people on call this weekend, just in case.

This story first appeared on wired.com.