The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are strongly warning all organizations to be on the alert for “highly impactful” ransomware attacks on U.S. critical infrastructure that could be launched over the Labor Day weekend (September 4-6, 2021) in the United States.
Based on recent history, opportunistic ransomware hijackers like to strike in the middle of the night, over weekends and particularly ahead of holiday weekends when MSSPs, internal security staff and admins may not be on duty. The groundwork for an attack can be laid when no one is looking, and by the time cybersecurity personnel return to work and discover the intrusion, the hijackers may have already encrypted systems.
The good news so far: Neither the FBI nor CISA has any specific information indicating that a cyber attack will occur over the upcoming Labor Day holiday.
There is recent history for the FBI's and CISA's warning:
- July 2, 2021: The Kaseya VSA ransomware attack, carried out by the REvil ransomware group, surfaced just as IT administrators and MSSP staff members were likely heading out for the July 4th extended weekend in the United States.
- May 31, 2021: Meat supplier JBS was attacked over the U.S. Memorial Day weekend by the Sodinokibi/REvil ransomware crew. The attack affected U.S. and Australian meat production facilities and resulted in a complete production stoppage.
- May 7, 2021: Leading into the Mother’s Day weekend, pipeline operator Colonial Pipeline discovered it had been victimized by a devastating attack carried out by the DarkSide ransomware crew. The hijack resulted in a roughly week-long suspension of pipeline operations and threatened gasoline and fuel distribution across the U.S. east coast.
Heading into the U.S. Labor Day weekend, both the FBI and CISA are reminding organizations to “continuously and actively” monitor for ransomware threats during holidays and weekends. They are also calling on organizations to designate IT security employees who will be on call in the event of a ransomware attack. Should an organization get hit, the FBI continues to recommend that victims not pay a ransom. It should be noted, however, that acting against that advice, JBS paid $11 million to the hackers to restore its systems, and Colonial Pipeline paid roughly $4.4 million in bitcoin to the DarkSide syndicate, about half of which (in dollar value at the time) was subsequently recovered by U.S. law enforcement.
How to Reduce Ransomware Attack Threat Risks
To prepare for a potential ransomware attack, the FBI and CISA are recommending organizations engage in preemptive threat hunting on their networks. Here’s their list of suggestions to adopt a proactive threat hunting strategy:
- Understand the IT environment’s routine activity and architecture by establishing a baseline. By implementing a behavior-based analytics approach, an organization can better assess user, endpoint, and network activity patterns.
- Review data logs. Understand what standard performance looks like in comparison to suspicious or anomalous activity.
- Employ intrusion prevention systems and automated security alerting systems, such as security information and event management (SIEM) software, intrusion detection systems (IDS), and endpoint detection and response (EDR) tools.
- Deploy honey tokens and alert on their usage to detect lateral movement.
In addition, threat hunters should look for indicators of suspicious activity, including:
- Unusual inbound and outbound network traffic.
- Compromise of administrator privileges or escalation of the permissions on an account.
- Theft of login and password credentials.
- Substantial increase in database read volume.
- Geographical irregularities in access and log in patterns.
- Attempted user activity during anomalous logon times.
- Requests for directories or files on a web server that are not linked from any of the pages the server publishes.
- Deviations from the baseline in the type and volume of outbound encrypted traffic, since advanced persistent threat actors frequently encrypt data before exfiltrating it.
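The hunting steps above (build a baseline, review logs, alert on honey tokens) and the indicator list can be turned into a small, repeatable script. The following Python is an added, constructed example and is not part of the FBI/CISA guidance or of this article: it builds a per-user baseline of routine logon hours and source countries from a window of known-good events, then sweeps a holiday-weekend window for logons at anomalous hours, geographic irregularities, use of a honey-token (decoy) account, and additions to an administrative group. The log format, the account and group names, the `HOUR_TOLERANCE` slack, and all log lines are assumptions made for illustration.

```python
"""Baseline-driven threat hunting over constructed authentication logs.

Added example (not FBI/CISA material). Log format (assumed):
    <ISO timestamp> <user> <event> <source country> [detail]
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" window used to learn each user's routine.
BASELINE_LOGS = """
2021-08-02T09:05:00 alice LOGON US
2021-08-02T17:40:00 alice LOGON US
2021-08-03T08:55:00 alice LOGON US
2021-08-02T10:12:00 bob LOGON US
2021-08-03T11:30:00 bob LOGON CA
""".strip().splitlines()

# Constructed holiday-weekend window to hunt through.
HUNT_LOGS = """
2021-09-04T03:12:00 alice LOGON US
2021-09-04T03:15:00 alice GROUP_ADD US Domain Admins
2021-09-04T03:20:00 bob LOGON RU
2021-09-05T12:00:00 svc_backup_canary LOGON US
2021-09-05T10:00:00 bob LOGON CA
""".strip().splitlines()

# Decoy accounts that no legitimate process ever uses (assumed names).
HONEY_TOKEN_ACCOUNTS = {"svc_backup_canary"}
# Group memberships that amount to administrator privilege (assumed names).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Hours of slack allowed either side of a user's observed logon window (assumption).
HOUR_TOLERANCE = 2


def parse(line):
    """Split one log line into a record; the trailing detail field is optional."""
    ts, user, event, country, *detail = line.split(" ", 4)
    return {"ts": ts, "user": user, "event": event, "country": country,
            "detail": detail[0] if detail else "",
            "hour": datetime.fromisoformat(ts).hour}


def build_baseline(lines):
    """Per-user routine: the logon hours and source countries seen in the baseline window."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for rec in map(parse, lines):
        if rec["event"] == "LOGON":
            baseline[rec["user"]]["hours"].add(rec["hour"])
            baseline[rec["user"]]["countries"].add(rec["country"])
    return baseline


def hunt(baseline_lines, hunt_lines):
    """Return a list of findings, one per indicator triggered by a hunt-window record."""
    baseline = build_baseline(baseline_lines)
    findings = []

    def flag(rule, rec, note):
        findings.append({"rule": rule, "user": rec["user"], "ts": rec["ts"], "note": note})

    for rec in map(parse, hunt_lines):
        # Any use of a honey token is suspicious by definition: nobody should know it exists.
        if rec["user"] in HONEY_TOKEN_ACCOUNTS:
            flag("honey_token", rec, "decoy account used; likely credential theft or lateral movement")
            continue
        # Escalation of an account's permissions into an admin group.
        if rec["event"] == "GROUP_ADD" and rec["detail"] in ADMIN_GROUPS:
            flag("privilege_escalation", rec, f"account added to {rec['detail']}")
            continue
        if rec["event"] != "LOGON":
            continue
        profile = baseline.get(rec["user"])
        if profile is None:
            flag("no_baseline", rec, "account never seen in the baseline window")
            continue
        lo = min(profile["hours"]) - HOUR_TOLERANCE
        hi = max(profile["hours"]) + HOUR_TOLERANCE
        if not lo <= rec["hour"] <= hi:
            flag("anomalous_hour", rec,
                 f"logon at {rec['hour']:02d}:00, routine window {lo:02d}-{hi:02d}")
        if rec["country"] not in profile["countries"]:
            flag("new_geo", rec,
                 f"source {rec['country']}, routine {sorted(profile['countries'])}")
    return findings


if __name__ == "__main__":
    for f in hunt(BASELINE_LOGS, HUNT_LOGS):
        print(f"[{f['rule']}] {f['ts']} {f['user']}: {f['note']}")
```

Run against the constructed data, the sweep flags alice's 03:12 logon and her addition to Domain Admins three minutes later, bob's 03:20 logon from a country never seen in his baseline, and the honey-token account, while bob's routine 10:00 logon from Canada passes. In a SIEM the same rules would be expressed as correlation searches against real authentication events, with the baseline refreshed on a rolling window rather than hard-coded.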
CISA has published a ransomware guide for organizations to learn about cybersecurity best practices along with a checklist of mitigations to follow.
President Biden: Executive Order on Cybersecurity and Cyberattack Response Efforts
Meanwhile, President Biden in May 2021 signed a cybersecurity executive order (EO 14028, “Improving the Nation’s Cybersecurity”) focused on improving the nation’s cyber posture, threat intelligence sharing and cyber attack response efforts. The order could accelerate cyber incident information sharing between IT service providers, cloud service providers, software companies and various federal government agencies. Since then, lawmakers, the Biden Administration and federal agencies have taken additional steps to fortify the nation’s cyber defenses against ransomware attacks on critical infrastructure.