As the Labor Day weekend approaches, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are warning U.S. entities to remain alert and protect against the rising incidence of ransomware attacks over holidays and weekends. A joint cybersecurity advisory issued on August 31, 2021 reviews recent ransomware attacks that occurred over holiday weekends, describes some of the tactics, techniques, and procedures commonly used by ransomware attackers, and offers some best practices and mitigation strategies for entities that experience a ransomware or other data security incident. As ransomware and other types of cyberattacks become more frequent and sophisticated, and as U.S. and international data security and breach notification laws and reporting requirements become more stringent, it is important for all organizations to implement security programs and incident response plans, continuously assess their programs and plans, and monitor for threats.
According to the advisory, criminal cyberattacks have escalated dramatically in the last year. The number of ransomware attacks in particular increased by 20% including a 225% increase in ransom demands. And these numbers are continuing to rise. Most frequently, ransomware attackers use phishing or brute force on unsecured remote desktop protocol (RDP) endpoints to gain network access. Other common techniques identified in the advisory include precursor or dropper malware, exploitation of software or operating system vulnerabilities, exploitation of service providers with access to networks, and use of stolen credentials.
When cybercriminals infiltrate networks and databases, they often gain unauthorized access to personal information, including sensitive personal information like Social Security numbers, banking or credit card account information, and health information. Responding to ransomware and other attacks necessarily triggers a company’s data breach response plan.
Responding to any data breach, whether or not it is associated with a ransomware demand, requires good planning so that the organization is positioned to understand and comply with the myriad federal, state, and international notification and reporting requirements. For example, companies that are publicly traded must identify material risks to the business in their periodic reports to the U.S. Securities and Exchange Commission, and the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act impose notification and reporting requirements that may apply depending on the types of information compromised. In addition, many states have adopted a data security law, and all 50 states have enacted a data breach notification law (for an overview of U.S. data breach notification laws, click here).
The joint cybersecurity advisory offers the following guidance to minimize attacks:
- Establish a baseline understanding of the network architecture and routine activity;
- Review data logs to compare standard performance to suspicious or anomalous activity;
- Watch out for unusual inbound and outbound network traffic, compromised administrator privileges or escalation of permissions on an account, theft of login and password credentials, a substantial increase in database read volume, geographical irregularities in access and login patterns, attempted user activity during anomalous logon times, and attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and baseline deviations in the type of outbound encrypted traffic;
- Use intrusion prevention systems and automated security alerting systems;
- Employ honeytokens to track data outside the network; and
- Use cyber hygiene services.
The FBI and CISA also advise that organizations implement mitigation strategies to reduce the likelihood of compromise and loss in the event of an attack, such as the following:
- Continuously and actively monitor for ransomware threats over holidays and weekends, and assign IT security employees who will be “on call” during these times;
- Make an offline data backup;
- Advise individuals to not click on suspicious links;
- Secure and monitor RDP or other potentially risky services;
- Update the organization’s operating system (OS) and software;
- Scan for vulnerabilities;
- Require strong passwords;
- Use multifactor identification;
- Secure network(s): implement segmentation, filter traffic, and scan ports;
- Secure user accounts; and
- Implement an incident response plan.
In the event of a ransomware attack, the FBI and CISA recommend turning off all networked devices and isolating the infected system from all networks and any other potential networking capabilities.
The pre-Labor Day joint cybersecurity advisory is a timely reminder that because cybercriminals increasingly target organizations over holidays and weekends when staffing may be reduced, it is important that organizations never drop their guard and continue to monitor for and defend against attacks. Ensuring that strong preventative and mitigation strategies are in place will help businesses avoid missteps that make their networks vulnerable to attack. As the saying goes, an ounce of prevention is worth a pound of cure.