Babuk Ransomware Actors Compromised Washington D.C. Police's Systems
Last updated September 17, 2021
On Monday, September 6, 2021, the United States will celebrate Labor Day, the federal holiday that honors and recognizes the workers' movement and the laborers' contribution to the country's greatness. As with every holiday, organizations will be running on emergency personnel only, which means understaffed IT teams at agencies and companies. Ransomware actors see this as an excellent opportunity to launch attacks, and CISA's (Cybersecurity and Infrastructure Security Agency) latest alert underlines this fact and warns about the risks.
While CISA and the FBI clarify that they have no specific intelligence on an upcoming cyberattack during the Labor Day holiday, they consider it a very high possibility based on the tactics and procedures these actors have followed during other holidays and weekends over the past couple of months. This is made worse by the fact that Labor Day falls on a Monday, and during a period when a considerable number of people choose to take their vacation.
As such, everyone is urged to update their software tools and operating systems, scan their networks for vulnerabilities, use MFA everywhere, implement network segmentation, make offline backups of important data, and develop an incident response plan, even though we're only days away from the holiday. If an attack begins to unfold, the infected systems should be isolated, and all computers on the network should be turned off immediately.
Bill O’Neill, Vice President of Public Sector at ThycoticCentrify, told us:
Obviously, the solution can't be to force all IT team members to give up Labor Day and work through it, but treating the chance of a ransomware attack as a certainty changes the defenders' stance. This is what CISA's alert is aiming for, and it contains links to various resources and guides on how to properly shield systems against these actors.
Finally, it is important to note that many ransomware actors establish a presence in a victim's systems long before they encrypt files locally, so there are many groups out there that already have access to corporate networks and are simply waiting for September 6 to initiate the encryption process. To figure out whether you have an intrusion, check the logs for unusual network communications or increased CPU and disk activity.
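The log check described above can be turned into a small baseline-and-compare script. The following is an added example, not code from the article or from CISA; the log line format (`timestamp src_ip dst_ip:port bytes_out`), the sample entries, the off-hours window and the volume threshold are all constructed assumptions for illustration. It builds a per-host baseline from a normal week's outbound connections and then flags holiday-weekend events that hit a destination the host has never contacted, move far more data than the host's usual connections, fall outside working hours, or come from a host with no baseline at all.

```python
"""Flag unusual outbound network activity by comparing holiday logs to a baseline.

Added example (not from the original article). The log format, thresholds and
sample data below are assumptions; adapt parse() to your own firewall or proxy export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_ip>:<port> <bytes_out>"
# Baseline window: a normal working week before the holiday.
BASELINE_LOG = """\
2021-08-30T09:12:01 10.0.0.5 203.0.113.10:443 1200
2021-08-30T10:45:13 10.0.0.5 203.0.113.10:443 980
2021-08-31T11:02:44 10.0.0.5 203.0.113.11:443 1500
2021-08-31T14:20:09 10.0.0.7 203.0.113.10:443 2200
2021-09-01T09:30:00 10.0.0.7 203.0.113.12:443 1750
2021-09-02T16:05:27 10.0.0.5 203.0.113.11:443 1100
"""

# Constructed holiday-weekend window, including one malformed line the parser skips.
HOLIDAY_LOG = """\
2021-09-06T02:14:33 10.0.0.5 198.51.100.77:443 52000000
2021-09-06T02:15:10 10.0.0.5 198.51.100.77:443 48000000
malformed entry
2021-09-06T10:00:05 10.0.0.7 203.0.113.10:443 2100
2021-09-06T03:40:51 10.0.0.9 203.0.113.10:443 900
"""


def parse(log_text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            dst_ip, dst_port = parts[2].rsplit(":", 1)
            events.append({"ts": ts, "src": parts[1], "dst": dst_ip,
                           "port": int(dst_port), "bytes": int(parts[3])})
        except ValueError:
            continue
    return events


def build_baseline(events):
    """Per source host: the set of destinations seen and the median bytes per connection."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for e in events:
        dests[e["src"]].add(e["dst"])
        sizes[e["src"]].append(e["bytes"])
    return {src: {"dests": dests[src], "median_bytes": median(sizes[src])}
            for src in dests}


def find_anomalies(events, baseline, off_hours=(22, 6), volume_factor=100):
    """Return (src, timestamp, reasons) tuples for events that deviate from the baseline.

    off_hours is a (start_hour, end_hour) window wrapping midnight; volume_factor is
    how many times the host's median connection size counts as suspicious (assumed values).
    """
    findings = []
    start, end = off_hours
    for e in events:
        reasons = []
        hour = e["ts"].hour
        if hour >= start or hour < end:
            reasons.append("off-hours activity")
        base = baseline.get(e["src"])
        if base is None:
            reasons.append("host absent from baseline")
        else:
            if e["dst"] not in base["dests"]:
                reasons.append(f"new destination {e['dst']}")
            if e["bytes"] > volume_factor * base["median_bytes"]:
                reasons.append(f"outbound volume {e['bytes']} bytes")
        if reasons:
            findings.append((e["src"], e["ts"].isoformat(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for src, when, why in find_anomalies(parse(HOLIDAY_LOG), baseline):
        print(f"{when} {src}: {why}")
```

On the sample data the script reports the two large early-morning transfers from 10.0.0.5 to a never-seen destination and the off-hours activity from the unknown host 10.0.0.9, while the routine daytime connection from 10.0.0.7 produces nothing. A real deployment would feed it a week or more of baseline and tune the thresholds per host class; the point is that "unusual" only becomes detectable once you have recorded what usual looks like.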