For many, the summer months should be a time of peace: Maybe taking some vacation, maybe strolling across warm, soft sands as sapphire waves lap up against your feet, maybe even spending time with family (that you like).
But for determined cybercriminals, these periods of near-universal rest and relaxation are actually moments of attack.
In particular, ransomware gangs have shown a nasty habit of starting their attacks at the least convenient times: When computers are idle, when employees who might notice a problem are out of the office, and when the IT or security staff who might deal with it are shorthanded.
Cybercriminals like to attack at night and at weekends, and they love holidays and special events. On the July 4 weekend in 2021, the REvil ransomware gang was likely hosting its own celebrations after pulling off an enormous supply-chain attack on Kaseya, one of the biggest IT solutions providers in the US for managed service providers (MSPs). Threat actors used a Kaseya VSA auto-update to push ransomware into more than 1,000 businesses.
But it isn’t just holiday weekends that cybercriminals leverage for attacks. They can also likely predict when IT professionals go on vacation—the summer.
Why out-of-office attacks work
Ransomware works by encrypting huge numbers of files on as many of an organization’s computers as possible. Performing this kind of strong encryption is resource intensive and can take a long time, so even if an organization doesn’t spot the malware used in an attack, its tools might notice that something is amiss.
“You never think you’re gonna be hit by ransomware,” said Ski Kacoroski, a system administrator with the Northshore School District in Washington state, speaking on Malwarebytes’ Lock & Code podcast. On the podcast, Kacoroski spoke about Northshore’s nighttime attack:
“It was an early Saturday morning. I got a text from my manager saying ‘something is up’…after a short while I realized that [a] server had been hit by ransomware. It took us several more hours before we realized exactly how much had been hit.”
Kacaroski added “We had some high CPU utilizations alert the night before when they started their attack, but most of us were already asleep by midnight.”
When REvil first attacked Kaseya in 2021, Malwarebytes Labs relied on the expertise of Adam Kujawa, a cybersecurity evangelist, to understand what steps organizations should take to minimize the chance that a holiday weekend could be ruined by a cyberattack. That advice is still good today—including for any IT or security employee going on vacation—so we’re offering it again for readers.
Do these before leaving for vacation
- Run a deep scan on all endpoints, servers, and interconnected systems to ensure there are no threats lurking on those systems, waiting to attack!
- Once you know those systems are clean, force a password change a week or two out from the holiday or vacation time so any guessed or stolen credentials are rendered useless.
- Employ stricter access requirements for sensitive data, such as multi-factor authentication (MFA), Manager Authorization, and requiring a local network connection. Although this will make it a more difficult for employees (for a short amount of time), this will also make it significantly more difficult for attackers to traverse networks and gain access to unauthorized data. Once the holiday or vacation time ends, you can revert these policies since you’ll have more eyes to watch out for threats.
- Provide guidance to employees on not posting about vacations and/or holiday plans on social media.
- Provide free—or free for a limited time—security software to employees to use on personal systems
- Ensure all remotely accessible connections (e.g., VPNs, RDP connections) are secured with MFA.
Schedule these during vacation
- Ensure all non-essential systems and endpoints are shut down at the end of the day.
- Reduce risk by disabling or shutting down systems and/or processes which might be exploitable, if they aren’t needed.
- Ensure there is always someone watching the network during the holiday or planned vacation, and make sure they are equipped to handle a sudden attack situation. We suggest creating a cyberattack reaction and recovery plan that includes call sheets, procedures on communicating with law enforcement and collecting evidence, and what systems can be isolated or shut down without seriously affecting the operations of the organization.
“The only mistake in life is a lesson not learned”
When we asked Kacaroski why he came forward to tell his ransomware story when many others are reluctant to, he told us: “The only mistake in life is a lesson not learned.”
A lesson we can all learn here is that cybercriminals are not reluctant to ruin somebody’s vacation plans. So don’t wait for an attack to happen to your organization before you decide you need to be ready. Prepare now, and enjoy uninterrupted peace of mind during your vacation.
Ready to learn more about staying safe before heading out on vacation? Read more at our “Stay on Vacation” hub:
Stay on vacation