Sep 1, 2023 - Technology

Staying on alert for after-hours cyberattacks

Illustration: Sarah Grillo/Axios

Cybersecurity professionals heading out for Labor Day weekend can't rest too easy: Ransomware hackers love to strike while they're away.

Why it matters: Only the most cyber-aware companies typically have tools in place to monitor their networks for suspicious activity 24 hours a day, seven days a week.

  • Everyone else leaves their networks unsupervised over the weekends — giving malicious actors unfettered access for days to roam around and extract sensitive data without being detected.

The big picture: Ransomware gangs will often wait until the weekends or after normal business hours to deploy their file-encrypting malware that locks everyone else out of a company's systems.

  • But they're usually lying in wait inside those corporate networks for days or weeks before making themselves known — giving defenders a shot at catching them before leaving the office.

By the numbers: 43% of ransomware attacks in the first half of 2023 saw the ransomware deployed on a Friday or Saturday, according to a Sophos report released last week.

  • 81% of all ransomware during that period was deployed outside of traditional business hours, the report found.

Flashback: Some of the highest-profile cyberattacks in recent years started over the weekend — including holiday weekends.

Between the lines: The dwell time between when a hacker breaks into a network and when they deploy ransomware has shortened in the last year.

  • On average, ransomware hackers waited just five days in the first half of 2023 before deploying the file-encrypting malware, according to Sophos' data. That's down from last year's nine-day average.
  • This leaves defenders with less time to investigate signs of suspicious activity before an attack starts, Chester Wisniewski, field CTO at Sophos, told Axios.

The intrigue: Making moves outside of U.S. business hours not only helps ransomware gangs go undetected, but has an added benefit for gangs based in Russia — a hotbed for ransomware activity.

  • "That happens to be working Moscow hours, it turns out," Wisniewski said.

Yes, but: Law enforcement officials have gotten better at quickly identifying and dismantling the internet infrastructure that ransomware gangs rely on.

  • This week, the FBI unveiled an operation that dismantled one of the world's largest botnets, Qakbot — which several high-profile ransomware gangs relied on in their attacks.
  • Botnets like Qakbot are one of the main ways that ransomware gangs gain those initial footholds in a corporate network.

Be smart: Companies need to thoroughly investigate every security alert they received this week and might get over the holiday weekend, Wisniewski said.

  • "One of the biggest mistakes I see organizations making is thinking that an alert from their security tools is the end of an incident, rather than the beginning," Wisniewski said.
  • Unlike the alerts organizations got from antivirus firewalls a decade ago, today's security alerts are the equivalent of "the criminal tripping over the tripwire coming in the door," he added.
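The article's practical point is that an after-hours alert deserves more, not less, attention, because nobody is watching and the dwell time before encryption is now measured in days. The following is an added example (not code from Axios or Sophos) of a small triage helper a SOC could run over its alert queue: it converts each alert's UTC timestamp into the organisation's local time, flags anything that fired on a weekend or outside the staffed window, bumps its severity so it is not left until Tuesday, and reports the share of alerts that landed in the Friday/Saturday window the Sophos figures describe. The business-hours window, the timezone, the severity ladder and the sample alerts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Assumed staffed window for this example: Mon-Fri, 09:00-17:00 local time.
BUSINESS_START = time(9, 0)
BUSINESS_END = time(17, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # Monday=0 .. Friday=4
FRI_SAT = {4, 5}                  # the deployment window the Sophos stat refers to

# Assumed escalation ladder: an unattended alert is raised one level.
ESCALATE = {"low": "medium", "medium": "high", "high": "critical", "critical": "critical"}


@dataclass
class Alert:
    alert_id: str
    source: str
    timestamp_utc: str  # ISO 8601, UTC, e.g. "2023-09-01T06:00:00Z"
    severity: str       # one of ESCALATE's keys


def to_local(ts_utc: str, org_tz: str) -> datetime:
    """Parse a UTC ISO timestamp and convert it to the organisation's zone."""
    ts = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return ts.astimezone(ZoneInfo(org_tz))


def is_after_hours(ts_utc: str, org_tz: str = "America/New_York") -> bool:
    """True when the alert fired on a weekend or outside the staffed window."""
    local = to_local(ts_utc, org_tz)
    if local.weekday() not in BUSINESS_DAYS:
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def triage(alerts: list[Alert], org_tz: str = "America/New_York") -> list[dict]:
    """Tag each alert with its local time, an after-hours flag and an escalated severity."""
    rows = []
    for a in alerts:
        after = is_after_hours(a.timestamp_utc, org_tz)
        rows.append({
            "alert_id": a.alert_id,
            "source": a.source,
            "local_time": to_local(a.timestamp_utc, org_tz).strftime("%a %Y-%m-%d %H:%M"),
            "after_hours": after,
            # Unattended alerts are bumped one level so they are worked, not parked.
            "priority": ESCALATE[a.severity] if after else a.severity,
        })
    return rows


def after_hours_fraction(alerts: list[Alert], org_tz: str = "America/New_York") -> float:
    """Share of alerts that fired outside the staffed window (the 81% figure, locally)."""
    if not alerts:
        return 0.0
    return sum(is_after_hours(a.timestamp_utc, org_tz) for a in alerts) / len(alerts)


def fri_sat_fraction(alerts: list[Alert], org_tz: str = "America/New_York") -> float:
    """Share of alerts whose local weekday is Friday or Saturday (the 43% figure, locally)."""
    if not alerts:
        return 0.0
    hits = sum(to_local(a.timestamp_utc, org_tz).weekday() in FRI_SAT for a in alerts)
    return hits / len(alerts)


# Constructed sample alert queue spanning the Thursday-to-Saturday before Labor Day 2023.
SAMPLE_ALERTS = [
    Alert("a1", "edr", "2023-08-31T14:30:00Z", "low"),      # Thu 10:30 EDT, in hours
    Alert("a2", "edr", "2023-09-01T06:00:00Z", "medium"),   # Fri 02:00 EDT, 09:00 Moscow
    Alert("a3", "vpn", "2023-09-02T15:00:00Z", "high"),     # Sat 11:00 EDT, weekend
    Alert("a4", "mail", "2023-09-01T19:30:00Z", "low"),     # Fri 15:30 EDT, in hours
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
    print(f"after-hours share: {after_hours_fraction(SAMPLE_ALERTS):.0%}")
    print(f"Fri/Sat share:     {fri_sat_fraction(SAMPLE_ALERTS):.0%}")
```

Alert `a2` illustrates the timezone remark in the article: the same timestamp that is 02:00 on a Friday in New York is 09:00 in Moscow, so `is_after_hours` returns True for the US zone and False for `Europe/Moscow`. In practice the escalated priority would feed whatever paging or ticketing system the SOC already uses; the point of the helper is that the after-hours flag is computed once, in the organisation's own zone, rather than eyeballed from UTC log lines.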
