Staying on alert for after-hours cyberattacks
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Sarah Grillo/Axios
Cybersecurity professionals heading out for Labor Day weekend can't rest too easy: Ransomware hackers love to strike while they're away.
Why it matters: Only the most cyber-aware companies typically have tools in place to monitor their networks for suspicious activity 24 hours a day, seven days a week.
- Everyone else leaves their networks unsupervised over the weekends — giving malicious actors unfettered access for days to roam around and extract sensitive data without being detected.
The big picture: Ransomware gangs will often wait until the weekends or after normal business hours to deploy their file-encrypting malware that locks everyone else out of a company's systems.
- But they're usually lying in wait inside those corporate networks for days or weeks before making themselves known — giving defenders a shot at catching them before leaving the office.
By the numbers: 43% of ransomware attacks in the first half of 2023 saw the ransomware deployed on a Friday or Saturday, according to a Sophos report released last week.
- 81% of all ransomware during that period was deployed outside of traditional business hours, the report found.
Flashback: Some of the highest-profile cyberattacks in recent years started over the weekend — including holiday weekends.
- The Los Angeles Unified School District, the second-largest school district in the U.S., identified a ransomware attack on its networks over last year's Labor Day weekend.
- JBS Foods, the world's largest meatpacker, suffered a ransomware attack that disrupted its North American productions during Memorial Day weekend in 2021.
- And Colonial Pipeline saw the first signs of its May 2021 ransomware attack on a Friday.
Between the lines: The dwell time between when a hacker breaks into a network and when they deploy ransomware has shortened in the last year.
- On average, ransomware hackers waited just five days in the first half of 2023 before deploying the file-encrypting malware, according to Sophos' data. That's down from last year's nine-day average.
- This leaves defenders with less time to investigate signs of suspicious activity before an attack starts, Chester Wisniewski, field CTO at Sophos, told Axios.
The intrigue: Making moves outside of U.S. business hours not only helps ransomware gangs go undetected, but has an added benefit for gangs based in Russia — a hotbed for ransomware activity.
- "That happens to be working Moscow hours, it turns out," Wisniewski said.
Yes, but: Law enforcement officials have gotten better at quickly identifying and dismantling the internet infrastructure that ransomware gangs rely on.
- This week, the FBI unveiled an operation that dismantled one of the world's largest botnets, Qakbot — which several high-profile ransomware gangs relied on in their attacks.
- Botnets like Qakbot are one of the main ways that ransomware gangs gain those initial footholds in a corporate network.
Be smart: Companies need to thoroughly investigate every security alert they received this week and might get over the holiday weekend, Wisniewski said.
- "One of the biggest mistakes I see organizations making is thinking that an alert from their security tools is the end of an incident, rather than the beginning," Wisniewski said.
- Unlike the alerts organizations got from antivirus firewalls a decade ago, today's security alerts are the equivalent of "the criminal tripping over the tripwire coming in the door," he added.
Sign up for Axios' cybersecurity newsletter Codebook here
