Staying on alert for after-hours cyberattacks
- Sam Sabin, author of Axios Codebook

Cybersecurity professionals heading out for Labor Day weekend can't rest too easy: Ransomware hackers love to strike while they're away.
Why it matters: Only the most cyber-aware companies typically have tools in place to monitor their networks for suspicious activity 24 hours a day, seven days a week.
- Everyone else leaves their networks unsupervised over the weekends — giving malicious actors unfettered access for days to roam around and extract sensitive data without being detected.
The big picture: Ransomware gangs will often wait until the weekends or after normal business hours to deploy their file-encrypting malware that locks everyone else out of a company's systems.
- But they're usually lying in wait inside those corporate networks for days or weeks before making themselves known — giving defenders a window to catch them during the working week, before everyone heads out for the weekend.
By the numbers: 43% of ransomware attacks in the first half of 2023 saw the ransomware deployed on a Friday or Saturday, according to a Sophos report released last week.
- 81% of all ransomware during that period was deployed outside of traditional business hours, the report found.
Flashback: Some of the highest-profile cyberattacks in recent years started over the weekend — including holiday weekends.
- The Los Angeles Unified School District, the second-largest school district in the U.S., identified a ransomware attack on its networks over last year's Labor Day weekend.
- JBS Foods, the world's largest meatpacker, suffered a ransomware attack that disrupted its North American production during Memorial Day weekend in 2021.
- And Colonial Pipeline saw the first signs of its May 2021 ransomware attack on a Friday.
Between the lines: The dwell time between when a hacker breaks into a network and when they deploy ransomware has shortened in the last year.
- On average, ransomware hackers waited just five days in the first half of 2023 before deploying the file-encrypting malware, according to Sophos' data. That's down from last year's nine-day average.
- This leaves defenders with less time to investigate signs of suspicious activity before an attack starts, Chester Wisniewski, field CTO at Sophos, told Axios.
The intrigue: Making moves outside of U.S. business hours not only helps ransomware gangs go undetected, but has an added benefit for gangs based in Russia — a hotbed for ransomware activity.
- "That happens to be working Moscow hours, it turns out," Wisniewski said.
Yes, but: Law enforcement officials have gotten better at quickly identifying and dismantling the internet infrastructure that ransomware gangs rely on.
- This week, the FBI unveiled an operation that dismantled one of the world's largest botnets, Qakbot — which several high-profile ransomware gangs relied on in their attacks.
- Botnets like Qakbot are one of the main ways ransomware gangs gain an initial foothold in a corporate network.
Be smart: Companies need to thoroughly investigate every security alert they have received this week and any they get over the holiday weekend, Wisniewski said.
- "One of the biggest mistakes I see organizations making is thinking that an alert from their security tools is the end of an incident, rather than the beginning," Wisniewski said.
- Unlike the alerts organizations got from antivirus software and firewalls a decade ago, today's security alerts are the equivalent of "the criminal tripping over the tripwire coming in the door," he added.