Ransomware Strikes when Organizations Unknowingly Open the Door

Nov. 27, 2024
How holidays, weekends and events such as mergers leave systems vulnerable.

The cyber threat landscape never sleeps, but threat actors are always looking to catch their victims napping.

Ransomware gangs are relentless and increasingly sophisticated, but they still look for the path of least resistance, regularly taking advantage of opportunities when organizations drop their guard, such as on weekends, holidays, or other times of distraction, according to new research by Semperis.

The recently released 2024 Ransomware Holiday Risk Report, which surveyed 900 IT and security leaders, found that:

  • 86% of study participants who experienced a ransomware attack were targeted on a weekend or holiday.
  • Although almost all organizations maintain a security operations center (SOC), 85% of them reduced SOC staffing by as much as 50% on weekends and holidays. Surprisingly, 5% of survey respondents said they had no one in their SOCs during those times.
  • 63% experienced a ransomware attack following a material corporate event, such as a merger, acquisition, IPO, or workforce restructuring.

It’s clear that special events and periods of traditional downtime hold just the opportunities that ransomware gangs and other threat actors seek. But how do they operate, and what do they target?

Attackers Play the Waiting Game, Target Identities

Ransomware attackers operate clandestinely, whether posing as legitimate users to get past Zero Trust defenses or using an attack like DCShadow to compromise Active Directory (AD) and bypass detection mechanisms.

“Sophisticated criminal organizations exercise patience,” shared Chris Inglis, Semperis Strategic Advisor and former U.S. National Cyber Director, in the report.

Ransomware attackers who gain access will stealthily position themselves in the network and wait for an opportune time to launch their attack, such as when SOCs are understaffed or distracted. “Suddenly, you're being attacked literally from the inside,” Inglis said.

User identities are a prime target for these ransomware operators, who compromise user credentials to gain access and escalate permissions. Yet many organizations overestimate their identity defenses. Although 81% of respondents believed they could protect against identity-related attacks, 83% have suffered a successful ransomware attack within the past 12 months.

Attackers also like to strike when confusion reigns on the network. A merger, for example, can leave organizations vulnerable while companies combine their infrastructures. If one company has a weaker security posture, attackers can exploit it to gain access and infiltrate a more secure environment.

Ideally, each company’s security posture is assessed before connecting the systems; however, this type of due diligence can be passed over while the parties focus on financial or operational concerns. Meanwhile, unusual network activity can become “normal” during an acquisition, making it difficult for systems that use behavioral analytics to detect suspicious behavior.

In the event of a breach when a merger or acquisition is pending, ransomware operators can also count on collecting ransom quickly because companies are anxious to make the problem disappear and get on with the transaction.

3 Steps to Keeping Your Guard Up

Organizations can protect themselves from these opportunistic attacks by taking three initial steps.

1. Recognize security as a business priority.

C-suite executives must see cybersecurity as an imperative for business. Security risk must be as much a part of an organization’s resilience plan as operational risk. Corporate boards need to understand the organization’s level of risk and which systems would cripple the organization if they were compromised. That can help leaders identify critical components that need strengthening, such as Active Directory and other identity systems.

2. Offset security staffing challenges.

A fully staffed SOC on holidays and weekends may be ideal, but it’s not practical because of financial and cultural concerns. However, dedicated identity threat detection and response solutions and agreements with trusted partners can help make up the difference.

An automated system that provides audits and alerts, detects attack patterns, suspends anomalous changes to Active Directory, or even recovers AD outright, can help organizations respond to and recover from attacks quickly when staffing levels are low.

Organizations that outsource SOC operations need a provider with these offerings and a documented identity recovery plan. For that matter, organizations with in-house SOCs should have the same capability.
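The kind of automated check described above can be illustrated with a small triage script. This is an added example, not a Semperis product or any code from the report: it reads constructed Active Directory group-change audit lines, flags changes to privileged groups that land on weekends, listed holidays, or outside business hours, and returns the records that should page an on-call responder. The privileged-group list, holiday calendar, business-hours window, and log format are all assumptions chosen for the example.

```python
"""
Off-hours Active Directory change triage.

Flags privileged-group membership changes that occur on weekends, holidays,
or outside business hours, the windows in which SOC staffing is typically
reduced. Added example, not a Semperis product or script; every log line
below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, time

# Groups whose membership changes warrant immediate review (assumed list).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
}

# Organization-specific holiday calendar (constructed sample: US Thanksgiving
# and Christmas 2024).
HOLIDAYS = {date(2024, 11, 28), date(2024, 12, 25)}

# Assumed business-hours window during which a full SOC shift is on duty.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


@dataclass
class GroupChange:
    when: datetime
    actor: str
    group: str
    member: str
    action: str  # "add" or "remove"


def parse_line(line: str) -> GroupChange:
    """Parse one constructed, pipe-delimited audit line, e.g.
    2024-11-30T02:14:00|svc-backup|Domain Admins|jdoe|add
    """
    ts, actor, group, member, action = line.strip().split("|")
    return GroupChange(datetime.fromisoformat(ts), actor, group, member, action)


def is_off_hours(when: datetime) -> bool:
    """True on weekends, on listed holidays, or outside business hours."""
    if when.weekday() >= 5:  # Saturday == 5, Sunday == 6
        return True
    if when.date() in HOLIDAYS:
        return True
    return not (BUSINESS_START <= when.time() < BUSINESS_END)


def triage(lines):
    """Return the changes that should page an on-call responder: any change
    to a privileged group made during off-hours."""
    findings = []
    for line in lines:
        change = parse_line(line)
        if change.group in PRIVILEGED_GROUPS and is_off_hours(change.when):
            findings.append(change)
    return findings


# Constructed sample audit log (not real data).
SAMPLE_LOG = [
    "2024-11-26T10:05:00|hr-admin|Domain Admins|alice|add",       # Tuesday, business hours
    "2024-11-28T09:30:00|svc-sync|Domain Admins|backup-svc|add",  # Thanksgiving holiday
    "2024-11-30T02:14:00|jdoe|Enterprise Admins|jdoe|add",        # Saturday, 02:14
    "2024-11-30T03:00:00|jdoe|Marketing|bob|remove",              # weekend, non-privileged group
    "2024-12-02T23:45:00|ops-admin|Administrators|carol|add",     # Monday, after hours
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"ALERT {f.when.isoformat()} {f.actor} {f.action} {f.member} -> {f.group}")
```

Run against the sample log, the script flags three of the five changes: the holiday addition to Domain Admins, the Saturday self-addition to Enterprise Admins, and the late-Monday addition to Administrators. The weekday business-hours change and the weekend change to a non-privileged group are left alone. In a real deployment the findings would feed an alerting channel and, for a system that can act on its own, a hold-or-revert step for the flagged change rather than a print statement.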

3. Make identity security a core aspect of every merger or acquisition.

Identity infrastructure should be evaluated as part of financial due diligence before any possible merger or acquisition. If a potential partner's identity systems aren't secure, other security holes are likely present, too. Until you have assessed the other organization's cyber assets, no part of its network should be connected to yours.

“Cyberattacks, including ransomware, often happen in the cracks—during mergers, acquisitions, and layoffs, and in the seams of supplier-vendor relationships,” said Kemba Walden, President of Paladin Global Institute and former Acting U.S. National Cyber Director, in the report. “We need to ensure these cracks are seamless to prevent vulnerabilities.”

About the Author

James Doggett

James Doggett is the CISO at Semperis and a veteran in the information security and risk space. He previously served as a partner at Ernst & Young, where he helped build the company's cybersecurity practice during his 27-year tenure. Before Semperis, Jim worked as CISO and head of US operations at Panaseer. He has also held positions as CTRO at AIG; CSO and CTRO at Kaiser Permanente; and managing director at JP Morgan Chase, where he was the global leader of information risk and resilience, treasury, and security services.