Cybercriminals have a knack for knowing not only how and where but when to kick off a cyberattack. The goal is to catch an organization’s IT and security staff off-guard when they’re unavailable or distracted. That’s why weekends and holidays are an opportune occasion for a ransomware attack when staffers are trying to enjoy personal time with family and friends. A report released Wednesday by Cybereason looks at the threat of holiday-based cyberattacks and offers advice on how to handle them.

For its report Ransomware Attackers Don’t Take Holidays, Cybereason commissioned Censuswide to survey 1,206 cybersecurity professionals employed by organizations with 700 or more employees in the U.S., U.K., France, Germany and other countries. Polled in September of 2021, the respondents all worked for organizations that had been hit by a ransomware attack during a holiday or weekend over the past 12 months.

Among those surveyed, 36% said they believe the ransomware attack on their organization was successful because they had no contingency plan in place and only a small number of staffers were available to respond. Despite the attack, 24% of the respondents said they still lack a plan to deal with attacks during weekends and holidays.

Without a contingency plan, organizations face several obstacles in responding to and recovering from a ransomware attack. Among the respondents, 60% said it took them longer to analyze the scope of the damage, 50% said they needed more time to respond to the attack, and 33% reported that they required a longer period of time to recover from the attack.

Of course, no one likes working weekends or holidays, especially when faced with an emergency or crisis. Some 86% of those surveyed said they had to miss a holiday or weekend activity due to a ransomware attack, a circumstance that can lead to burnout or job dissatisfaction. Further, 70% of the respondents said they’d been intoxicated while dealing with an attack during a weekend or holiday, another complication that can affect the response.

On the plus side, many of the professionals who’ve been hit by weekend or holiday ransomware attacks are getting wiser. Some 68% said they plan to add new security technologies, 51% said they are setting up a contingency plan and 41% said they’re adding additional staff during weekends and holiday periods.

Being ready for a potential attack this holiday season may be even more challenging than in past years. As one respondent said: “This November/December is going to be particularly rough, as it’s going to be the first time some people have been able to see their families since the pandemic began. All of that means that people will be further from the office and less likely to check alerts.”

How to prepare for potential attacks during the holidays

To help your organization deal with a possible ransomware attack during the holidays, Cybereason offers the following tips:

  • Implement an Endpoint Detection and Response solution. Only 36% of respondents said they had EDR technology in place when they were attacked. Such tools can compensate for the limitations of traditional security protection by finding and preventing more types of threats and helping with analysis following an attack.
  • Practice strong cybersecurity hygiene. This means establishing a security awareness and training program for employees, making sure your operating systems and software are regularly patched and using the most effective security products to protect your network.
  • Make sure key staffers can be reached. In the event of a holiday or weekend attack, you need to ensure that your key IT or security personnel are available. During such periods, employees may not respond to email or even answer phone calls. That’s why it’s crucial to set up on-call duty assignments for off-hours so that the right people are accessible.
  • Run periodic table-top exercises. Perform regular drills to include not just your security team but people in Legal, Human Resources, IT support and even the executive suite so all employees know their roles in responding to an attack.
  • Ensure that you can isolate targeted and critical assets. Once a ransomware attack starts, you want to try to stop it before it spreads. As such, your security team should know how to disconnect a host, lock down a compromised system or account, and block a malicious domain. Be sure to test these processes with both scheduled and unscheduled drills at least once every quarter.
  • Review your procedures to lock down critical accounts. To carry out a ransomware attack, the criminals typically escalate privileges until they compromise domain-level admin accounts. Such accounts rarely need to be active during weekends and holidays. Instead, create secure and emergency-only accounts on your domain that can take over when your usual admin accounts are either disabled or inaccessible during an attack.
  • Consider a managed security services provider. If your own organization lacks the personnel necessary to jump in during a holiday or weekend attack, look into an external provider that can act quickly in the event of an emergency.
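As an added illustration of the "lock down critical accounts" tip above (this script is not from the Cybereason report or the article), the following PowerShell disables the standing members of privileged Active Directory groups for a holiday window while refusing to run unless a designated emergency-only account is enabled. The group names, the break-glass account name and the log path are assumptions; it requires the ActiveDirectory (RSAT) module and a privileged session.

```powershell
# Added example, not the article's or Cybereason's own code. Disable standing
# domain-level admin accounts for a holiday window, keeping one labelled
# emergency-only (break-glass) account enabled, and log every change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins'),  # assumed
    [string]$BreakGlassAccount  = 'BG-HolidayAdmin',                       # assumed
    [string]$LogPath            = 'C:\SecOps\holiday-lockdown.csv'         # assumed
)
Import-Module ActiveDirectory -ErrorAction Stop

# Safety check: never lock down admins if the emergency-only account is missing
# or disabled, otherwise nobody could respond during the holiday.
$bg = Get-ADUser -Identity $BreakGlassAccount -Properties Enabled -ErrorAction Stop
if (-not $bg.Enabled) {
    throw "Break-glass account '$BreakGlassAccount' is disabled; aborting lockdown."
}

# Collect user members of the privileged groups (recursive), de-duplicated,
# and exclude the break-glass account from the targets.
$targets = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
}
$targets = $targets | Sort-Object -Property distinguishedName -Unique |
    Where-Object { $_.SamAccountName -ne $BreakGlassAccount }

# Disable each currently enabled admin account; -WhatIf previews without changes.
$log = foreach ($t in $targets) {
    $u = Get-ADUser -Identity $t.distinguishedName -Properties Enabled
    if ($u.Enabled -and $PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable for holiday window')) {
        Disable-ADAccount -Identity $u
        [pscustomobject]@{
            Time    = (Get-Date).ToString('o')
            Account = $u.SamAccountName
            Action  = 'Disabled'
        }
    }
}
# The CSV is the record used to re-enable exactly these accounts afterwards.
$log | Export-Csv -Path $LogPath -NoTypeInformation -Append
```

Run it first with -WhatIf to review the target list; after the holiday window, re-enable the accounts listed in the CSV with Enable-ADAccount rather than re-enabling every privileged account blindly.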

“Cybercriminals understand that most organizations operate with skeleton crews of mostly junior staff or even purely on call during these periods that can give them several hours to inflict maximal damage even if detected by an antivirus or monitoring system,” said Chris Clements, VP of solutions architecture for Cerberus Sentinel.

“The crucial thing to realize is that no one tool is a silver bullet for preventing or responding to a cyberattack,” Clements added. “Rather, it requires a cultural approach to security for an organization to defend against modern threat actors. It requires a holistic approach including skills and awareness training, a review of all areas of the organization that could lead to security vulnerability and layered defenses that assume one or more primary security controls has failed or been bypassed by the attacker in forming a protective strategy.”