"Ransomware Attackers Don’t Take Holidays" [ML B-Side]

Last month, in November of 2021, Cybereason - our show’s sponsor - released a special report titled: “Organizations at Risk: Ransomware Attackers Don’t Take Holidays”, focusing on the threat of ransomware attacks during weekends and holidays. Nate Nelson, our Sr. producer, talked with Ken Westin, Cybereason’s Director of Security Strategy, about why attackers love holidays and weekends, and why ransomware attacks during these times are so effective and dangerous.

The report's URL:

Hosted By

Ran Levi

Exec. Editor at PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Ken Westin

Director of Security Strategy @ Cybereason

Ken has won awards and honors from MIT, Oregon Tech Awards, CTIA, SXSW and was named in Entrepreneur Magazine's "100 Brilliant Companies" and the Business Journal's "Forty Under 40". His work has been featured in Wired, Forbes, New York Times, The Economist, Good Morning America and Dateline NBC and many others. He is regularly reached out to as a subject matter expert in security, privacy, and surveillance technologies.

Episode Transcript:

Transcription edited by Craig Zorn

[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Sides, I’m Ran Levi. Imagine this, it’s Christmas and your family is celebrating the holiday. Maybe it’s snowing outside, but the house is warm and cozy. The kids are joyfully opening their presents, while you and your spouse are sitting on the sofa, maybe enjoying some hot spicy wine. And then your phone rings.

[Cellphone Rings]
[Ran] Hello? It’s the CEO. Damn, a phone call from the CEO on Christmas? That can’t be good. And it isn’t. Five minutes later, you kiss the kids goodbye as you leave the house, rushing back to the office to handle a ransomware attack. There goes the holiday.

The scenario I’ve described is much more common than we usually think it is. Last month, in November of 2021, Cybereason, our show’s sponsor, released a special report titled Organizations At Risk: Ransomware Attackers Don’t Take Holidays, a report focusing on the threat of ransomware attacks during weekends and holidays. According to that research, 86% of responders said they missed a holiday or a weekend activity because of a ransomware attack.

Here’s a real-world example from just a few months back. Kaseya is an IT solutions company catering mainly to managed service providers, MSPs for short, that is, its customers are themselves companies that provide IT management services to other smaller businesses. On July 2, 2021, just two days before Independence Day, Kaseya’s network was breached probably via a vulnerable web interface. The attackers, the notorious REvil group, used the breach to push an automated, fake and malicious software update to Kaseya’s customers.

Kaseya’s incident response team shut down the company’s servers and pulled its data centers offline, but they were too late. An estimated 800 to 1,500 small to medium-sized businesses downstream were hit by the ransomware. For example, a supermarket chain in Sweden was forced to close 800 of its stores since the cash registers were disabled. Kaseya’s CEO said in an interview, quote, “We have about 150 people that have slept probably a grand total of four hours in the last two days, literally, and that will continue until everything is as perfect as can be”. Not a great way to spend the 4th of July holiday, I guess. So with the holidays just around the corner, we’re dedicating this B-side episode to Cybereason’s report.

Nate Nelson, our senior producer, talked with Ken Westin, Cybereason’s Director of Security Strategy, about why attackers love holidays and weekends, and why ransomware attacks during these times are so effective and dangerous. The report itself is available on Cybereason’s blog, and we’ll add a link to it in this episode’s post on our website, malicious.life. Enjoy the interview.

[Ken] My name is Ken Westin. I am a Director of Security Strategy here at Cybereason.

[Nate] First question, why do hackers like holidays?

[Ken] Well, hackers are always trying to go after the easy targets, right? So they realize that on the holidays, that’s when a lot of the companies they’re trying to target have skeleton crews. It’s also when they’re most likely to actually evade detections. There is an actual issue, too: it’s going to take these organizations a lot longer to respond. Particularly around the Christmas holidays, it’s particularly a great time to target folks because a lot of times they’re not paying attention. They’re really distracted with the holidays, you know, gift buying. That just makes folks just an easier target.

[Nate] And what major cyber attacks that we know of occurred over some kind of holiday break?

[Ken] A really good example would be with Kaseya, for example, which happened over the Fourth of July weekend. There’s been a number of these types of cases where the organizations that are targeting the criminal organizations that are targeting these companies, they’ve actually gained their foothold well before the holiday. So they actually get their foothold in, they establish persistence, they do some of the reconnaissance that they’re going to need to do. They’ll start to build some of the tools that they’re going to want to do for their attack, and then they’re going to wait. And they’ll wait for these holidays when they know there’s going to be a skeleton crew. Sometimes they may even have access to what the staffing might look like, they may have access to emails, so they’ll have an idea of who’s going to be working, who’s not going to be working in some cases. But this is where they really understand, especially if we look at like Kaseya and things like that, when we look at supply chain, where they’re actually looking at when code gets compiled, they know when to actually initiate some of these particular attacks.

[Nate] All right, so tell me now about the research that you just completed.

[Ken] So we conducted a research study where we asked organizations that have been hit with ransomware. So in order for you to actually participate in the survey, you would have to have actually been hit with ransomware, particularly around the holidays. So we actually found that 49% said that they really didn’t have any sort of security solution in place to actually block the ransomware. Whereas 67 indicated that they didn’t have sort of next level or next antivirus that actually looks at behaviors. Only 46% said they had traditional signature based detections, like your sort of your commoditized antivirus, and 36% that’s actually said they had EDR, which is really troubling because that means that they’re not going to be able to actually respond. I see this all the time where the SIEM will get lit up telling them that they have ransomware that’s hitting their endpoints. But what I usually say is if it’s the SIEM that’s telling you that and not the endpoint, it’s usually going to be way too late. That attack has already been detonated, a number of systems have already been encrypted, and if you’re not able to actually respond, you’re not going to be able to actually stop that particular outbreak within the organization.
One thing was really surprising too, was that a lot of times when folks have responded to incidents over the holidays, particularly around Christmas, folks admitted that they have actually had something to drink. That was really surprising. It was over 70% of respondents had said that. So I think that’s important to realize, particularly as we had in this holiday season where staffing is already an issue, we already have staffing shortages. So we’re going to have a lot of folks that they’re going to be off, but they might be on call and there might be an incident. And that can actually have an impact and with regards to their decision making capabilities when they’re going to respond to some of these incidents. So this is something organizations really need to be conscious of.

[Nate] I keep thinking that the obvious thing to do to solve these problems is to have employees on the job over the holidays. But of course you can’t force people to be at work during Christmas nor would we want to. So what can companies and people reasonably do to protect themselves if not that?

[Ken] The best time to prepare for this holiday season would be last year. I think that’s one of the challenges here is that it takes a lot of time to get the tooling up. Many organizations are taking advantage of automation. I think that’s really key, whether it’s through a SOAR platform or sometimes it’s just the IT admin, the security analyst actually writing scripts and things like that to automate a lot of the tasks. But you haven’t been able to prepare over the year. You haven’t been able to start to automate some of these tasks. A lot of times some organizations will be leveraging an MDR, so a managed detection response firm. For example, with our MDR team, we’re actually ramping up our staffing for the holidays to kind of help offset some of the staffing shortage we may see with some of our customers. So leveraging an MDR is not something you’re going to be able to do within the next few weeks. However, identifying vulnerabilities within the environment, that is something that can be done. Ensuring the systems are patched. Sometimes there are some challenges too, because a lot of times organizations are heading into sort of a code freeze where no additional configurations or anything can be done just before the holidays to try to help mitigate some of the downtime and things like that.
So what organizations can do though is start to actually maybe tabletop exercise, you know, if there is going to be an issue, who’s going to be on deck for this, sort of establishing sort of a game plan. So kind of tabletop this out to see if we are hit, you know, who’s the kind of the first person that we need to contact? Who is the contact going to be for legal if that needs to happen? Like if there’s a ransomware outbreak or something like that. And also, you know, not just in the security team, but also ensure that the IT teams are aware and that there’s a plan there, and as well as communication in case there is an incident.

[Nate] Okay, but how effective are those tabletop exercises? Because you never really know what kinds of hackers you’re dealing with, what their capabilities are until you have to face them, right?

[Ken] Right. Well, one of the challenges, I think even in the, you know, as a vendor, we tend to focus a lot on the technology and we talk a lot about the advantage of the technology. But what we do forget is that there’s two other legs of the stool, and that’s process and people. And so I think those are two really critical aspects and those are things that can be implemented now, right? So in the people side of it, in the communications, those are where a lot of times when there is an incident, that’s where things kind of get caught up in the axle. Things get slowed down because there’s an incident, they don’t know who to contact, they don’t know who’s responsible for this particular business asset, they can’t get a hold of someone, all these sorts of things that those issues really kind of slow down the response process. So establishing those sort of clear lines of communication, sort of a game plan, if you will, with regards to what’s going to happen if there is an incident.

[Nate] So we understand now that hackers like to target holidays for all the reasons we’ve been discussing. Has it always been like this throughout cyber history or do you think as hackers, you know, learn how to better attack people with ransomware and advance their capabilities, this is just one of those more recent things that we’ve just started to discover?

[Ken] I think that there was always a little bit of this, but I think it’s really become much more strategic on the attacker side. We’re starting to see these attackers become much more well resourced. I think ransomware is sort of the blame there, it’s become a bit of a gold rush where, you know, you even see REvil who said that they’ve netted over $100 million in revenue. That’s as much as a startup, right? And they’re actually running these like a startup or a good software company.
And with that, they understand their audience. They know what their schedules are going to look like. A lot of times they may even have a better understanding of your infrastructure than you do. They may have a better understanding of your business and your business processes than even the CEO. And that is something that should scare organizations. And that’s where I think a lot of this is coming from is that it’s not like these organizations are going to initiate their attacks now. They’re not going to be doing it during the holidays. A lot of times they’ve already established the foothold within these organizations. They’ve already done the reconnaissance, they already know what tools they have to circumvent. Many times they’ve already escalated their privileges and they’ve expanded within the organization. They’ve also established persistence so that if, you know, they do get blocked by the like the firewall or the connection gets disconnected, they still are able to operate within the environment. Or even seeing some of the malware be sort of self-aware, if it does get disconnected, it still knows to go and crawl through the organization and try to make additional connections out to establish that persistence. So we’re getting into a situation where it’s much more sophisticated, not just on the technology side, but also on the people and process side when it comes to your adversaries. And so we need to plan accordingly.

[Nate] I imagine that when some people out there hear what you just said, their first thought is going to be, oh crap, maybe this has happened to me and I just don’t know it yet. So what can, say, a business owner do if they are worried of or suspect that someone may have already intruded on their network and may strike during the break? Is there anything that could be done between now and when that event would occur?

[Ken] I think it’s about changing mindset. A lot of times people are focused on the prevention side. They’re focused on the signatures and the firewalls and the boundary defenses, but they don’t take the assumption of what if the evil’s already inside the environment? What if the phone call’s coming from inside the house? That’s where I’m a huge advocate for threat hunting. I’ve worked with a number of organizations, huge financial institutions, and building out threat hunting programs. The whole tenet of threat hunting is assuming breach, assume that you’ve already been compromised.

How would you go about finding evil within your environment? That’s very different than your traditional detection rules and relying on sensors and things like that on the endpoint. It’s actually looking across multiple data sources to identify a particular anomaly or something that’s not right within the environment. Some of that can also be done leveraging machine learning. Artificial intelligence was sort of, I think they were a little overzealous in some of the marketing. A lot of the security vendors were like, AI is going to solve all your problems. But I feel like the machine learning aspect, which is actually what’s being utilized in the security space, which is a tool within the artificial intelligence arsenal, is incredibly useful for these types of use cases where you’re looking across huge, massive data sets.

You’re trying to identify what’s normal within the environment. Machine learning allows you to establish those baselines of behavior, but it also can look at correlation. You can actually correlate and look across different sources, and you can actually do peer analysis to where, hey, these groups of assets, they look like they’re all folks that are in HR. They usually access these types of applications, and all of a sudden we have an anomaly where this person tried to access a portal that they didn’t have access to. To me, that would be an anomaly, and that would help me to maybe start to develop a hypothesis that maybe that particular account is compromised, and then I may do a pivot to look at what other behavior within that account, what other systems does that particular user account access. Then I might be able to build out that, hey, this particular account is compromised. I may reset the password or do a further investigation.

The biggest thing is that threat hunting, also looking across your different assets and things like that. One thing I’ve seen a lot more, particularly in Cybereason, I see it with how we approach our ML. We’re not just looking on individual endpoints, but we’re looking across endpoints. That’s like looking for an earthquake, looking for a tremor to predict around something before it actually happens. If you can catch some of these types of incidents before they become a huge problem for the organization, and you can actually mitigate that threat, a lot of times you can avoid a breach. You maybe have a few files that get encrypted, but you can roll those back, you can actually maybe stop some of these attacks before you become front page news of the Wall Street Journal.

[Nate] I’m just curious, how many people do you think would suffice for, say, a large company to have a skeleton crew that can keep up if such an event occurs? Do you need a few people? Do you need a few dozen people? Or are those more passive systems that operate on their own, the machine-driven, sufficient?

[Ken] That’s a tricky question because it really depends on the organization, it really depends on the industry, the vertical, the size of the organization, what they’re trying to protect. But one thing I have seen is actually a lot of SOCs, like the financial institutions, they’re not actually going to a skeleton crew. In some cases, they’re actually ramping up their folks that are going to be working. So what that means with the staffing shortages and things like that is that oftentimes they’re going to be overworked, which is a whole other side of the coin, right? You have folks that maybe they’re upset, they have to work on Christmas, and they’ve already been working long hours. And if there is an incident, they’re going to have to work even longer hours. So they’re not going to be basically operating at their full capacity.

But smaller businesses, or even some industries like in maybe healthcare, or I think like transportation, which we’ve actually seen some of these ransomware groups kind of ramping up to target some of these, they’re going to have folks that are going to be off. They’re not going to have the crews that are going to be there in the SOC, or they may be working part time, they may be working from home and things like that. But usually I would say that they’re probably operating within probably a 45% capacity across the board.

[Nate] Okay, so let’s assume that the worst occurs and something very bad happens over the holiday break. What can companies do? What do you recommend for mediating the situation as Sam Curry, one of our past interview guests, likes to say, right of bang, after the attack occurs, to mitigate the amount of damage that could be caused from it?

[Ken] You know, one of the challenges we do see with this is if there is an incident in the survey, 50% of the folks said that, you know, it’s going to take them a lot longer to respond or even stop that attack. So that’s a bit of a challenge. So you know, prevention is going to be critically important. You know, if you have various policies trying to escalate some of that, maybe even make things a little bit more paranoid than normal. But for the most part, I think the most important thing is just be vigilant and observe what’s happening within your environment. You may already have your sensors set up, your tooling, but really have that set up and pay attention.

[Nate] So Ken, do you have any parting thought that you could leave with listeners?

[Ken] One thing is, you know, if you are in a company and you do have your defenders within the organization, you know, I think that’s one thing is that a lot of folks don’t realize how many hours that they’re putting in. A lot of cases, we’ve actually seen that like 86% of the respondents in our survey, actually, they saw that, you know, they actually missed a holiday or a weekend because of a ransomware attack, for example. I think just being able to have a little bit of empathy for the folks that are working in the security space, because particularly over like the Thanksgiving holiday, right, a lot of these folks were working hard. Well, you know, everyone else is having a nice dinner with their families and things like that. You have your cyber defenders who are sort of on the front lines and, you know, they’re not getting that break. So I think having a little bit of empathy for the folks that are working in the security field is good. So if you have someone that’s a security analyst, you know, give them a big hug.

[Nate] Actually one last thing. Is there maybe one action item you could give to folks out there who may not have been fully prepared for this holiday season, like one thing that they could do to be slightly better off than they might otherwise be?

[Ken] Yeah, I mean, it might be a little too late for, you know, any sort of silver bullet of what you’re going to do to prevent any of this stuff. But I think with that, maybe the best time to start planning for next year is now. So actually looking at how you can improve your security posture for next year, identify any sort of security incidents or challenges that you do have this year. Make sure that after the holidays that you do conduct a postmortem. Identify what failed in the technology side. How can we improve our processes? What can we do to maybe help on the people side as well? Are there more things that we can automate? Maybe we need to ramp up our hiring for next year. Are we anticipating additional traffic next year? All these sorts of things should go into a sort of a postmortem. So then you can feed this back into the system so that you’re much more secure next year.
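The peer-analysis hunt Ken describes (an HR account suddenly touching a portal its peers never use, then pivoting on that account) worked through as an added example; this is not code from the podcast or from Cybereason, and the access-log lines, group names and application names are constructed for illustration:

```python
"""Peer-group baseline threat hunt over constructed access logs (added example)."""
from collections import Counter, defaultdict

# Constructed sample events: (timestamp, user, peer_group, application, outcome).
# The baseline window is an ordinary working week; the hunt window is the holiday.
BASELINE_LOGS = [
    ("2021-12-13T09:01", "alice", "hr", "hris", "allow"),
    ("2021-12-13T09:05", "bob", "hr", "hris", "allow"),
    ("2021-12-13T09:10", "bob", "hr", "payroll", "allow"),
    ("2021-12-13T09:12", "carol", "hr", "payroll", "allow"),
    ("2021-12-13T09:20", "alice", "hr", "benefits", "allow"),
    ("2021-12-13T09:22", "carol", "hr", "benefits", "allow"),
    ("2021-12-13T10:00", "dave", "it", "vpn-admin-portal", "allow"),
    ("2021-12-13T10:05", "erin", "it", "vpn-admin-portal", "allow"),
    ("2021-12-13T10:07", "dave", "it", "backup-console", "allow"),
    ("2021-12-13T10:09", "erin", "it", "backup-console", "allow"),
]
HOLIDAY_LOGS = [
    ("2021-12-25T02:14", "bob", "hr", "hris", "allow"),              # normal for HR
    ("2021-12-25T02:31", "alice", "hr", "vpn-admin-portal", "deny"),  # not an HR app
    ("2021-12-25T02:33", "alice", "hr", "backup-console", "allow"),   # not an HR app
    ("2021-12-25T02:40", "dave", "it", "backup-console", "allow"),    # normal for IT
]


def build_baselines(events):
    """Count, per peer group, how often its members use each application.

    Caveat (Ken's point about early footholds): if the attacker was already
    inside during the baseline window, their activity is baked into "normal",
    so the window should predate the suspected compromise where possible.
    """
    baselines = defaultdict(Counter)
    for _ts, _user, group, app, _outcome in events:
        baselines[group][app] += 1
    return baselines


def find_anomalies(baselines, events, min_peer_uses=2):
    """Flag events whose application is effectively unseen for the user's peer group.

    A denied access is kept as well: a failed attempt on a portal the peers never
    touch is exactly the "tried to access" signal worth a hypothesis.
    """
    return [
        {"ts": ts, "user": user, "group": group, "app": app, "outcome": outcome}
        for ts, user, group, app, outcome in events
        if baselines[group][app] < min_peer_uses
    ]


def pivot_on_user(user, events):
    """Follow-up pivot: every application the flagged account touched, any window."""
    return sorted({app for _ts, u, _g, app, _o in events if u == user})


def hunt(baseline_events, hunt_events):
    """Run the hunt and attach a pivot for each flagged account."""
    anomalies = find_anomalies(build_baselines(baseline_events), hunt_events)
    return {
        user: {
            "anomalies": [a for a in anomalies if a["user"] == user],
            "pivot": pivot_on_user(user, baseline_events + hunt_events),
        }
        for user in sorted({a["user"] for a in anomalies})
    }


if __name__ == "__main__":
    for user, finding in hunt(BASELINE_LOGS, HOLIDAY_LOGS).items():
        print(user, finding)
```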