BlackBerry Blog

Holiday Weekend? Prepare to Be Ransomed.

Update: September 1, 2022

Will you return from a holiday break and find yourself in the midst of a ransomware incident response?

Labor Day and other national holidays typically mean reduced IT and security team staffing. As network defenders get some time off, cybercriminals often seize the opportunity to execute an attack.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert (AA21-243A) with a clear message: threat actors will not be taking any time off. In fact, recent information suggests they may be putting in overtime to take your data hostage.

This advisory is intended to raise awareness of a growing trend of launching ransomware attacks during holidays and weekends – when staffing may be lightest. Recent examples include:

  • Mother’s Day weekend – Colonial Pipeline data is ransomed by the DarkSide threat actors
  • Memorial Day weekend – JBS Foods suffers a debilitating Sodinokibi/REvil ransomware attack
  • July 4th weekend – Kaseya VSA software was leveraged to launch a supply chain attack affecting over 1,000 companies

For professional incident responders such as the BlackBerry Incident Response team, this is a recurring trend. In fact, cyberattacks have ruined so many holidays and weekends that Friday is often referred to as “IR Friday” as the calls start coming in.

Those that Should Take Heed

Should you worry about the FBI/CISA alert? Anyone who has the ability to pay a ransom is a target, and anyone who has the incentive to pay the ransom is at increased risk. In fact, the greater the incentive, the greater the risk. Strong motivators can range from regaining access to systems or data, to avoiding public release/sale of the exfiltrated data, or worse, preventing a threat to human life (emergency services, hospitals, etc.).

Preventative Measures

The advisory included in the FBI/CISA alert provides many proactive tips for both organizations and individuals, such as:

  • Continuously and actively monitor for ransomware threats over holidays and weekends
  • Participate in proactive threat hunting to get ahead of possible attacks
  • Secure and monitor Remote Desktop Protocol (RDP) or other potentially risky services
  • Apply critical updates and scan for vulnerabilities
  • Use strong passwords and multi-factor authentication (MFA)

This is all great advice; however, if you do not have the skills to threat hunt or the staffing to be on call 24x7x365 — including holidays and weekends — you may want to consider enlisting the help of a Managed Detection and Response (MDR) service. Additionally, having an Incident Response Retainer (IRR) in place before an incident occurs will save precious time, and a great deal of (ransom) money. When the house is on fire, the last thing you want is an argument with your Legal or Finance departments over who owns the firehose or how much it is going to cost to extinguish the blaze – and clean up afterwards.

Victim of an Attack?

In the unfortunate event that it is too late and you believe you have been the victim of an attack, please contact us, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

BlackBerry has a global consulting team standing by to assist you with around-the-clock support — even on nights, weekends, and holidays.

Wishing you safe and, above all, secure and uneventful holidays and weekends.

Tony Lee

About Tony Lee

Vice President of Global Services Technical Operations, BlackBerry.

Tony Lee, Vice President of BlackBerry Global Services Technical Operations, has more than fifteen years of professional research and consulting experience pursuing his passion in all areas of information security.

As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7, and is also a frequent blogger, researcher, and author of white papers on topics including Citrix security, the China Chopper web shell, and Cisco's SYNful Knock router implant.

Over the years, he has contributed many tools to the security community such as UnBup, Forensic Investigator Splunk app, and CyBot, the extensible Threat Intelligence Bot framework designed for anyone from a home user to a SOC analyst.