Prepare for the Holiday Ransomware Storm
Claude Mandy, chief evangelist at Symmetry Systems, highlights the heightened risk of holiday ransomware attacks on industries. Discover why, how, and practical steps to fortify defenses for a cyber-resilient holiday season.
The holiday season is upon us. As we approach the end of 2024, it should be a time for festive cheer for all. Unfortunately for cybersecurity teams across the globe, their holidays are more often filled with stress and long hours responding to cybersecurity incidents. In a subset of industries in particular, these teams find their organizations squarely in the crosshairs of cybercriminals looking to profit during the holiday period. These industries’ increased time sensitivity, criticality, and importance during the holiday season make them particularly lucrative targets for ransomware and cyber extortion gangs. In this article, we explore the sectors most at risk of ransomware attacks, why they are being targeted, how they are being attacked, and what a successful attack means, and we provide practical insights into the steps they can take to prepare for inevitable attacks on their data and operations.
The Industries in the Crosshairs
While you are stressing about missed flights, last-minute shopping, missing packages, your holiday budget, or suffering from the latest seasonal virus going around, cybercriminals are focused on the opportunities that your angst presents to put pressure on their targets.
Organizations in the retail and e-commerce industries typically see a substantial uptick in sales and transactions during this period. Similarly, hospitality and travel are synonymous with the holidays, as passengers travel across the country to reunite with friends and family. According to the Bureau of Transportation Statistics, over 88 million passengers had a flight scheduled during December 2023. The volume of personal information and banking data being collected to complete these transactions makes all these industries an enticing target for attackers looking to gain access to data that can be quickly monetized.
Sadly, cybercriminals are also continuing to target healthcare actively. This is expected to continue through this holiday period – doubling down on the importance of healthcare to broader society during the winter months – peak cold and flu season. Interruption in healthcare services could have severe consequences for patient safety, and cybercriminals know it.
Whether it’s retail, healthcare, hospitality, banking, or e-commerce, these industries could face significant losses if their operations were disrupted. Paying a ransom may seem like a calculated decision to minimize the financial losses, operational, and reputational risks associated with ransomware.
Holiday Attacks Use the Same Old Jingles
Cybercriminals are likely to target compromised user accounts and stolen credentials as their main attack vectors, especially during the holiday season. According to the 2024 Microsoft Digital Defense Report, over 51% of ransomware attacks were human-operated (i.e., not malware). Microsoft indicated that social engineering still tends to be the most common access technique. This is backed up by Verizon’s 2024 Data Breach Investigations Report, which indicates there were more than 3,500 incidents of social engineering. These incidents led to credential theft (50%), compromised personal information (41%), loss of internal data (14%), and more.
As a result, phishing remains the most likely threat vector. According to Trend Micro, phishing attacks rose 58% in 2023 compared to the previous year, as threat actors are weaponizing legitimate services for phishing. Cybercriminals often use SaaS tools to impersonate online orders, solicit donations for charity, and send holiday messages to coerce individuals into providing them with initial access.
Regardless of how cybercriminals obtain initial access, their playbooks afterward are becoming more standardized. Attacks will attempt to disrupt access to data through remote encryption (in 70% of cases, according to Microsoft) and also increasingly exfiltrate data to set up the opportunity for double extortion attacks, in which they ask for additional payment to prevent further data disclosure.
To Pay or Not to Pay – You Need to Disclose
If your organization is unfortunate enough to become a victim of a ransomware attack, you’ll need to decide whether or not to pay the ransom. There are a plethora of articles about the dilemma of whether to pay a ransom. All law enforcement agencies recommend against paying the ransom, and rightfully so.
The legality of paying ransoms differs across countries and even states, depending on the applicable legislation. An interesting influence on this decision is the focus of legislation on ensuring that organizations disclose ransomware attacks appropriately.
Ransomware-Specific Regulations
In the US, you should be aware of the following pieces of legislation:
- The Strengthening American Cybersecurity Act (SAC) states all critical national infrastructure organizations have 72 hours to disclose ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) or face penalties. An organization must disclose within 24 hours if it decides to pay a ransom.
- The US Treasury Department’s Office of Foreign Asset Control (OFAC) guidance on ransomware warns that if your company decides to pay the ransom to a party that is on the OFAC blacklist, you may face sanctions. OFAC may freeze the assets used in the transaction. Penalties may include civil fines and criminal charges.
- The SEC released the final Cybersecurity Risk Management, Strategy, Governance, and Incident Response rule in August 2023. It requires public companies to disclose material cybersecurity incidents within four business days.
In addition, the US Cybersecurity and Infrastructure Security Agency (CISA) suggests reporting the incident to multiple agencies:
- CISA
- Your local FBI field office
- The Internet Crime Complaint Center (IC3)
- Your local US Secret Service field office
This legislation exists to ensure organizations proactively engage law enforcement and other relevant government agencies. Ideally, that engagement happens before determining whether to pay the ransom, to avoid further penalties and enforcement after the payment.
Steps to Prep for a Cyber-Resilient Holiday
Regardless of the time of the year, all organizations should adopt a proactive cybersecurity stance against ransomware. Symmetry Systems recommends five clear steps you can take now to better secure your data for this holiday season.
- Create/Update a Data Inventory: Know your data assets and their locations. Regularly update your inventory when you add new data sources.
- Assess Your Data Security Posture: Conduct a data security assessment to identify exposed data. Prioritize and address high-risk exposures promptly.
- Identify and Remediate Any Publicly or Externally Exposed Data Stores: Regularly scan for publicly exposed data stores and secure them. Implement proper access controls to restrict unauthorized external access.
- Remediate Any Identities Missing Multi-Factor Authentication (MFA): Enforce MFA across all user accounts to add an extra layer of protection. Regularly audit and update MFA configurations.
- Discover Any Long-Standing Access Tokens: Periodically review and revoke access tokens. Implement token rotation policies to limit the impact of compromised tokens.
As organizations gear up for the holiday season, they must also gear up for the potential surge in ransomware threats. Understanding ransomware risks is essential for today’s businesses. Fortifying your defenses can help protect against potential threats, and staying compliant with relevant legislation is also crucial. Stay vigilant, stay secure, and have a cyber-resilient holiday season!