Why Ransomware Hackers Love a Holiday Weekend
On the Friday heading into Memorial Day weekend this year, it was meat processing giant JBS. On the Friday before the Fourth of July, it was IT management software company Kaseya and, by extension, over a thousand businesses of varying size. It remains to be seen whether Labor Day will see a high-profile ransomware meltdown as well, but one thing is clear: Hackers love holidays.
Really, ransomware hackers love regular weekends, too. But a long one? When everyone’s off carousing with family and friends and studiously avoiding anything remotely office-related? That’s the good stuff. And while the trend isn’t new, a joint warning issued this week by the FBI and the Cybersecurity and Infrastructure Security Agency underscores how serious the threat has become.
The appeal to attackers is pretty straightforward. Ransomware can take time to propagate throughout a network, as hackers work to escalate privileges for maximum control over the most systems. The longer it takes for anyone to notice, the more damage they can do. “Generally speaking, the threat actors deploy their ransomware when there is less likelihood of people being around to start pulling plugs,” says Brett Callow, threat analyst at antivirus company Emsisoft. “The less chance of the attack being detected and interrupted.”
Even if it is caught relatively soon, many of the people in charge of dealing with it are potentially poolside, or at the very least harder to get ahold of than they would be on a normal Tuesday afternoon. “Intuitively, it makes sense that defenders may be less attentive during holidays, in large part because of decrease in staff,” says Katie Nickels, director of intelligence at security firm Red Canary. “If a major incident occurs during a holiday, it may be more difficult for defenders to bring in necessary personnel to respond quickly.”
It’s those major incidents that likely caught the FBI and CISA’s attention; in addition to the JBS and Kaseya incidents, the devastating Colonial Pipeline attack took place over Mother’s Day weekend. (Not a three-day weekend, but still timed for maximal inconvenience.) The agencies said they don’t have any “specific threat reporting” that a similar attack will take place over Labor Day weekend, but it shouldn’t come as any sort of surprise if one does.
It’s important to remember also that ransomware is a constant threat, and for every headline-grabbing gasoline shortage there are dozens of small businesses at any given time scrambling to send bitcoins to cybercriminals. Victims reported 2,474 ransomware incidents to the FBI’s Internet Crime Complaint Center in 2020, a 20 percent increase over the previous year. Hacker demands tripled in that same timeframe, according to IC3 data. Those attacks weren’t all concentrated around three-day weekends and Hallmark holidays.
In fact, as CISA and the FBI acknowledge, weekends in general tend to be popular with crooks. Callow notes that submissions to ID Ransomware—a service created by security researcher Michael Gillespie that lets you upload ransom notes or encrypted files to figure out what exactly hit you—tend to spike on Mondays, when victims have returned to their offices to find their data encrypted.
Strategic timing on the part of hackers takes other forms, as well. Attacks against schools drop precipitously in the late spring and summer, Callow says, because there’s much less urgency associated with recovery then. When they stole $81 million from Bangladesh Bank, North Korea’s Lazarus Group timed the heist to take advantage not only of differences between Bangladeshi and US weekends—in the former, it’s Friday and Saturday—but also the Lunar New Year, a holiday throughout much of Asia.