This article was originally published on Spiceworks.
The holiday season is upon us. As we approach the end of 2023, it should be a time for festive cheer for all. Unfortunately for cybersecurity teams across the globe, their holidays are more often filled with stress and long hours responding to cybersecurity incidents. Particularly in a subset of industries, these teams find their organizations squarely in the crosshairs of cybercriminals during the holiday period, looking to profit. These industries’ increased time sensitivity, criticality, and importance during the holiday season make them particularly lucrative targets for ransomware and cyber extortion gangs. In this article, we explore the sectors most at risk of ransomware attacks, why they are being targeted, how they are being attacked, what a successful attack means, and provide practical insights into steps they can take to prepare for inevitable attacks on their data and operations.
The Industries in the Crosshairs
While you are stressing about missed flights, last-minute shopping, missing packages, your holiday budget, or suffering from the latest seasonal virus going around, cybercriminals are focused on the opportunities that your angst presents to put pressure on their targets.
Organizations in the retail and ecommerce industries typically see a substantial uptick in sales and transactions during this period, especially online. Similarly, hospitality and travel are synonymous with the holidays, as passengers travel across the country to reunite with friends and family. According to the Bureau of Transportation Statistics, over 80 million passengers had a flight scheduled during December 2022, although, not surprisingly, only 69.02% arrived on time. The volume of personal information and banking data being collected to complete these transactions makes all of these industries an enticing target for attackers looking to gain access to data that can be quickly monetized.
Sadly, cybercriminals are also continuing to target healthcare actively. This is expected to continue through this holiday period – doubling down on the importance of healthcare to broader society during the winter months – peak flu and cold season. Interruption in healthcare services could have severe consequences for patient safety, and cybercriminals know it.
Whether it’s retail, healthcare, hospitality, banking, or e-commerce, organizations in these industries could face significant financial losses if their operations are disrupted during the holiday season, in addition to the impact on customer satisfaction and, in the case of healthcare, patient safety. Paying a ransom may seem like a calculated decision to minimize the financial losses and the operational and reputational risks associated with ransomware during this period.
Attacks using the Same Old Jingles
Compromised user accounts and stolen credentials are currently the most probable and straightforward attack vectors across all industries and will undoubtedly be used during the holiday season. According to the 2023 Microsoft Digital Defense Report, over 40% of ransomware attacks were human-operated (i.e., not automated malware). In the 2022 report, Microsoft indicated that 75% of these human-operated ransomware attacks involved the use of compromised user accounts. This is backed up by Verizon’s 2023 Data Breach Investigations Report, which indicates that stolen credentials were used in 44.7% of the attacks they investigated.
These credentials could initially be stolen in various ways, but phishing remains the most likely threat vector. A report from Zscaler ThreatLabz earlier in the year indicates that phishing attacks rose 47.2% in 2022 compared to the previous year, despite the advent of phishing-resistant MFA. While some may dream of more fishing gear, everyone is more likely to receive a phish during the holidays. Cybercriminals often impersonate online order and package-tracking emails, charity solicitations, and messages related to holiday events to trick individuals into providing the initial access these attacks need.
Regardless of how cybercriminals obtain and weaponize that access, their playbooks afterward are becoming more standardized. Attacks will attempt to disrupt access to data through remote encryption (in 60% of cases, according to Microsoft) and increasingly also exfiltrate data to set up double extortion, in which the attackers demand an additional payment to prevent further disclosure of the stolen data.
To Pay or Not to Pay – You Need to Disclose
Organizations that are unfortunate enough to suffer a ransomware attack will be confronted with a decision on whether or not to pay the ransom. Plenty has been written about the dilemma of whether to pay a ransom. All law enforcement agencies recommend against paying the ransom, and rightfully so.
The legality of paying ransoms differs across countries and even states, depending on the applicable legislation. An interesting influence on this decision is the focus of legislation on ensuring that organizations disclose ransomware attacks appropriately. In the US, the two most important pieces of legislation that you should be aware of are:
- The 2022 Strengthening American Cybersecurity Act (SAC) states all critical national infrastructure organizations must disclose ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) in less than 72 hours or face penalties. An organization must disclose it within 24 hours if it decides to pay a ransom.
- The U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”) guidance on ransomware: The OFAC guidance highlights that ransomware payments may end up being made to parties on OFAC’s blacklist, which places the paying organization at risk of enforcement action from the OFAC. The OFAC also highlights that reporting to law enforcement will mitigate any enforcement action regarding a cyber ransom payment.
The SEC recently released its final Cybersecurity Risk Management, Strategy, Governance, and Incident Response rule. It requires public companies subject to the Securities Exchange Act of 1934 reporting requirements to disclose material cybersecurity incidents within four business days.
The clear focus of this legislation is to ensure organizations proactively engage law enforcement, CISA, and other relevant agencies as early as possible, ideally before deciding whether to pay, so that they avoid further penalties and enforcement after any payment. Regardless of their decision to pay, organizations are increasingly legally required to disclose ransom payments or face stiff penalties.
Steps to Prep
Regardless of your industry and the time of the year, all organizations should adopt a proactive cybersecurity stance against ransomware – starting with their data. Symmetry Systems recommends five clear steps you can do now to better prepare for this holiday season.
- Create/Update a Data Inventory: Know your data assets and their locations. Regularly update the inventory as new data sources are added.
- Assess Your Data Security Posture: Conduct a data security assessment to identify exposed data. Prioritize and address high-risk exposures promptly.
- Identify and Remediate Any Publicly or Externally Exposed Data Stores: Regularly scan for publicly exposed data stores and secure them. Implement proper access controls to restrict unauthorized external access.
- Remediate Any Identities Missing Multi-Factor Authentication (MFA): Enforce MFA across all user accounts to add an extra layer of protection. Regularly audit and update MFA configurations.
- Discover Any Long-Standing Access Tokens: Periodically review and revoke access tokens. Implement token rotation policies to limit the impact of compromised tokens.
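As an added illustration of the last three steps (not code from the original article or from Symmetry Systems), the following script walks a constructed data inventory and reports publicly exposed data stores, identities missing MFA, and access tokens older than an assumed 90-day rotation policy, ranked so the riskiest exposures are remediated first. The inventory format, the names in it, and the severity scale are all assumptions.

```python
# Added example: a small data-security posture check over a constructed
# inventory. Everything here (store names, identities, token ids, the
# 90-day rotation policy, the 1-3 severity scale) is hypothetical.
from datetime import date, timedelta

MAX_TOKEN_AGE = timedelta(days=90)   # assumed token rotation policy

# Constructed sample inventory; not real systems or accounts.
INVENTORY = {
    "data_stores": [
        {"name": "orders-db", "sensitivity": "high", "public": False},
        {"name": "marketing-assets", "sensitivity": "low", "public": True},
        {"name": "patient-exports", "sensitivity": "high", "public": True},
    ],
    "identities": [
        {"name": "alice", "mfa": True,
         "tokens": [{"id": "t1", "created": "2023-11-20"}]},
        {"name": "svc-etl", "mfa": False,
         "tokens": [{"id": "t2", "created": "2022-01-15"}]},
        {"name": "bob", "mfa": False, "tokens": []},
    ],
}

def audit(inventory, today_iso):
    """Return (severity, kind, subject) findings, highest severity first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for store in inventory["data_stores"]:
        if store["public"]:
            # Step 3: an externally reachable store holding sensitive data is
            # the worst case; a public low-sensitivity store still gets logged.
            sev = 3 if store["sensitivity"] == "high" else 1
            findings.append((sev, "public_data_store", store["name"]))
    for ident in inventory["identities"]:
        if not ident["mfa"]:
            # Step 4: an account without MFA is the credential-theft path
            # the article describes as the most likely initial access.
            findings.append((2, "missing_mfa", ident["name"]))
        for tok in ident["tokens"]:
            # Step 5: long-standing tokens outlive the password they were
            # minted under; one on an MFA-less identity is rated highest.
            age = today - date.fromisoformat(tok["created"])
            if age > MAX_TOKEN_AGE:
                sev = 3 if not ident["mfa"] else 2
                findings.append((sev, "stale_token", f"{ident['name']}/{tok['id']}"))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

if __name__ == "__main__":
    for sev, kind, subject in audit(INVENTORY, "2023-12-01"):
        print(f"sev={sev} {kind}: {subject}")
```

Replacing the constructed `INVENTORY` with output from your own asset and identity inventory turns this into a repeatable check rather than a one-off assessment.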
As organizations gear up for the festive season, they must also gear up for the potential surge in ransomware threats. By understanding the risks, fortifying defenses, and staying compliant with relevant legislation, industries can ensure a secure and joyous holiday season for themselves and their customers. Stay vigilant, stay secure, and have a cyber-resilient holiday season!