Ransomware Actors Attack Most Often on Fridays

Criminals are detonating ransomware at targeted organizations seven days a week, leaving enterprises with essentially no time to shore up their security operations. But a recent study revealed that Friday was the most popular day for ransomware attackers to strike, perhaps attempting to capitalize on employees’ desire to leave for the weekend and the anticipated delay in response time.

According to RiskRecon analysis of 650 publicly reported ransomware events, Friday saw the highest share of attacks, with 19% of all disclosed ransomware detonation events. Wednesday was the second most common day for ransomware detonation with 17% followed by Sunday with a 15% share.

AWS Builder Community Hub

Tuesdays and Thursdays, with an 11% and 12% share, were the two days where the deployment of malware was least likely, according to the report.

“On these most popular days, even in the face of an emergency, not all hands are on deck to detect and respond to a major event,” explained Kelly White, CEO of RiskRecon. “It is very likely that criminals are taking advantage of this reality to increase the detonation blast radius and thus increase the likelihood of getting paid to release the systems.”

For John Bambenek, principal threat hunter at digital IT and security operations company Netenrich, the Friday preference for ransomware deployment is linked to response time.

“In the final stages of ransomware deployment, it becomes more obvious that something bad is happening and steps can be taken to limit the impact,” he said. “Friday presents a possibility of limited staff or people with other things on their mind. [Attackers are] also obnoxious and like the fact that they are ruining people’s weekends.”

Bambenek said that even though ransomware attacks are happening nonstop, there are some steps organizations can take to adopt round-the-clock security postures, including outsourcing security functions to an MSSP who can staff up 24/7/365.

“For those organizations that can’t afford an outsourced SOC, they’ll need to harden their infrastructure to slow ransomware deployment,” he said.

White said successfully protecting an enterprise against ransomware requires consistently applying the basics of cybersecurity risk management well—and that requires good cybersecurity hygiene.

Based on RiskRecon’s continuous cybersecurity assessment of over 150,000 enterprises, organizations that succumb to ransomware, on average, have a 6 times higher rate of critical software vulnerabilities in their internet-facing systems and double the rate of unsafe network services exposed to the internet; both of which are common vectors for compromising a network.

Poor Cybersecurity Hygiene

Nearly 30% of the 150,000 enterprises RiskRecon monitors have very poor cybersecurity hygiene and have significant gaps in basic practices such as managing exposure to critical vulnerabilities and unsafe network services that are commonly exploited.

“The likelihood of ransomware payouts correlates with the amount of pressure and stress principals in the targeted organization feel,” explained Oliver Tavakoli, CTO at Vectra, an AI cybersecurity company. “Dealing with a ransomware demand when you’re stressed after a full week of work and looking forward to some downtime is harder than dealing with it after a restful weekend.”

He said while ransomware can arrive via an organization’s software or service supply chain, this is still a relatively uncommon entry vector.

“Regardless of where ransomware starts, the focus must be on detection capability to find it during its intermediate stage and automation or SOC capabilities must stop and evict it before it has achieved its goal,” Tavakoli said. “Build a robust detection capability and automate certain actions—especially in response to high-quality detection events.”

Match the Control to the Threat

Jake Williams, co-founder and CTO at BreachQuest, a specialist in incident response, said organizations can use outsourced detection and response for 24×7 ops, but it’s important to match the control to the threat.

“If the goal is stopping ransomware threat actors, visibility matters more than hours of coverage,” he said. “By the time ransomware is being detonated, you’re fighting the wrong battle. Most ransomware operators spend a few days to a couple of weeks performing lateral movement and privilege escalation. That’s where organizations need to focus on stopping ransomware.”

He added most organizations considering ransomware response are hyper-focused on protecting backups and are not doing enough work in the earlier stages of the attack (lateral movement and privilege escalation).

“Supply chain management is definitely a concern, but with good monitoring to detect lateral movement in the environment, ransomware supply chain risks are diminished substantially,” he pointed out.

A Clear Divergence

White predicted in 2022 there would be a continued divergence in volume and impact between organizations that manage cybersecurity risks well and those that do not.

“The ransomware events of the last four years show that criminals are indiscriminately targeting organizations, regardless of size or industry,” he said. “The data consistently shows that those who manage cybersecurity risks poorly have a ten times higher rate of succumbing to ransomware than do companies that manage cybersecurity risks well.”

He pointed out the Log4J vulnerability and others that will inevitably be revealed in 2022 will just increase the opportunities for criminals to compromise organizations that don’t manage cybersecurity risks well.

“Managing any risk well requires effective processes and information necessary to understand and act on the risk,” White said. “This is how organizations have managed traditional supply chain stability threats such as financial health, natural disaster and geopolitical risks.”

He explained the same holds true for ensuring supply chain resilience to ransomware—effective processes and information necessary to understand and act on each critical supplier’s resilience to ransomware.

Due to ransomware’s constant press across the world, organizations need to be very good at evaluating and continuously monitoring their suppliers’ cybersecurity risk exposure. White said there are two realities that must be addressed to do this well: Expertise and scale.

“First, it is critical that vendor management and information security are closely partnered. Together, they have the context and expertise necessary to operate a successful program,” he said. “And second, it is essential to arm the team with subscriptions to timely, accurate supplier cybersecurity assessment information necessary understand the cybersecurity performance of each important supplier.”

Bambenek pointed out that, ultimately, there is very little that can be done for supply chain risks aside from making sure detection is in place to notice lateral movement from a partner organization into your network.

“What we have seen, though, with the Kronos ransomware incident last week, for instance, is that business interruption can still happen because your providers may be unable to service you if they are down due to ransomware,” he added. “Ultimately, all that can be done is have a business continuity plan to either weather the outage or have alternative providers standing by.”

From Bambenek’s perspective, while the non-stop attacks clearly show organizations aren’t well prepared, that misses the point.

“The tech industry has developed tools businesses come to rely on that aren’t secure and those companies just outsource the risk of breach to their customers,” he said. “The entire technology ecosystem is all but designed to ensure this very outcome, as large organizations can invest in tools and people to protect themselves, but the overwhelming majority of organizations cannot.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 217 posts and counting.See all posts by nathan-eddy