As the holiday season approaches, security leaders wanting to give their teams some much deserved extra time off may get blindsided – ransomware attacks during weekends and holidays prove to be more costly than those that take place during normal weekdays.

According to the latest holiday ransomware study from Cybereason – Organisations at Risk 2022: Ransomware Attackers Don’t Take Holidays – ransomware attacks that take place on weekends and holidays continue to catch many organisations off-guard, resulting in longer investigation times and causing greater damage.

The global study, based on a survey of more than 1 200 cybersecurity professionals, found that attacks occurring on weekends and holidays result in higher costs and greater revenue losses for organisations than attacks that take place on weekdays. More than one-third of respondents who experienced a ransomware attack on a weekend or holiday said their organisations lost more money as a result, a 19% increase over 2021.

The numbers ticked up to 42% in the education sector and 48% in the travel and transportation industry. Overall, ransomware attacks make up nearly half (49%) of all security incidents that SOC teams are most frequently trying to resolve.

Last year’s study suggested that the increase in cost is related to cybersecurity staffing levels on weekends and holidays, and this year’s results continue to bear that out. Four-in-ten (44%) respondents indicated they reduce security staff by as much as 70% on weekends and holidays. One-fifth (21%) noted that their organisations operate a skeleton crew during those times, cutting staff by as much as 90%. Conversely, just 7% of respondents indicated they were 80% to 100% staffed on weekends and holidays.

Weekend and holiday staffing levels, by country:

• South Africa: 73% typically staff at 50% or less

• Germany: 91% typically staff at 50% or less

• UAE: 75% typically staff at 50% or less

• France: 72% typically staff at 50% or less

• Singapore: 71% typically staff at 50% or less

• Italy: 65% typically staff at 50% or less

• US: 50% typically staff at 50% or less

Weekend and holiday staffing levels, by company revenue (USD):

• Under 100,000: 50% typically staff at 50% or less

• 100,000 – 999K: 58% typically staff at 50% or less

• 1M – 9M: 69% typically staff at 50% or less

• 10M to 49M: 65% typically staff at 50% or less

• 50M to 99M: 61% typically staff at 50% or less

• 100M to 499M: 73% typically staff at 50% or less

• 500M+: 68% typically staff at 50% or less

Impact on attack response

When organisations operate with fewer cybersecurity resources during off-peak business hours, ransomware attacks take longer to assess and remediate. One-third (34%) of respondents whose organisations had been hit on a weekend or holiday said it took them longer to assemble their incident response team. A little more than one-third (37%) said it took them longer to assess the scope of the attack, and 36% said it took them longer to stop and recover from the attack.

The numbers were higher in the US, where 44% of respondents said it took them longer to assess and respond to a weekend/holiday ransomware attack. This marked a 19% increase over US results from last year’s survey.

The numbers were also higher at larger organisations with more than 2 000 employees, where 43% said it took longer to assemble incident responders, 48% said it took longer to assess the attack scope, 40% said it took them longer to stop the attack, and 36% said it took them longer to recover.

Beyond financial damage

The damage caused by weekend and holiday ransomware attacks is not just financial – it’s personal too. These attacks disrupt people’s lives outside of work, interfere with their family time, lead to burnout, and prompt some cybersecurity professionals to leave the field altogether, which only exacerbates the cybersecurity talent shortage that compels companies to reduce weekend and holiday staff in the first place.

Indeed, 88% of respondents said they had missed out on either a holiday celebration or weekend event due to a ransomware attack. These numbers were higher in the US, Germany, and in the financial services industry, where nine out of ten respondents (91%, 95%, and 95%, respectively) said the same.

No rest for the weary: Cybersecurity is a 24x7x365 job

The survey results highlight the fact that traditional Monday through Friday staffing models are out of step with cyberthreats and leave companies vulnerable the rest of the week. Attackers, of course, take advantage of the fact that companies’ human defences aren’t nearly as robust during these off-peak times.

Given that both this year’s and last year’s survey results demonstrate a direct correlation between cybersecurity staffing levels and attack impact, companies would be wise to consider the following recommendations:

Explore different staffing models for SOC analysts and incident responders. Security leaders can look to hospital emergency rooms as a model for their SOC teams. They also need to identify what level of weekend/holiday staffing is optimal: in other words, what’s the least amount of coverage they can get away with and still reduce risk? Also ensure key players can be reached any time of day and have a specific response plan in place and practiced for weekend/holiday attacks.

Pursue a managed detection and response (MDR) strategy. MDR providers deliver threat monitoring, detection, and incident response capabilities as a service to customers on a 24×7 basis. While particularly helpful for smaller organisations that lack the budget or staff to build their own internal SOC, many large organisations also rely on MDR providers to extend or expand their existing SOCs. Organisations considering MDR need to select their provider carefully: consider what solutions the provider uses to facilitate detection and response, and what facets of the buyer’s IT infrastructure the provider will be able to monitor.

Consider locking down privileged accounts on weekends and holidays. The usual path attackers take to propagate ransomware across a network is to escalate privileges to the admin domain level and then deploy the ransomware. Those highest privilege accounts are rarely required during weekends and holiday breaks. Security teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution, or inaccessible during a ransomware attack.

Ensure clear isolation practices are in place. This will prevent attackers from making any further ingress on the network and from spreading the ransomware to other devices. Teams should be proficient at disconnecting a host, locking down a compromised account, and blocking malicious domains. Testing these procedures with scheduled or unscheduled drills at least every quarter is recommended to make sure all personnel and procedures work as expected.

Make prevention and detection technologies work harder. The survey results suggest that respondents’ existing ransomware prevention and detection technologies may be inadequate: All respondents had experienced a ransomware attack despite running some combination of traditional antivirus, next-gen antivirus (NGAV), or endpoint detection and response EDR products. Notably, more companies reported running traditional antivirus solutions this year (53%) versus last year (46%). It’s not surprising that companies relying on traditional antivirus tools would be more vulnerable to ransomware.

After all, the weaknesses of traditional, signature-based antivirus products in preventing ransomware attacks are well established. What’s more surprising is that the number of respondents using EDR had decreased from last year: this year, 54% of respondents indicated they were not using EDR, compared with 36% in 2021. Regardless, it may be time for companies to switch to behaviour-based approaches to ransomware protection. Behaviour-based approaches use machine learning to identify activities leading up to a ransomware attack, allowing companies to detect these attacks in their earliest stages before ransomware is detonated on an endpoint.

Shifting staffing, moving to MDR, and switching to behaviour-based technologies are far more effective and sustainable approaches to combating ransomware than some of the approaches survey respondents said their organisations were taking to combat the heightened threat. For example, 27% of respondents said their organisations had set up crypto wallets to pay adversaries. Another 27% said their organisations were learning to negotiate with ransomware actors. Research shows that paying ransomware actors only emboldens them to strike again.

You’ve been warned!

With the holiday season fast approaching, security leaders may want to rethink SOC staffing decisions over the next several weeks and make sure their teams are prepared for a worst-case scenario. Security teams need to know how they’re going to mobilise, communicate with one another, work with vendors, and respond to an attack in the event one takes place.

Two years in a row, the research has demonstrated how unprepared most companies are for ransomware attacks on holidays and weekends. It’s time to change the game.