This article is more than 1 year old

Why ransomware attacks happen out of hours or during the holidays

Security teams have a choice to make – and doing nothing is not an option

Paid Feature Time waits for no one. But ransomware attackers do. Increasingly, cybercriminals are timing their attacks, detonating them when their victims are out of the office. This gives them the chance to inflict maximum damage, and explains why ransomware attacks surge on public holidays like Thanksgiving and Christmas. How do they do it, and what can under-staffed security teams do about it?

These timed attacks are depressingly frequent. The Toronto Transit Commission struggled to deal with the fallout from a ransomware attack that it detected just as the Halloween weekend began this year.

The attack took out driver communication systems and stopped people booking its van services online. It also took down the internal email service. The same weekend, the province of Newfoundland noticed an attack on its systems that knocked out systems across its regional health authorities. All non-emergency appointments would have to be rescheduled, executives said.

These out of hours attacks aren't just bad luck; they're designed that way. Online criminals might be jerks, but they're jerks with a strong work ethic. They're at their desks all the time, it seems, and especially when your security team isn't.

After-hours or post-log-off ransomware execution is an intentional strategy, which makes sense in the case of ransomware. This attack needs time to encrypt its targets, although attackers can cut down this time by finding and infecting the computers with access to the assets ahead of time. Executing when security teams are out or operating on skeleton staff makes them less likely to spot and contain an ongoing attack.

"As reduced staff wind down and employees mentally and physically log off from the workplace, there is a decline in the speed of detection and triage within an enterprise.

This allows threat actors to sneak in unnoticed," explains Max Heinemeyer. He is the director of threat hunting at Darktrace, a company created by former intelligence officials that uses AI to spot and stop attacks including ransomware automatically.

Holiday attacks on the rise

Companies are even more vulnerable during the holiday season, says Justin Fier, Director of Cyber Intelligence and Analytics, at Darktrace. “Based on what we’ve seen in previous years, holidays are consistent target periods for cyber-attackers. Interestingly, the largest rise in attempted ransomware attacks is between Christmas and New Year’s when attackers know there will be fewer eyeballs on screens defending against threats

The company this month revealed its security researchers had recorded a 30 per cent increase in the average number of attempted ransomware attacks globally over the holiday season in every consecutive year from 2018 to 2020 compared to the monthly average.

Darktrace researchers also observed a 70 per cent average increase in attempted ransomware attacks in November and December compared to January and February. Following a record number of ransomware attacks this year, the company expects the spike to be higher over the 2021 holiday period.

Just in time for the holidays

Already in the 2021 holiday season, Darktrace’s AI detected and autonomously stopped an in-progress, early-stage ransomware attack on a U.S. city before any data exfiltration or encryption could occur. The city’s security team had deployed an AI solution to combat multi-stage ransomware attacks, enabling them to stop the attackers at the earliest stage.

Another example of a holiday attack was the ransomware incident that targeted JBS S.A.. Ransomware attackers hit the company, which supplies a fifth of global meat production, on May 30, which is a Sunday. It also happens to be Memorial Day weekend in the US. The attack disrupted a fifth of US meat production.

Ransomware criminals use REvil to ambush Kaseya, a managed IT services company, on Friday July 2, 2pm local time. just in time for the July 4 long weekend. The attack may have come at an inconvenient time, but luckily that didn't stop the company from launching an incident response the same day and working the weekend to try and get ahead of the problem.

The attack knocked out several of Kaseya's customers, placing each of those at a disadvantage over the weekend, too. That's the big issue with supply chain attacks: the large number of downstream victims amplifies their effect. If one company is inconvenienced by a holiday attack, so is everyone else.

Less than two months later, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning organizations to be especially wary of attacks over the holidays and weekends. The agency, along with the FBI, had seen a marked rise in ransomware attacks at these times, it said, warning companies that Labor Day was coming up.

SOCs are understaffed

Attackers might have the staff or automation techniques to work all hours, but your security operation center (SOC) doesn't. With SOCs either empty or understaffed out of hours, an out-of-hours attack has a better chance of succeeding. Without sophisticated monitoring tools, staff might not see a suspicious incident at all. Even if a monitoring tool brings one to their attention, they're unlikely to do much about it if they're overworked.

If there is a skeleton crew on shift, then who do you tell?

If things escalate and ransomware executes after hours, a company with an empty SOC won't notice it until it’s too late. If there is a skeleton crew on shift, then who do you tell? Ransomware response is the most time-critical process imaginable. Getting the response team out of bed at 3am on a Saturday won't be easy. Your response time and capabilities will be severely hindered.

Another danger of an out-of-hours or weekend attack is that it gives the attackers a chance to cover their tracks. As an attack plays out unhindered, companies risk losing more than their data. Valuable forensic evidence could also disappear, making it difficult to contain and recover from the incident later on and creating legal and regulatory hurdles.

Ransomware criminals do their best to live off the land, using everyday administrative tools to avoid raising suspicion, but they still need to connect with external command and control servers that could alert a savvy admin. Criminals can be more active while the admins are away for the weekend, conducting riskier tasks in time to put the system back to normal for Monday.

Increased dwell time

These attacks are stealthy ventures. Attackers are often in companies' systems before they launch an attack, but will wait weeks before pulling the trigger. When DarkSide criminals hit oil transportation company Colonial Pipeline, spiking gas prices along the eastern seaboard, they were already in the system and pilfered 100Gb of data from the company's networks on the Thursday, reports said. But it wasn't until Friday, after it had stolen the files, that the miscreants detonated the ransomware.

This tendency to dwell and wait is a sign of ransomware's ongoing evolution. Many earlier ransomware attacks would detonate immediately on infection, presumably in the hope that they could execute before the infection was found. These days, there is a rise in human operated attacks. As was the case in the Colonial Pipeline attack, criminals spend more time moving laterally under the radar, picking through victims' systems to discover the most valuable information before stealing it. This gives them the option for double extortion later.

One Darktrace client even told it of an attack that happened on Christmas Day. The attackers initially compromised the system on December 16, when they established a foothold on a desktop machine and then started connecting to domain controllers. Those controllers began making multiple HTTP connections to a malicious domain.

After hours on Christmas Eve, it became clear that the victim was on the attacker's naughty list.

The Darktrace system had alerted staff, but in the days before the holiday season they were busy and didn't have time to investigate the problem. It seemed to go away, but in reality the malware had simply gone into dormant mode.

After hours on Christmas Eve, it became clear that the victim was on the attacker's naughty list. An infected domain controller started making RDP connections to a file server. The file server started sending its contents to a domain called

There were no staff around to heed the Darktrace system's warnings. On Christmas Day, while the security team was at home opening presents, the ransomware was doing some wrapping of its own. Multiple infected devices were encrypting the already stolen data on the company's servers.

SOC around the clock

Having a system warn you urgently about an ongoing attack isn't useful if you don't have the staff to deal with it. Darktrace notes that the client attacked over Christmas would have been saved had it switched on the company's autonomous response system. Called Antigena, the technology mounts a proportional response to emerging events on the client's infrastructure.

This can go all the way from quarantining a phishing email through to blocking specific connections or even cutting off an infected system entirely from the network.

In the case of the Christmas Day intrusion outlined above, if the organizsation had Antigena’s response capability switched on, it would have taken targeted action early on, and the attack would never have progressed that far.

Many security pros don't trust automated tools to make the right decisions all the time. In those cases, the vendor also offers an augmented human monitoring service via its own SOC. The Darktrace system will alert its own staff to especially worrying incidents on a client's infrastructure, using a feature called proactive threat notifications (PTNs). Analysts in the SOC, which runs round the clock, can then investigate the issue themselves, keeping eyes on the threat at all times.

As cybercriminals get more sophisticated in their attack planning and timing, security teams face two choices: either staff up, complement internal staff with outsourced services, or refine their process through automation. Doing nothing is not an option - at least, not if you want your data exactly as you left it after the holidays.

Sponsored by Darktrace.

More about


Send us news