Protecting against the seasonal spike in ransomware attacks: Lessons from Home Alone

Group-IB
3 min read · Dec 29, 2023

With Christmas already past and the New Year approaching, people around the globe are spending time with their families and watching holiday movies like Home Alone, the story of a small but very brave boy called Kevin who outsmarts two burglars with a series of unexpected traps to protect his home. Unfortunately, not all DFIR teams will have the luxury of spending the holidays at home. Group-IB’s decades of incident response experience show that ransomware groups treat the holiday season as prime time to attack: they take advantage of understaffed security teams, of the difficulty of mobilizing responders quickly during vacations, and of employees who are more easily distracted. We have compiled a list of essential tips to protect your home and your digital infrastructure from cybercriminals who are far more skilled and dangerous than Home Alone’s Harry and Marv, also known as the Sticky Bandits.

Phishing emails: The unlocked front door

In Home Alone, Kevin knows that burglars may gain entry through the front door. Similarly, phishing emails are cybercriminals’ preferred method of attack during the holidays.

Every holiday season, especially around Christmas and New Year’s, Group-IB’s Threat Intelligence system detects a major increase in phishing emails. Attackers find this the easiest route to initial access, so we expect them to rely on it again this year.

In principle, protecting against phishing is as simple as not opening suspicious emails. In practice, this is easier said than done: distinguishing malicious messages from benign ones can be tricky. We recommend that companies give all staff basic cybersecurity training covering rules such as:

  1. Check the sender’s address for any discrepancies.
  2. Be cautious of emails lacking personalized greetings.
  3. Watch out for grammatical and spelling errors.
  4. Beware of urgent emails demanding immediate action.
  5. Avoid clicking on unknown links or opening suspicious attachments.
  6. Be skeptical of requests for confidential information.
  7. If in doubt, contact the company that appears to have approached you through its official channels, not through the details given in the email.
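Rules 1, 4 and 5 above can be partly automated at the mail gateway or in a triage script. The following is an added example written for this post (not Group-IB code or part of its products); the two sample messages, the domains and the list of urgency words are constructed for illustration. It shows what “discrepancies in the sender’s address” look like in practice: a display name that borrows a brand the address does not carry, a lookalike domain one character away from the real one, Reply-To and Return-Path pointing elsewhere, and a link whose hostname merely embeds the brand as a subdomain label.

```python
"""Flag header-level phishing indicators in a raw e-mail (added example, not Group-IB code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: impersonates "example-bank.com", which we treat as a trusted brand.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-track.example.net>
From: "Example Bank Support" <support@examp1e-bank.com>
Reply-To: <helpdesk@example-bank-secure.top>
To: <employee@corp.example>
Subject: URGENT: verify your account within 24 hours

Your account will be suspended. Confirm now at
http://example-bank.com.verify-login.top/session
"""

# Constructed sample of a legitimate message from the same brand.
CLEAN_MESSAGE = """\
From: "Example Bank Support" <support@example-bank.com>
To: <employee@corp.example>
Subject: Your December statement is available

Log in at https://online.example-bank.com/statements
"""

TRUSTED_DOMAINS = {"example-bank.com"}           # assumption: brands your staff deal with
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def registrable(host: str) -> str:
    """Last two labels; a naive stand-in for the eTLD+1 that is good enough here."""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def header_discrepancies(raw: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    msg = message_from_string(raw)
    findings: list[str] = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # Rule 1: display name carries a trusted brand, but the address domain is not trusted.
    squashed = re.sub(r"[^a-z0-9]", "", name.lower())
    for t in trusted:
        brand = re.sub(r"[^a-z0-9]", "", t.split(".")[0])
        if brand and brand in squashed and from_dom not in trusted:
            findings.append(f"display name impersonates {t} but From is {from_dom}")
        # Rule 1: lookalike domain within two character edits of a trusted one.
        if from_dom != t and edit_distance(from_dom, t) <= 2:
            findings.append(f"From domain {from_dom} is a lookalike of {t}")

    # Reply-To / Return-Path steering replies or bounces to another organisation.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(parseaddr(msg.get(hdr, ""))[1])
        if dom and registrable(dom) != registrable(from_dom):
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # Rule 5: links whose host embeds the brand but resolves under a different domain.
    body = msg.get_payload() if isinstance(msg.get_payload(), str) else ""
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        for t in trusted:
            if t in host and registrable(host) != t:
                findings.append(f"link host {host} embeds {t} but is under {registrable(host)}")

    # Rule 4: coercive or urgent language in the subject line.
    subject = msg.get("Subject", "")
    if any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append(f"urgent language in subject: {subject!r}")
    return findings

if __name__ == "__main__":
    for finding in header_discrepancies(SAMPLE_MESSAGE):
        print("-", finding)
    print("clean message findings:", header_discrepancies(CLEAN_MESSAGE))
```

The sample phishing message triggers all six checks, while the legitimate one triggers none. The `registrable()` helper is deliberately naive (two labels); in production use a public-suffix list, otherwise hosts under `co.uk`-style suffixes will be misjudged.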

Vulnerable external services: Open windows

Just as Kevin was wary of open windows inviting burglars in, outdated or misconfigured external services (such as RDP and VPN gateways) are open invitations to cybercriminals. A full penetration test may be out of the question during the holidays, but the human factor is still worth checking: make sure that your system administrators have not exposed insecure remote-access tools for their own convenience. Attack surface management systems can check specifically for such exposures and return results within hours, if not minutes.

Additionally, we recommend checking the versions of your externally facing servers against known vulnerabilities before the holidays. It is better to patch now than to discover, once you are back at work, that your data has already been stolen.

Password reuse: Unsecured backdoors

In the film, the burglars searched for hidden keys to gain entry. In reality, hackers may already hold the keys to your infrastructure thanks to passwords reused across different websites. Just between us: do you use the same password for several accounts? This common habit, combined with cybercriminals’ widespread use of information stealers (malware that harvests saved credentials from compromised systems for resale or direct use), poses a serious risk to your security.

Protecting against this threat within a tight timeframe is challenging: you would need a threat intelligence source that reports compromised credentials for your domains, and a process to block or reset the affected accounts promptly. However, like Kevin, you can prepare by rotating the passwords of critical accounts before the break, starting with system administrator accounts and any other accounts with elevated privileges.
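What “obtain information about compromised account details and promptly block such accounts” looks like in practice is a matching exercise: take the stealer-log records a threat intelligence feed reports for your domains, check whether the leaked plaintext still matches the account’s current password hash, and prioritise privileged accounts. The following is an added example written for this post, not Group-IB’s code or a description of its platform; the dump lines, domains, accounts and the salted SHA-256 stand-in for the directory’s own hash format are all constructed.

```python
"""Triage stealer-log records against a corporate account inventory (added example, not Group-IB code)."""
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stealer-log style records (URL|username|password), as a feed might deliver them.
STEALER_DUMP = """\
https://vpn.corp.example/|j.doe@corp.example|Winter2023!
https://shop.example.net/login|J.Doe@corp.example|Winter2023!
https://mail.corp.example/owa|a.smith@corp.example|Sn0wflake#9
https://forum.example.org/|asmith_home@example.com|Sn0wflake#9
https://vpn.corp.example/|b.lee@corp.example|Tr0ub4dor&3
https://streaming.example.com/|someone@example.com|hunter2
"""

CORP_DOMAINS = {"corp.example"}               # assumption: your mail/logon domains
PRIVILEGED = {"a.smith@corp.example"}         # constructed: a domain admin

def pw_hash(password: str, salt: str) -> str:
    """Stand-in for the directory's real hash (e.g. NT hash); salted SHA-256 for the demo."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed: what the directory currently holds. Only salt + hash, never plaintext.
CURRENT_HASHES = {
    "j.doe@corp.example":   ("salt1", pw_hash("Rotated-Dec-2023", "salt1")),  # already rotated
    "a.smith@corp.example": ("salt2", pw_hash("Sn0wflake#9", "salt2")),       # still the leaked one
    "b.lee@corp.example":   ("salt3", pw_hash("Tr0ub4dor&3", "salt3")),       # still the leaked one
}

def is_corp_host(host: str, corp_domains: set[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in corp_domains)

def parse_dump(text: str) -> list[tuple[str, str, str]]:
    """Return (host, user, password) triples; the password field may itself contain '|'."""
    records = []
    for line in text.splitlines():
        if line.count("|") < 2:
            continue
        url, user, password = line.split("|", 2)
        host = (urlparse(url.strip()).hostname or "").lower()
        records.append((host, user.strip().lower(), password))
    return records

def triage(records, corp_domains=CORP_DOMAINS, privileged=PRIVILEGED, current=CURRENT_HASHES):
    sites_by_password = defaultdict(set)   # secret -> every host it was captured for
    corp_accounts = defaultdict(set)       # corporate account -> hosts it was captured on
    for host, user, password in records:
        sites_by_password[password].add(host)
        if user.rsplit("@", 1)[-1] in corp_domains:
            corp_accounts[user].add(host)

    report = []
    for user in sorted(corp_accounts):
        leaked = {p for _, u, p in records if u == user}
        # Reuse: the same secret also protects some non-corporate site.
        reused = any(not is_corp_host(h, corp_domains)
                     for p in leaked for h in sites_by_password[p])
        # Still valid: a leaked plaintext hashes to the account's current hash.
        still_valid = False
        if user in current:
            salt, digest = current[user]
            still_valid = any(pw_hash(p, salt) == digest for p in leaked)
        if still_valid and user in privileged:
            severity = "CRITICAL"   # reset now, revoke sessions, review recent logons
        elif still_valid:
            severity = "HIGH"       # force a reset before the break
        else:
            severity = "INFO"       # already rotated; still a training point if reused
        report.append({"account": user, "seen_on": sorted(corp_accounts[user]),
                       "reused_elsewhere": reused, "still_valid": still_valid,
                       "severity": severity})
    return report

if __name__ == "__main__":
    for row in triage(parse_dump(STEALER_DUMP)):
        print(row)
```

Note that the reuse check is keyed on the secret, not the username: a.smith’s corporate password is flagged as reused because the same string appears under a personal account on a forum, which is exactly how stealer logs expose a work account through a home machine.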

Data backups: The emergency escape plan

Just as Kevin had an escape plan, so should you. Regular, isolated backups of critical data are your escape route if a ransomware attack does occur. Keeping these backups offline (or “cold”) and immutable, so that nothing on the compromised network can modify or delete them, is akin to having a secret escape tunnel that the burglars cannot locate. A backup that has never been verified or test-restored, however, is only a hope: check before the holidays that the copy you would restore from is intact.
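One cheap check that belongs on the pre-holiday list is verifying that a backup set still matches what was written, since ransomware crews routinely encrypt or delete reachable backups before triggering the main payload. The following is an added example for this post (not Group-IB code): it writes a SHA-256 manifest for a backup directory and later reports files that were modified, removed or added. The directory contents and the simulated tampering are constructed in a temporary folder so the script runs offline.

```python
"""Hash manifest for a backup set, and a verifier that spots tampering (added example, not Group-IB code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _files(root: Path) -> dict[str, Path]:
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Record size and SHA-256 of every file; store the manifest *outside* the backup tree."""
    manifest = {rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
                for rel, p in sorted(_files(backup_dir).items())}
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest

def verify_backup(backup_dir: Path, manifest_path: Path) -> dict:
    """Return lists of ok / modified / missing / unexpected paths relative to the manifest."""
    manifest = json.loads(manifest_path.read_text())
    present = _files(backup_dir)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, meta in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif present[rel].stat().st_size != meta["size"] or sha256_file(present[rel]) != meta["sha256"]:
            result["modified"].append(rel)          # e.g. encrypted in place
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(present) - set(manifest))   # e.g. a ransom note
    return result

def demo() -> dict:
    """Constructed scenario: write a backup, take a manifest, then simulate a ransomware visit."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        backup.mkdir()
        (backup / "db.sql").write_bytes(b"CREATE TABLE customers (id INT);\n" * 100)
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = Path(tmp, "backup.manifest.json")     # kept apart from the backup tree
        write_manifest(backup, manifest)

        # Simulated tampering: one file encrypted in place, one deleted, a ransom note dropped.
        (backup / "db.sql").write_bytes(os.urandom(64))
        (backup / "config.yaml").unlink()
        (backup / "README_RESTORE.txt").write_bytes(b"Your files are encrypted. Contact us.\n")
        return verify_backup(backup, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest only helps if the attacker cannot rewrite it alongside the backup: keep it on the offline medium itself or with the cold copy, or sign it with a key that is not reachable from the production network. Also note that this verifies integrity, not restorability; a periodic test restore is still needed.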

By applying these lessons delivered by both the brave Kevin and Group-IB’s DFIR team, you will strengthen your defense against ransomware attacks during the holiday season. Vigilant practices, staff training, vulnerability checks, password management, and secure data backups will protect your home and infrastructure. Stay on guard and have a safe and secure holiday season!

Group-IB

Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime