Recent anti-ransomware guidance from the Cybersecurity and Infrastructure Security Agency (CISA)1 and the White House2 cites multi-factor authentication (MFA) as a key part of an effective defense. The same measure has long been recommended by various security experts. Over the past few years, there have been shifts in ransomware attack methods and as a result, MFA plays a more important role than ever. In this article, we’ll describe how MFA works, where you should deploy MFA in your environment, and how that strategy can protect you against a successful ransomware attack.
First of all, too many businesses hold off on deploying MFA because it will “inconvenience” their users by requiring an extra step or two. This is a minor inconvenience relative to the protection it provides. Remember: Ransomware is a crime of opportunity. The attackers are looking for an easy payoff. Any additional roadblock you put in their way will prompt them to look elsewhere.
How does MFA work?
One of the most common ways hackers can gain access to your company’s data is by guessing weak passwords; stealing passwords via automated bots, phishing, and targeted attacks; or purchasing leaked credentials in bulk via the Dark Web. The goal of multi-factor authentication is to create additional layers of defense beyond simply using a password.
MFA requires two or more independent pieces of information to verify a user’s identity when they attempt to log in or access data. Examples of this information include what the user knows, such as a password; who the user is, verified by a fingerprint or facial recognition app on their device; and what the user has, such as their smartphone or a hardware token to which a one-time authorization code can be sent.
Whichever method you use, the extra steps add a valuable layer of protection against unauthorized access.
Who is vulnerable – and how?
So, why should you worry about ransomware at all? Large-scale attacks gain notoriety and make mainstream press headline news—most recently the Colonial Pipeline attack, and the Kaseya attack that is estimated to have impacted around 1,500 businesses through their MSPs. Such high-profile attacks are the exception—most businesses prefer to avoid the publicity and much ransomware goes unreported.
The fact is, most ransomware focuses on small- to medium-sized businesses. Approximately one-third of all ransomware targets businesses with between 11-100 employees, and another third targets businesses with 101 to 1,000 employees. Businesses with 10 employees or less figure in 5% of attacks.3
How do these attacks happen? They typically start with a single compromised system that provides the point of entry for the attack. The most common initial attack vectors are phishing attacks, exposed Remote Desktop Protocol (RDP) ports and associated credentials; and software vulnerabilities, including zero-day exploits as well as known vulnerabilities that have not been patched.
For the smallest companies, RDP compromise is by far the most common attack vector. RDP is easy to pull off, provides immediate access and control of a system, and information about exposed systems and leaked credentials is readily available on the dark web. These small businesses don’t have the means to pay large ransoms, so the threat actors that target them are looking for easy prey and a quick payoff. At companies with 11 employees and above, phishing attacks become more favored. The larger the company, the more likely it is that a ransomware attack begins with a phishing attempt that implants password-stealing malware or a remote-access trojan, or that tricks the user into exposing login credentials. The higher potential payoff justifies the extra work that goes into crafting a successful phishing attack.
MFA deployment strategies
Which networked resources should you protect with MFA? Here we summarize the recommendations given the current state of ransomware attack methods, which we’ll explain further in this article. Enable and deploy MFA to protect the following assets and logins:
1. All VPN logins. In the Colonial Pipeline attack, initial access was via a dormant VPN account that was unprotected with MFA. With VPN access, perpetrators gain the same access and privileges as a local user, giving them a point of entry for traversing the network and escalating privileges.
2. Web mailboxes, Microsoft 365 accounts, and any other cloud-based systems that aren’t protected with a VPN. Commandeered email accounts can be used to trick other users into giving up their credentials, and Office 365 documents can harbor macros. Any exposed system that can carry the credibility of an authorized user can be an attack vector for an imaginative and determined attacker.
3. Any access to RDP or other remote-desktop services. Disable RDP on systems that don’t need it. If you really need to use RDP, require access through a VPN protected with MFA. This is essential. Information about vulnerable systems including the login credentials associated with them are available on the dark web, and they’ve become a commodity. You need the additional authentication factor that MFA provides.
4. Administrative account logins. This includes the domain administrator accounts as well as other key administrative logins that control access to tools and systems. Even if the attacker manages to compromise administrative logins and passwords, the MFA requirement will still block access. This is critical for defending against sophisticated, targeted attacks as described below.
5. Backup systems, and access to systems, drives, or folders that contain the backup files. As we explain next, targeted ransomware attacks prioritize crippling any ability to recover from a backup.
Anatomy of an attack
The first generations of ransomware operated with a straightforward premise: gain a foothold, search local drives, networked drives, and file shares, and encrypt every file of value that could be found. Perpetrators found that in some cases, this blunt-instrument, encrypt-immediately approach had a significant drawback: with good backups and a little time, a business could be running again with no ransom payment required.
So the threat actors are now hedging their bets by extracting valuable data from the business before encrypting the files. In what is termed “double extortion,” they threaten to share sensitive information publicly. They’re combining the public embarrassment and potential legal liability of leaking the data, along with the potential loss of the encrypted data, to incentivize a payment. They even resort to triple extortion by informing third parties that might be impacted, hoping they will pressure the compromised victim to pay up. The most recent data indicates that 77% of ransomware attacks involve the threat to leak data.
After locating and siphoning off the valuable and sensitive data for extortion, the attacker traverses the network, looking for backups and system images and disabling, encrypting, or deleting them to thwart potential recovery. Access to administrative accounts allows endpoint protection and possibly other security measures to be disabled. Then, after identifying every possible system to infect, the attacker injects the ransomware which encrypts the data.
The importance of a multilayered defense
From our description of an attack, you can see all the places that MFA can interrupt the chain. But let’s be clear: MFA isn’t a cure-all. At ESET, we recommend it as part of a multilayered defense that includes endpoint protection software, cybersecurity education for employees, regular backups stored offsite or otherwise air-gapped from the network, and perhaps other measures as appropriate to the size, budget, and risk profile of your organization.
MFA is, however, easy to implement, less user-intrusive than popularly perceived, effective in thwarting a majority of attacks as executed using current methods, and a deterrent against all but the most determined ransomware perpetrators. It belongs in your arsenal as a key part of your overall defense.
1 Ransomware Guide, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center(MS-ISAC), September 2020
2 Memo to corporate executives and business leaders, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, June 2, 2021
3 Coveware is a “ransomware recovery first responder” and their services come into play after an attack has been executed. Because of this, they have unique, up-to-date data about ransomware attacks and some insight into the methods the attackers use; we acknowledge the use of their data in this article.