Ransomware had been a growing threat to global cybersecurity even before recent geopolitical events led the CISA to issue its Shields Up alert, encouraging all enterprises to adopt a heightened security posture. Ransomware attacks grew by 105% in 2021 and have risen by 232% since 2019, with some verticals such as government (+1,885%) and healthcare (+755%) being particularly highly targeted.
In recent years, organizations of all sizes have been crippled by ransomware, including major businesses, entire health systems (the UK’s NHS) and even whole cities (Baltimore, MD among others). A successful ransomware attack negatively impacts an organization on multiple fronts, including:
- Temporary and permanent loss of data
- Theft and dissemination of private records
- Direct costs of paying ransom
- Business shutdown involving lost sales, missed contract deadlines, etc.
- Costs of IT clean-up operation
- Damaged consumer trust
- Possible regulatory fines
With such major consequences from ransomware attacks, it’s critical that organizations recognize how they occur and how to prevent ransomware attacks in the first place.
How Ransomware Attacks Are Deployed
Hackers use two primary vectors to launch a ransomware attack on an organization. Understanding these attack vectors is key to understanding how to prevent ransomware attacks. In the first method, attackers leverage security vulnerabilities to gain entry into a system and eventually deploy ransomware. This could be an unpatched software vulnerability, an un-updated system (this is how the infamous WannaCry ransomware wreaked such havoc) or one that has stopped being supported altogether. Many businesses are still running machines on the discontinued Windows 7 OS, putting them at serious risk when Microsoft stops its extended security update (ESU) program at the beginning of 2023.
Unfortunately, prevention of these types of attacks isn’t always in your organization’s control, as the attack could exploit a new zero-day flaw that your vendor doesn’t know about and which cannot be detected by security measures such as antivirus or EDR tools. This was the case for the recent Kaseya attacks, where the notorious REvil ransomware group used a vulnerability in a Kaseya remote computer management tool to launch an attack that affected thousands of organizations across the globe.
The second form (and by far the most common route of access for ransomware) uses compromised passwords or credentials. Again, knowledge plays a critical part in ransomware prevention, so let’s look at the main ways stolen or cracked passwords result in successful attacks:
- Brute force and credential stuffing: Credential stuffing attacks take lists of stolen passwords from previous data breaches and try them successively until they gain entry into a system using. They frequently use automated tools and botnets that let them evade blocking mechanisms intended to prevent multiple failed login attempts. After gaining access, the attacker moves laterally in the network and escalates privileges until they are able to deploy the ransomware payload.
- Phishing: Finding exploits or vulnerabilities hidden in code can be difficult and time-consuming, but running a reverse proxy on a website, emailing a link and getting a user to hand over their password isn’t. Phishing attacks can be spammed to many people or more directly focused on high value and privileged access targets (spear-phishing and whale-phishing). Once the attacker has the compromised login credentials, they can access the system as an authenticated user and, depending on the user’s level of access, begin uploading malware.
- RDP Attacks: The significant shift to home-working since the beginning of the pandemic has led to a corresponding focus by attackers on Remote Desktop Protocols (RDP), i.e., what organizations use to create a “home network” environment for remote workers. Different RDP systems may have weak password protocols, which can be brute-forced, or attackers can use phishing and social engineering to prey on home workers’ relaxed security approach to steal passwords, infiltrate the system and initiate a ransomware attack.
How to Prevent Ransomware Attacks
Ransomware prevention requires a concerted effort across the whole spectrum of cybersecurity and users. Some of the most basic protection strategies involve effective cyber hygiene, such as:
- Keeping software and hardware drivers patched: New vulnerabilities are discovered all the time, so regularly patching software is essential for ransomware prevention.
- Update systems regularly: Attackers can identify the most vulnerable systems to narrow down their attack vectors and increase their chances of success. To prevent this, keep all systems up-to-date.
- Disabling ports and protocols: Anything that’s not essential for business shouldn’t be open, as attackers can sniff and exploit vulnerable entry points.
- Phishing education: Ensure that all employees know how to spot suspicious emails or contacts.
Deploy Strong Multi-Factor Authentication
Given that the majority of ransomware attacks originate from poor password and authentication security, the most important element of any ransomware prevention plan is implementing strong multi-factor authentication (MFA). The massive Colonial Pipeline ransomware attack, which affected 45% of the East Coast’s fuel supply and shut down thousands of gas stations, began from a breached password for an account without MFA in place. For effective ransomware prevention, your MFA should be phishing resistant, especially for high-privilege and administrator accounts, which have the potential to significantly elevate an attack if compromised.
Ransomware Prevention with Phishing-Resistant MFA
Phishing-resistant MFA is critical for ransomware prevention as most MFA methods can be defeated by modern attacks. One-time passwords (OTPs), SMS and push notification authentication methods can all be circumvented by phishing, MitM (man-in-the-middle) or push attacks (or some combination of all three). Today there are more than 1,200 MitM phishing toolkits available that let cybercriminals bypass MFA.
Phishing-resistant MFA is fully passwordless and based on public key cryptography; it does not share credentials or secrets at any point in the authentication process. Users confirm their identity through secure on-device methods such as biometric sensors or a decentralized PIN. Essential to ransomware prevention is the fact that it does not use OTP codes, SMS tokens or any type of phishable credential.
Mitigation Measures if Ransomware Prevention Strategies Fail
Even though phishing-resistant PMFA greatly reduces the potential for successful ransomware attacks, there is no such thing as 100% protection. There will always be a new zero-day vulnerability discovered by hackers, configuration errors made by even the most diligent IT teams or a malicious insider that slips in a threat undetected. However, you can take steps to minimize damage and improve recovery speeds after an attack. These include:
- Regularly backing up data to unconnected or air-gapped storage
- Consistent staff education on how to spot ransomware attacks
- Training on reactions, such as disconnecting the device from the network and contacting IT
- Establishing an incident response plan, working with a professional incident response firm if your organization lacks the internal resources to understand the attack and determine needed mitigation steps.
HYPR Phishing-Resistant Passwordless MFA (PMFA)
The increase in volume and severity of ransomware attacks makes ransomware prevention a security priority for industries across the board. has become critical for effective cybersecurity. By implementing phishing-resistant passwordless MFA, organizations can wipe out the vast majority of its ransomware attack surface.
HYPR’s PMFA eliminates the trade-off between operational security and user experience by delivering the highest level of authentication security, removing passwords and, importantly, creating a seamless authentication process that saves time, prevents frustration and avoids users taking risky “shortcuts.” By completely eliminating shared secrets as an authentication factor and turning a user’s personal device into a secure FIDO token, phishing-originated ransomware attacks can be stopped at source.
To see how HYPR’s phishing-resistant PMFA can elevate your ransomware protection efforts, talk to our team.
Want to learn more about passwordless security in general? Download the Passwordless 101 guide.