We all hear and read about it: Ransomware, an ever-evolving form of malware designed to encrypt files on devices, making them unusable for individuals, organizations, or systems depending on them.
The average ransom payment in Q3 2020 was $200,000, and the ransomware family "Sodinokibi" currently has the largest market share. When looking at the total cost of a ransomware incident, the average cost is 10 times higher than the ransom paid, according to Sophos research. The same research indicates that only one in 10 companies that paid the ransom got all of their data back.
It is important to remember that ransomware is a crime of opportunity. The attackers are looking for an easy payoff. Any additional roadblock you put in their way will prompt them to look elsewhere.
Am I at risk?
Most ransomware attacks require the attacker to access your network before they can encrypt your files. If attackers can’t get past identity safeguards, they literally can’t get anywhere.
It is a fact that most ransomware focuses on small- to medium-sized businesses. About a third of all ransomware targets businesses with 11 to 100 employees, and another third targets businesses with 101 to 1,000 employees. Small businesses with fewer than 10 employees represent 5% of the attacks.
So don't think that only large companies are targeted; you simply don't hear as much about the smaller ones.
Many organizations today are using Software as a Service (SaaS) providing functions and applications to their users. The modern attacker is doing just the same, only with a different name.
Ransomware as a Service (RaaS) is similar to SaaS: you can rent ransomware and choose configurations that fit the intended targets and attack vectors. And as in the normal software service business, RaaS is based on monthly payments.
Can this happen?
One of the most common ways attackers can gain access to your company’s data is by guessing weak passwords, stealing passwords via automated bots, phishing, and targeted attacks, or purchasing leaked credentials in bulk.
In most cases, it starts with a single compromised system that is used as the entry point. From there the goal is to gain a foothold, search local drives, networked drives and file shares, and encrypt every file of value that can be found.
For small companies, exposed Remote Desktop Protocol (RDP) is the most common attack vector. An RDP attack is easy to pull off, as it provides immediate access to and control of a system, and information about exposed systems and leaked credentials is readily available on the dark web. Small businesses can't afford to pay large ransoms, and the attackers are looking for easy prey and a quick payoff. Medium-sized companies experience phishing as the most common method.
For larger companies, a ransomware attack likely begins with a phishing attempt that implants password-stealing malware or a remote-access trojan, or tricks the user into exposing login credentials. The higher potential payoff justifies the extra work that goes into crafting a successful phishing attack.
Many times a ransomware attack also results in leakage of data, with the attacker threatening to publish the stolen information to speed up the payment process.
Does MFA help?
MFA requires two or more independent pieces of information to verify a user's identity when they attempt to log in or access data.
Without MFA, an attacker only needs compromised user credentials to gain system access (single-factor authentication).
With MFA, an attacker needs more than just a username and password. With a key stored on a smart card or token, for example, the effort required has increased a lot and the chance of success has dropped close to zero.
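To make the difference between single-factor and multi-factor login concrete, here is an added example (not code from the original post or from Nexus) that implements a time-based one-time password (TOTP, RFC 6238) as the second factor alongside a password check. The user record, salt and secret are constructed sample values; the secret is the RFC 4226/6238 test key so the codes can be checked against the published test vectors. A stolen password alone is rejected, which is exactly the roadblock the text describes.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo user store. In production the password hash would live in
# a directory or IdP and the TOTP secret in a token or protected vault.
DEMO_SALT = b"constructed-demo-salt"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890"


def hash_password(password: str) -> bytes:
    """Salted, stretched password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret_b32": RFC_TEST_SECRET_B32,
    }
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, now // step)


def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        # Hash anyway so unknown users take the same time as known ones.
        hash_password(password)
        return False
    return hmac.compare_digest(hash_password(password), rec["password_hash"])


def verify_totp(user: str, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for drift in range(-window, window + 1):
        expected = totp(rec["totp_secret_b32"], now + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: str, password: str, code, now: int):
    """Returns (granted, reason). Both factors must pass before access is granted."""
    if not verify_password(user, password):
        return False, "bad password"
    if code is None or not verify_totp(user, code, now):
        return False, "second factor missing or wrong"
    return True, "ok"


if __name__ == "__main__":
    # Unix time 59 falls in counter window 1; the RFC 6238 SHA-1 vector gives 287082.
    print(login("alice", "correct horse battery staple", None, 59))      # password only: denied
    print(login("alice", "correct horse battery staple", "287082", 59))  # both factors: granted
```

The policy point is in `login`: the password is only half of the decision, and an attacker holding leaked credentials still fails at the second check. A real deployment would also rate-limit attempts and record the last accepted counter so a code cannot be replayed within its window.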
Multi-factor authentication has been one of the most important measures recommended by various security experts for many years. By deploying MFA in your environment, you have taken the first and really important step towards the strategy of protecting your organization against a successful ransomware attack.
Many businesses are delaying MFA deployment because it is considered "inconvenient" for their users. It requires an extra step or two, and users do not see the benefits MFA can bring on top of the enhanced security. Functions such as digital signatures, single sign-on, e-mail encryption and self-service can make life easier for a user.
However, today's users want both higher security and more user-friendly functions. The technology is available; it is just a matter of making the decision to use it.
Today, when work life and private life are coming closer together through remote work, the chance that an incident affects both the work and private life of an individual is increasing.
The US Cybersecurity and Infrastructure Security Agency (CISA) publishes a Ransomware Guide with best practices, in which it recommends employing Multi-Factor Authentication (MFA) for all your services.
A strategy that enables a Zero Trust security model, where only identities that have been authenticated with multi-factor authentication are trusted to access any resource, is needed.
These steps will increase security:
- Block all access to resources except authenticated and authorized traffic
- Implement multi-factor authentication for users
- A secure on-boarding and off-boarding process
- Access control for all systems, based on SAML, OpenID Connect or similar
A mindset of "don't trust anyone or anything" until it has been securely identified is a healthy IT strategy.
With Smart ID Digital ID management, Nexus, an IN Groupe brand, removes the complexity and lets you manage the lifecycle of all digital identities in one system, with the help of self-service and automated processes.
Smart ID Digital ID management has the following key features:
- Lifecycle management of smart cards and virtual smart cards
- Mobile app for great user experience using virtual smart cards
- Best-practice processes for standard use cases
- Self-service and automated workflows
- Synchronization of data with a directory service
- Integration of certificate authorities (CA) from multiple vendors