Why Ransomware Has Become a Major Identity Threat


Ransomware continues to plague organizations around the world, with more than 493.3 million attacks detected in 2022. Despite a proliferation of products in the security stack, companies keep falling victim to these attacks, paying an average of $812,360 in ransom demands. The total cost to an organization is estimated to be $4.5 million, owing to the length of time involved in detecting and remediating these breaches.

This article explores why ransomware attacks have increased so dramatically, how identity protection blind spots play a fundamental role in these attacks, and what organizations can do to address those blind spots and stop ransomware altogether.

How Ransomware Evolved into a Critical Business Risk

While ransomware is hardly a new phenomenon – the first recorded attack dates back to 1989 – it is only in the last few years that it’s become such a worldwide crisis. This is because attackers have evolved their techniques at a much faster pace than organizations can keep up with. Up until about ten years ago, for example, threat actors only had the ability to infect a single machine at a time with ransomware. This was a disaster for the user as well as an issue for the security team, but ultimately did not represent an organizational risk.

But with the appearance of several now-infamous cyberattacks in 2017 (including WannaCry and NotPetya), cybercriminals showed that they could couple an encryption payload with an automated propagation mechanism. This meant attackers were now using a new technique that allowed them to move across an environment and thus attack not just one machine at a time but infect an entire organization at once.

A recent high-profile example of this was the Colonial Pipeline attack in May of 2021, which shut down a key fuel artery on the US East Coast leading to fuel shortages and the declaration of an emergency by the president. That year, in fact, attacks were up 78% from 2020 with 66% of all global organizations being affected by ransomware.

The Impact of Ransomware is Amplified by Lateral Movement

To appreciate why these attacks have become so widespread – and so successful – it’s important to understand the concept of lateral movement. According to the MITRE Corporation, lateral movement is defined as a set of techniques that adversaries use to expand their presence in an environment following an initial compromise.

This ability to conduct lateral movement has fueled today’s insatiable appetite for ransomware, since a single point of compromise can now yield a potentially huge payoff for attackers. In fact, lateral movement is now being used in 82% of all ransomware attacks. This is a disturbing development, since only a few years ago this ability was confined to highly sophisticated cybercriminals, such as state-sponsored hacking groups and foreign intelligence agencies.

So let’s take a closer look at what’s actually going on here.

Lateral Movement Attacks Are Fueled by Compromised Credentials

According to some estimates, there are 24.6 billion stolen credentials (i.e. username-password combinations) available for sale on the Dark Web. This represents a treasure trove for opportunistic threat actors looking to engage in ransomware extortion, because with these credentials in hand, attackers know that by using tried-and-true techniques like phishing, smishing, or social engineering they can eventually get initial access to an organization’s environment and then run rampant.

The reason is a fundamental flaw in the identity infrastructure itself. Once attackers gain access to an initial machine, they need only present the compromised credentials to the identity provider responsible for user authentication – most likely Microsoft Active Directory (AD), which is used by 90% of the Global Fortune 1000 – and the lateral movement can begin.

This is why lateral movement is such a serious identity threat: the availability of stolen user credentials, together with attackers’ ability to extract credentials from compromised machines or intercept them from network traffic, enables cybercriminals to authenticate to multiple machines in an environment, spread a ransomware payload across an entire network, and encrypt multiple machines simultaneously.

Ransomware Attacks Are Increasing Because of Two Blind Spots

This brings us to an important point, because the security measure known as multifactor authentication (MFA) is known to be able to prevent 99.9% of all cyberattacks. Yet if this is the case, why are these ransomware attacks continuing unabated?

The reasons are alarmingly simple.

MFA Can’t Be Enforced Everywhere

While MFA is available for SaaS applications, cloud workloads, and VPN access, it can’t be enforced on common command-line access tools such as PsExec, PowerShell, and WMI. This is because the authentication protocols that AD uses – specifically Kerberos and NTLM – do not support MFA. These command-line tools are used regularly by network admins to gain remote access to machines across their network, but they’re also used by cybercriminals who know they can leverage them for lateral movement using stolen credentials without being impeded by MFA. This is a critical blind spot.

Protecting Service Accounts is a Challenge

The second blind spot has to do with non-human service accounts (also known as bots), which are machine-to-machine accounts used to automatically perform important functions in a network environment, such as updating software and conducting scans like health checks. The problem is that most organizations don’t know how many of these accounts they have or what each of them is doing (i.e., which sources and destinations the various service accounts are authenticating to).

The reason is that there is no diagnostic tool that can discover all of these accounts in an environment, which is alarming since many organizations have thousands of them. Scarier still is the fact that attackers relentlessly seek to compromise service accounts, which often have high privileges, so that they can conduct lateral movement virtually undetected and thus access multiple machines and systems easily.

Many organizations have in place a Privileged Access Management (PAM) solution to keep user accounts secure, but there are limitations when it comes to service accounts. This is because service account access is usually performed by executing scripts in which their credentials are hard-coded. That means these passwords can’t be rotated automatically by a PAM without causing problems (e.g., a service account no longer able to log in to its destination machine thus causing a critical process to break).

How Silverfort Addresses Security Blind Spots To Stop Ransomware

The Silverfort Unified Identity Protection platform was created to address these blind spots. By focusing on the place where user authentication takes place (i.e., within the identity provider), Silverfort can extend the real-time prevention of identity threats to all resources and prevent the spread of ransomware.

The way it works is that AD forwards all authentications and access attempts to Silverfort for a “second opinion” before any access decision is made. Once Silverfort receives the request, it analyzes it against its risk engine and configured policies to determine whether an additional security verification – specifically MFA – is needed. That means Silverfort is effectively protocol agnostic: As long as a user is authenticating to AD, that request can be analyzed and evaluated whether the protocol used is Kerberos, NTLM, or LDAP.

The result is that Silverfort can enforce MFA on any resource (either through its own service or via integrations with any MFA provider) including the command-line interfaces that attackers constantly use for lateral movement. This addresses the first blind spot that leads to ransomware spread.

Silverfort can also discover and protect all service accounts. Because the platform can see all authentications and access requests, it can quickly identify any accounts that display repetitive, machine-like behavior and label them as service accounts. Furthermore, Silverfort can provide “virtual fencing” for these accounts by allowing them to connect only to certain specified machines, triggering MFA (or even blocking access) if these accounts display behavior that deviates from their normal activity. This means any attacker who has compromised a service account would be stopped from performing lateral movement.
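To make the two mechanisms described above concrete, here is an added example (written for this article, not Silverfort’s code, and not a description of its actual risk engine) that models the protocol-agnostic “second opinion” flow from the previous section together with service-account discovery and virtual fencing. It runs over a constructed set of AD authentication events; the account names, hostnames, and the thresholds used to label an account as machine-driven are all assumptions chosen for illustration.

```python
"""Constructed demonstration of identity-layer policy on AD authentications:
1. discover service accounts from repetitive, machine-like logon patterns,
2. build a "virtual fence" of the source->destination pairs each one normally uses,
3. decide allow / block / mfa for new requests regardless of protocol.
Hostnames, accounts and thresholds are hypothetical, not from any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    account: str
    source: str
    dest: str
    protocol: str  # "Kerberos", "NTLM" or "LDAP"; the policy ignores this on purpose


def _regular(start, account, source, dest, protocol, n, step):
    """Generate n evenly spaced events, the signature of a scheduled job."""
    return [AuthEvent(start + i * step, account, source, dest, protocol) for i in range(n)]


T0 = datetime(2023, 1, 10, 0, 0)
# Constructed baseline telemetry: two scheduled jobs and one interactive user.
BASELINE = (
    _regular(T0, "svc-backup", "backup01", "fileserv01", "NTLM", 8, timedelta(minutes=15))
    + _regular(T0, "svc-scan", "scanner01", "dc01", "Kerberos", 6, timedelta(hours=1))
    + [  # a human user: few, irregular, multi-destination logons
        AuthEvent(T0 + timedelta(minutes=7), "alice", "wks-alice", "fileserv01", "Kerberos"),
        AuthEvent(T0 + timedelta(minutes=52), "alice", "wks-alice", "mail01", "Kerberos"),
        AuthEvent(T0 + timedelta(hours=3, minutes=4), "alice", "wks-alice", "srv02", "NTLM"),
        AuthEvent(T0 + timedelta(hours=5, minutes=41), "alice", "wks-alice", "fileserv01", "LDAP"),
    ]
)


def discover_service_accounts(events, min_events=6, max_pairs=2, max_jitter=0.10):
    """Heuristic (assumed thresholds): an account whose logons are numerous, confined
    to a few source->destination pairs and evenly spaced looks machine-driven."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    found = set()
    for account, evs in by_account.items():
        if len(evs) < min_events:
            continue
        if len({(e.source, e.dest) for e in evs}) > max_pairs:
            continue
        ts = sorted(e.ts for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        # coefficient of variation of the inter-logon gap: ~0 for a cron-like job
        if mean(gaps) == 0 or pstdev(gaps) / mean(gaps) > max_jitter:
            continue
        found.add(account)
    return found


def build_fences(events, service_accounts):
    """Virtual fence: the (source, dest) pairs each service account used during baseline."""
    fences = defaultdict(set)
    for e in events:
        if e.account in service_accounts:
            fences[e.account].add((e.source, e.dest))
    return dict(fences)


def decide(request, service_accounts, fences):
    """Policy for one authentication request, whatever protocol carried it.
    Service accounts: allow inside their fence, block outside it (they cannot answer MFA).
    Human accounts: require MFA even over Kerberos, NTLM or LDAP."""
    if request.account in service_accounts:
        allowed = fences.get(request.account, set())
        return "allow" if (request.source, request.dest) in allowed else "block"
    return "mfa"


def run_demo():
    svc = discover_service_accounts(BASELINE)
    fences = build_fences(BASELINE, svc)
    now = T0 + timedelta(days=1)
    requests = [
        AuthEvent(now, "svc-backup", "backup01", "fileserv01", "NTLM"),  # normal job run
        AuthEvent(now, "svc-backup", "wks-alice", "dc01", "Kerberos"),  # outside its fence
        AuthEvent(now, "alice", "wks-alice", "srv02", "NTLM"),          # human on a legacy protocol
    ]
    return svc, fences, [decide(r, svc, fences) for r in requests]


if __name__ == "__main__":
    print(run_demo())
```

The point of `decide` ignoring `protocol` is the one the article makes: once the decision sits at the identity provider rather than in the tool that initiated the logon, the same rule applies to a PsExec or WMI session over NTLM as to a web login. In practice the baseline window, jitter threshold and fence contents would be tuned per environment and reviewed before any blocking policy is enabled.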

All of this is done by configuring specific access policies in the Silverfort platform, which is an easy and intuitive process. Policies to enforce MFA on hard-to-protect resources like command-line access, file shares, and legacy applications can be put in place immediately, and many organizations find they’re able to discover and protect all service accounts within weeks and without any business disruption.

Contact us today for a demo and see how Silverfort can help your organization stop ransomware.
