The ongoing spate of ransomware attacks just got real for a large portion of the United States. Mess with our gasoline prices and you now have our full attention.
The Colonial Pipeline company—which supplies over three million barrels of fuel a day to most of the Southern states and Atlantic Coast—was shut down by a ransomware attack conducted by Russian adversaries.
It is unclear whether the ransomware specifically targeted the company’s business systems or also its operational technology (OT) that controls the flow of fuel through the pipeline. The full details are still unfolding, but given the severity of the attack, the company said it shut down its pipeline operations out of an abundance of caution.
The reality is that Colonial is just the latest victim in a continuing barrage of ransomware attacks that have cost companies millions, even billions.
According to a Wall Street Journal article, Beyond Colonial Pipeline, Ransomware Cyberattacks Are a Growing Threat, “While precise data on attacks are often difficult to come by, partly due to the desire for secrecy among both perpetrators and victims, ransomware victims paid hackers at least $350 million in cryptocurrency payments in 2020, a fourfold increase from the previous year, according to the blockchain analysis firm Chainalysis Inc. Other security experts and cybersecurity officials have estimated the overall toll on the U.S. economy registers in the billions annually.”
Below we break down how ransomware attacks unfold and what you can do about them. Spoiler alert: eliminating passwords can stop ransomware and other attacks!
How Do Ransomware Attacks Happen?
Ransomware attacks happen in multiple stages. In many instances, these stages are carried out by different, only transactionally related, threat actors.
Stage One of a Ransomware Attack
In the initial stage, attackers case systems the same way that a burglar would case a home or business. The main difference is that these operations are done on a massive scale. Adversaries use a wide range of tools to scan the internet and find weaknesses in a company’s network.
To be clear, this is not a “hack by hand” sort of arrangement. The tooling that modern-day adversaries use is highly automated and often hosted by an ecosystem of providers, just like SaaS software providers—but for the bad guys. These tools are super-efficient at rooting out vulnerabilities in a company’s network.
While there are many vulnerabilities that adversaries exploit to gain access in this first stage, the most common threat vector for ransomware attacks is RDP (remote desktop protocol). RDP and a host of other remote access tools enable administrators to access corporate systems remotely to do their work. But they also provide a convenient way into networks for ransomware attackers. In addition to RDP, remote access tools include VNC, TeamViewer, LogMeIn, and many others.
The most common vulnerability attackers exploit with remote access tools is the password. After scanning the network and finding the network ports commonly used by various remote access tools, the adversaries attempt a brute force attack. These brute force attacks are highly automated and use tools that try to log in with millions of common passwords until one works.
Once the attacker finds a password that works, they either use it themselves to gain access and launch the second stage of the attack or, more commonly, sell access to the compromised network to other attackers on the dark web or even open web forums.
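As an added example (not code from the original post), this is how a defender can spot the brute force pattern described above in Windows Security logs: a burst of failed RDP logons (event 4625, logon type 10) from one source, followed by a success (event 4624) from the same source, which is the moment the attacker has found a working password. The log lines are constructed and simplified renderings of the real events, and the threshold and time window are assumptions to tune per environment.

```python
# Added example. Windows Security event 4625 is a failed logon, 4624 a
# successful one; Logon Type 10 (RemoteInteractive) marks an RDP session.
# Real deployments would read events from a forwarder or SIEM, not a string.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source (203.0.113.7, a documentation address) sprays
# several accounts over RDP and eventually succeeds; another source is a user
# who mistyped a password once and then logged in normally.
SAMPLE_LOG = """\
2021-05-08T02:14:01Z 4625 LogonType=10 Account=administrator Src=203.0.113.7
2021-05-08T02:14:03Z 4625 LogonType=10 Account=admin Src=203.0.113.7
2021-05-08T02:14:04Z 4625 LogonType=10 Account=backup Src=203.0.113.7
2021-05-08T02:14:06Z 4625 LogonType=10 Account=svc_sql Src=203.0.113.7
2021-05-08T02:14:07Z 4625 LogonType=10 Account=jsmith Src=203.0.113.7
2021-05-08T02:14:09Z 4624 LogonType=10 Account=jsmith Src=203.0.113.7
2021-05-08T02:20:00Z 4625 LogonType=10 Account=mlee Src=198.51.100.22
2021-05-08T02:20:15Z 4624 LogonType=10 Account=mlee Src=198.51.100.22
"""

def parse(line):
    """Turn one simplified log line into a dict of its fields."""
    ts, event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = int(event_id)
    return rec

def detect_rdp_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: verdict} for sources with at least `threshold` failed
    RDP logons inside a sliding `window`. A later success from the same source
    upgrades the verdict, since that indicates a credential was found."""
    failures = defaultdict(list)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("LogonType") != "10":
            continue  # only RDP (RemoteInteractive) sessions are of interest
        src = rec["Src"]
        if rec["event"] == 4625:
            failures[src].append(rec["ts"])
            # drop failures that have aged out of the sliding window
            failures[src] = [t for t in failures[src] if rec["ts"] - t <= window]
            if len(failures[src]) >= threshold:
                alerts.setdefault(src, "brute_force")
        elif rec["event"] == 4624 and alerts.get(src) == "brute_force":
            alerts[src] = "brute_force_then_success"
    return alerts
```

The honest user at 198.51.100.22 produces no alert, while 203.0.113.7 is flagged as a brute force that succeeded; a success after a burst of failures is the finding that warrants immediate response (disable the account, terminate the session) rather than just a rate-limit.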
Stage Two of a Ransomware Attack
In the next stage, attackers enter the company’s network using credentials acquired in the first stage and install ransomware: specialized malware that further penetrates networks and encrypts files so that the company cannot access them. Adversaries have a host of ransomware tools available to use for this purpose, including open-source software, ransomware software for sale, and even RaaS (ransomware as a service).
In the Colonial Pipeline attack, the Russian adversaries deployed DARKSIDE ransomware. According to a Mandiant Report, “DARKSIDE ransomware operates as a ransomware-as-a-service (RaaS) wherein profit is shared between its owners and partners, or affiliates, who provide access to organizations and deploy the ransomware. Mandiant currently tracks multiple threat clusters that have deployed this ransomware, which is consistent with multiple affiliates using DARKSIDE. These clusters demonstrated varying levels of technical sophistication throughout intrusions.”
The last stage is the payment stage, where attackers demand the ransom, typically paid in Bitcoin so that it cannot be traced.
What Are the Latest Ransomware Tactics?
Some ransomware actors are deploying a new tactic designed to “encourage” companies and other organizations to pay up.
Recently, adversaries not only encrypt files but exfiltrate them to their command and control servers so they can review them. They then threaten to release the files to the public to embarrass the organization and its executives, or to simply cost the company money by divulging its intellectual property.
In one recent example, the Babuk ransomware gang threatened the Washington, DC Police Department and then released documents after they failed to pay a $100K ransom. According to NBC, the initial release contained profiles on 22 police officers that included “Social Security numbers, dates of birth, results of psychological assessments, copies of driver’s licenses, fingerprints, polygraph test results, as well as residential, financial and marriage history.”
This tactic not only encourages payment but also thwarts one of the important countermeasures to ransomware: backups. If the organization has current backups of its files, then they can restore them and avoid the ransom. This restoration process is not without cost. But in cases where ransomware actors threaten to release sensitive information, the backup strategy does not solve the problem.
How Can Eliminating Passwords Help Prevent Ransomware?
There are a few key mitigation strategies that companies can employ. But at the very top of everyone’s list is implementing multi-factor authentication (MFA) or two-factor authentication (2FA)—especially for systems that provide remote access to IT and OT systems. This was the case with the US-CERT recommendation in response to the Colonial Pipeline attack.
This important mitigation is aimed squarely at stopping attackers from using stolen passwords to gain easy access to networks via remote access tools, thwarting their ability to install the ransomware software.
Unfortunately, not all MFA software is created equal.
Many legacy MFA methods still use passwords and rely on other “weak factors”, such as a one-time password sent over an insecure channel like SMS. We detailed the issues with traditional/legacy MFA in the blog posts How Your MFA Can Be Hacked (With Examples) and How Secure is Two-Factor Authentication?
The state of the art for MFA is passwordless MFA. Passwordless MFA removes the password entirely from the authentication transaction and does not rely on other weak factors.
As Ant Allan, VP Research at Gartner, recently noted when discussing the myth of strong passwords, “While it is important to highlight the weaknesses of passwords, any message that you can make passwords ‘strong’ is egregiously misleading. Given today’s enhanced threat landscape, relying on passwords alone is imprudent, even reckless. Adding an extra factor, such as a token, to enable multi-factor authentication (MFA) is a minimum good practice, but the top practice is to move to passwordless authentication. In short, the only strong password is no password.”
We agree with Ant and would love to show you how our passwordless MFA solution can not only stop ransomware and other password-based attacks in their tracks but how Beyond Identity can become an authentication solution that your users actually love! Don’t believe us? Listen to Mario Duarte, the VP of Security at high-flying cloud-based data analytics firm, Snowflake.
“There isn’t a day that we don’t receive an email from our employees raving about what Beyond Identity is doing for them!”