How does MFA help prevent ransomware?

Ransomware attacks against an organization rely heavily on the scammer's ability to steal the credentials of those accounts.

Because the attacks orchestrated require some degree of access to a computer, account, or network system, one of the best defense measures against ransomware is multi-factor authentication (MFA).

While the cost of all cyber crime is scaling up, with estimated damages due to incidents sitting at around $6 trillion for 2021, one particular sub-group within the cyber crime industry has really taken a toll on organizations.

This sub-group is ransomware, which takes multiple tactics of a cyber attack like malware, extortion, and denial of access, and wraps it into one, cohesive strike against an organization causing detrimental harm.

The high level of sophistication of a ransomware attack is the reason that ransom totals are expected to hit $20 billion by the end of 2021.

The way ransomware is deployed and how it functions can vary from attack to attack. The scammer may use cryptography or system access denial as a way to instigate financial extortion. There may also be multiple layers of ransom demands (double extortion) as a persuasion measure for the victim to pay.

A victim (typically a negligent employee) downloads the malware from a phishing email (or website) which causes the victim’s data and files to be encrypted.

There is a message that pops up that explains that only upon paying the cyber scammer, usually by crypto currency, can the victim receive the private decryption key to access their data again.

Like other viruses, this one can spread from the entry point computer to other devices and drives on the network and sometimes even within cloud drives, compromising the entire organization.

A victim (typically a negligent employee) submits their credentials in a phishing scam to the scammer.

The scammer, once the credentials are used to log into a system, disables all functions of the victim’s computer except for a pop-up window showing the ransom demand.

Only upon paying the ransom will the scammer unlock the computer functions.

An organization falls victim to a crypto-ransomware attack.

In addition to the encryption of the organization's data and files, the scammer makes a threat, using a time limit, that the data will be deleted, sold on the black market or fully publicized if payment is not completed by that countdown.

Much of the success of ransomware against an organization is contingent on the scammer's ability to acquire the credentials of accounts within that organization. This usually is done using social engineering methods such as credentials harvesting phishing scams.

Once acquired, they can attempt to deploy a locker ransomware attack on a device or try to impersonate trusting members of an organization to send downloadable malware to other employees for a crypto ransomware attack.

Since these attacks require access to a computer, account, or network system, multi-factor authentication (MFA) is one of the best ways to defend against ransomware.

Multi-factor authentication (MFA), by default, can decrease the risk of ransomware since it requires additional authentication, through another password, device or biometric indicator. This means that even if a scammer were to have the credentials to access a user account or network system, they would need that additional authenticator to gain access and begin the ransomware deployment process.

UserLock can enforce MFA requirements on all Windows Active Directory (AD) user logins. Once enforced, users will be required to use one of UserLock's supported MFA methods: push notifications, authenticator applications, or a programmable hardware device such as YubiKey and Token2.

• The MFA enforcement features of UserLock are not restricted by connection type.

  System administrators can require MFA for all users, even those remotely. This is especially important as cyber criminals who deploy ransomware are well-versed in the security vulnerabilities of remote connections. So if they are aware of an organization that's utilizing a work-from-home or hybrid model which requires remote connectivity, that organization is likely to become a target.

• UserLock can extend its authentication enforcement capabilities even further by protecting against different “offline access” types.

  MFA can be required for users who work remotely and are not connected to the corporate network, as well as those who are on-site but without internet access. In these situations, while ransomware likely won’t be able to spread throughout the other devices due to non-connectivity to the corporate network, ransomware can still compromise that specific user’s device which could still hold sensitive data, making MFA still useful and necessary for security.

• There’s also circumstantial MFA customization that allows administrators to decide which login scenarios will require MFA.

  For instance, MFA conditions can be set as to when there will be MFA requirements. System administrators have the option to require MFA on every login, only on the first login, a set frequency of every X number of days, as well as everytime the login is from a new IP address. Regardless of when MFA is prompted, if a scammer has login credentials but a company is using the UserLock MFA circumstantial management, their ransomware plot can be foiled as at some point, they will need the additional authentication to initiate their ransomware.

Enforcement of MFA works best to protect against ransomware when it also includes a system of monitoring MFA activity. UserLock allows you to track MFA events providing data on successful MFA logins, cancelled MFA attempts, failed MFA attempts, MFA where user help is requested, and skipped MFA configuration.

System administrators are alerted in real-time for when users need help with their MFA to either reset the MFA key or disable MFA for that particular login. Depending on the contextual restrictions set for system access, a system administrator may even want to receive notifications in the event of a failed MFA attempt to track the incubation of a potential ransomware attack.

For example, let's say that a cyber criminal obtained multiple sets of a user’s credentials through a social engineering plot like a phishing email or spoofed login website page. Then, they tried to connect to the corporate network through a VPN using those credentials, only to find that MFA was prompted at every login. They tried to guess the six-digit token password but failed, which alerted the system administrator of a failed MFA attempt.

Immediately upon discovery, the system administrator has the option to reset the MFA once just in case it was the employee. Then on the second failed attempt, deny that session any access, inform the employee that their credentials have been compromised, and require password resets for all of their accounts.