The U.S. federal government periodically dispenses advice about how individuals and businesses can keep their data protected and remain aware of cybersecurity threats. Recently, the U.S. Joint Ransomware Task Force (JRTF), an interagency body co-chaired by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), issued a “#StopRansomware Guide” for organizations at risk of being targeted by ransomware attacks.
Authored by CISA, the FBI, and the National Security Agency (NSA), the #StopRansomware Guide “provides guidance for all organizations to reduce the impact and likelihood of ransomware incidents and data extortion, including best practices to prepare for, prevent, and mitigate these incidents.”
The #StopRansomware Guide is a necessary response to a real threat to Americans and U.S. businesses. One need only look to the Palo Alto Networks Ransomware and Extortion Report and the State of Ransomware Report from Sophos (both cited further below) for more evidence of the damage caused by ransomware.
Businesses interested in staving off and mitigating the damage from ransomware attacks should consider reading the guide and reviewing both reports. This blog is focused on the role of password managers and passwordless technologies in protecting credentials.
For background, the #StopRansomware Guide defines ransomware as follows:
“Ransomware is a form of malware designed to encrypt files on a device, rendering them and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
Over time, malicious actors have adjusted their ransomware tactics to be more destructive and impactful and have also exfiltrated victim data and pressured victims to pay by threatening to release the stolen data.
The application of both tactics is known as ‘double extortion.’ In some cases, malicious actors may exfiltrate data and threaten to release it as their sole form of extortion without employing ransomware.”
It goes on to state:
“These ransomware and associated data breach incidents can severely impact business processes by leaving organizations unable to access necessary data to operate and deliver mission critical services.
The economic and reputational impacts of ransomware and data extortion have proven challenging and costly for organizations of all sizes throughout the initial disruption and, at times, extended recovery.”
This explanation captures the challenges businesses face in remaining vigilant against ransomware threats. According to the 2023 Sophos State of Ransomware Report, 66% of respondents reported their organization was affected by ransomware. For comparison, in 2020 that number was 51%.
Meanwhile, Palo Alto Networks reports that half of all ransomware incidents posted on leak sites in 2023 involved U.S. organizations, trailed by Europe, the Middle East, and Africa. The manufacturing industry was the most impacted by extortion attacks, followed by the professional and legal services industry. Interestingly, Palo Alto Networks found that harassment of individuals within an organization was a factor in 20% of ransomware cases, up from 1% in the previous year this was measured.
The Sophos report found that “payments themselves have increased considerably over the last year, with the average (mean) ransom payment almost doubling from $812,380 in 2022 to $1,542,333 in 2023. The median ransom payment reported in this year's study was $400,000.” It also noted that “organizations reported an estimated mean cost to recover from ransomware attacks of $1.82 million, an increase from the 2022 figure of $1.4 million.”
The Palo Alto Networks Report also probed the financial impact of ransomware, noting ransomware payment demands ranged from $3,000 to $50 million. In actuality, payments were “as low as $3,000 and as high as $7 million.” The median payment tracked by Palo Alto Networks hewed closely to the Sophos number: $350,000.
Write the authors of the Palo Alto Networks Report, “threat actors want you to feel pressured. The more you feel this way, the more likely you will pay what they demand. When cybercriminals use tactics such as harassment and urgency in addition to encryption, they’re trying to make you feel out of control and under pressure so you’ll do what they want.”
These figures are jarring. Fortunately, organizations can shore up security safeguards and minimize ransomware attack risks through password management best practices and passwordless authentication adoption.
While ransomware can be delivered through a number of avenues, the Federal Trade Commission (FTC) notes that “phishing emails make up most ransomware attacks.” As discussed in this Bitwarden blog, phishing attacks are social engineering tactics that attempt to trick people into divulging confidential information like login credentials, bank account numbers, or Social Security numbers, or to redirect victims to websites housing malware downloads.
Recognizing the role of phishing in facilitating ransomware attacks, pages 9 and 10 of the #StopRansomware Guide offer recommendations for protecting credentials. The guide suggests organizations:
Implement phishing-resistant multi-factor authentication (MFA/2FA) for all services.
Consider passwordless MFA that replaces passwords with two or more verification factors (e.g., a fingerprint, facial recognition, a device PIN, or a cryptographic key).
Implement password policies that require unique passwords of at least 15 characters and utilize a password manager.
Store passwords in a secured database and use strong hashing algorithms.
Educate all employees on proper password security in your annual security training to include emphasizing not reusing passwords and not saving passwords in local files.
Password managers limit the damage from credential theft because they make it easy to generate a strong, unique password for every site. This removes the incentive to reuse passwords or to fall back on weak ones that are simply easy to remember. A browser-extension password manager also only offers a saved login on the domain it was saved for, so a look-alike phishing page gets no autofill, which is a useful warning sign for the user. Password managers alone won't stop every ransomware attack: a user may still be phished into typing credentials by hand. But the scope of the attack will likely be limited, because the stolen password doesn't unlock any other account.
Password managers such as Bitwarden further protect the vault itself with two-factor authentication (2FA), which requires a second verification factor in addition to the master password at login. This is typically a hardware security key, an authenticator app code, or an emailed code. Of these, only a FIDO2/WebAuthn security key is phishing-resistant in the sense the guide means: one-time codes from an app or email can be relayed by a real-time phishing proxy, while a security key's response is bound to the genuine site's origin and is useless to a look-alike domain.
The #StopRansomware Guide notes that passwordless multi-factor authentication (MFA) can further strengthen verification through biometrics (e.g., a fingerprint, facial recognition), a device PIN, or a cryptographic key. Recent data found that nearly three in 10 ransomware attacks started with threat actors using a stolen password. Passwordless solutions like passkeys give individuals and businesses a more effective defense against ransomware by removing weak or reused credentials from the attack surface altogether: there is no password to reuse, because each passkey is a key pair created uniquely for one user at one service. Passkeys resist phishing because the WebAuthn protocol binds each passkey to the origin of the site that registered it and authenticates with a signature over a fresh server challenge rather than by transmitting a secret. A look-alike domain cannot invoke the passkey, and a captured response cannot be replayed. That closes one of the most common initiation points for breaches and ransomware attacks.
Hopefully, the federal government continues to recognize the growing momentum toward passwordless technology. In the 2023 Bitwarden Password Decisions Survey, 49% of the IT decision-maker respondents said they were deploying or had plans to deploy passwordless technology. Of those utilizing passwordless authentication, 51% are relying on the ‘something you are’ (biometrics, facial recognition, voiceprint) form of passwordless authentication.
Ransomware attacks are complex and successful mitigation against them requires a multi-layered approach. Password management and passwordless authentication measures create the foundation for a strong security culture, foster good password hygiene, and give employees and organizations the tools they need to strengthen credential security. In a world in which a majority of businesses are affected by ransomware, that means something.
Ready to try out password sharing with Bitwarden? Quickly get started with a free Bitwarden account, or start a 7-day free trial of our business plans to keep your team safe online. Still have questions? Check out the free weekly demo.