One for the Money, Two for the Show, $4.4M for the Ransomware Gang That Used ATO

Ransomware has reached crisis levels across business sectors and across the globe. No industry or company is off-limits anymore. As the dust begins to settle from the recent flurry of news-making attacks, two things are becoming clear:

1. Ransomware is now a mortal threat as it seeks to hobble the operations of key public needs including energy, hospitals, transportation, and food.
2. Stolen credentials are fueling the surge in these attacks.

According to Bloomberg, the attack last month on Colonial Pipeline – the largest fuel pipeline in the U.S. – was “the result of a single compromised password.” On April 29, attackers gained access into the company’s networks through an employee’s virtual private network account. The employee’s password was discovered in a batch of leaked passwords available on the dark web, which means that the employee “may have used the same password on another account that was previously hacked.” Though exact details are still being sorted out, it is very likely that employee password reuse ended up costing Colonial $4.4M in ransom payment alone (note that part of their payment was later recovered by the Justice Department).

As ransomware has surged in recent years – with recovery costs averaging $1.85 million in 2021, more than 10 times the size of the average ransom payment – so has the prevalence of stolen credentials as a tactic in perpetrating these attacks.

Analysis of one ransomware attack earlier this year found that the bad actors had stolen the credentials of a domain admin (an employee who had passed away months prior). That account was a ‘ghost account,’ something the IT team had forgotten to delete but still granted access to company data. And don’t forget that the SolarWinds hack from December 2020 that continues to impact thousands of U.S. federal agencies and contractors is believed to have resulted from a password spraying attempt. Evidence suggests bad actors gained access to a SolarWinds update server admin account by leveraging the password “solarwinds123.”

The fact that such massively disruptive, costly and life-threatening attacks are being caused by poor password habits is frustrating, to say the least. Last year, SpyCloud recovered nearly 1.5 billion stolen credentials from the breaches and botnet lots, adding to our database, which contains nearly 25 billion passwords alone. However, stolen credentials are only part of the problem; in 2019 and 2020, SpyCloud observed a 60% password reuse rate for users with more than one password exposed in the last year. These are the credentials being used to gain access to critical systems, where these attacks are perpetrated.

However insurmountable ransomware may seem, it’s important to remember that it only works when it has access to your systems. The easiest way to gain unauthorized access is to guess or steal login credentials. Because of this, ransomware is often a follow-on attack stemming from account takeover (ATO), a much more ubiquitous problem.

With data breaches up last year, even more stolen credentials have become available to criminals. And since so many ransomware attacks rely on stolen credentials, preventing it is nearly impossible unless you are actively addressing ATO through the continuous monitoring and remediation of exposed credentials. By the time businesses are aware that an employee’s credentials have been used to plant ransomware on their network, it’s too late.

Historically, most organizations have viewed cyber attacks as something that only happens to other organizations. That era is officially over and the fact that ransomware has proven profitable means it is likely to remain a significant threat for quite some time. Businesses of all size and sector will continue being disrupted and the remediation process will be costly and time-consuming. In comparison, it takes relatively little effort to force a password reset when you know an employee is compromised.

Stop exposures from becoming account breaches.