How IAM Resilience Can Mitigate Ransomware Attacks
A recent ransomware attack by the 0mega group is a startling reminder of why IAM resilience matters. Since 2019, ransomware attacks have increased by 13%, and by 2031 it is estimated that there will be a ransomware attack every 2 seconds. With the average attack costing companies $1.85 million, preparing for and mitigating an attack is as important now as ever.
Recent 0mega Attack
While ransomware attacks are nothing new, they are ever-evolving. One recent attack by the 0mega ransomware group compromised a company’s entire SharePoint environment (Microsoft 365). The attack began with a compromised Microsoft 365 Global Administrator service account. Multi-factor authentication (MFA) was not enabled on this account, so a single stolen credential was enough to take it over, which further exacerbated the attack.
Using the compromised account, the attackers created a new AD user account named 0mega and granted it elevated permissions: Global Administrator, SharePoint Administrator, Exchange Administrator and Teams Administrator, plus Site Collection Administrator on multiple SharePoint sites. The new 0mega account was then used to remove the existing administrators. Within two hours, it had removed more than two hundred admin accounts.
After removing the admin accounts, the attackers used sppull, a publicly available Node.js module for pulling files from SharePoint, to download hundreds of files from the company’s SharePoint. But they did not stop there. They then uploaded hundreds of text files named “PREVENT-LEAKAGE.txt.” Like the download, the upload was automated with a publicly available Node.js HTTP client module, got.
0mega finished the attack by leaving the company a link to a chat website. On this site, the company could interact with the ransomware operators and negotiate payment to keep its data from being published. Note that none of the steps described above encrypted anything; the leverage was the threat of leaking the stolen data.
Ransomware and IAM
The recent 0mega attack illustrates the importance of IAM resilience in mitigating and avoiding ransomware attacks. IAM resilience has two major components: detecting incidents and recovering from them.
One way to detect an incident is to compare the current state of the identity system with a historical backup. The comparison highlights unauthorized changes made since the backup: accounts that did not exist, roles that were granted, and administrators that were removed. Least privilege supports detection as well as prevention: when accounts hold only the permissions their business function requires, an unexpected Global Administrator grant stands out, and a compromised account can do far less damage. Alerts should cover potentially suspicious behaviour such as the creation of a new account, a login from an atypical country, a newly created account being granted privileged roles it does not need, and a burst of administrator removals from a single account. Finally, MFA should be enforced on every account, and especially on privileged service accounts, which are frequently exempted from MFA and, as in this attack, become the easiest way in.
To prepare specifically for a 0mega-style attack, it is recommended to alert on a new AD user with “0mega” in the user name or details, and on uploads of text files named “PREVENT-LEAKAGE.txt.” Activity generated by ‘sppull’ or ‘got’ can also be flagged: in Microsoft 365 these tools are visible mainly through the user agent string recorded in the unified audit log, so the alert should match on that field. Treat these name-based indicators as a supplement, not a substitute, for the behavioural alerts above: an attacker can rename an account or a file in seconds, but cannot escalate privileges or exfiltrate data without leaving the behaviour they describe.
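The detection logic described in the two paragraphs above, as an added example that is not part of the original article or any vendor product: it runs both the behavioural rules (new account, new account granted a privileged role, bulk role removals, bulk scripted downloads) and the 0mega-specific indicators (account name, ransom note file name, sppull/got user agent) over unified audit log records. The records are constructed for this example; the field and Operation names follow the Microsoft 365 unified audit log schema as this example assumes it, and the user agent string for got is an assumption about what that client sends.

```python
"""Behavioural and indicator-based detections for a 0mega-style attack on SharePoint.

Input: Microsoft 365 unified audit log records as dicts (one per event).
The records below are CONSTRUCTED for this example; field and Operation names
follow the unified audit log schema as this example assumes it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_ROLES = {"Global Administrator", "SharePoint Administrator",
               "Exchange Administrator", "Teams Administrator"}
# Substrings identifying the Node.js clients used in the attack (assumed user agents).
SCRIPTED_UA = ("sppull", "got (")
GOT_UA = "got (https://github.com/sindresorhus/got)"


def _ev(t, op, actor, **extra):
    """Build one constructed audit record at time t on 2023-07-01."""
    return {"CreationTime": f"2023-07-01T{t}", "Operation": op, "UserId": actor, **extra}


SAMPLE_LOG = [
    _ev("10:00:00", "UserLoggedIn", "svc-globaladmin@contoso.example", ClientIP="203.0.113.10"),
    _ev("10:05:00", "Add user.", "svc-globaladmin@contoso.example", ObjectId="0mega@contoso.example"),
    _ev("10:06:00", "Add member to role.", "svc-globaladmin@contoso.example",
        ObjectId="0mega@contoso.example",
        ModifiedProperties=[{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]),
] + [  # the new account strips six existing admins in five minutes
    _ev(f"10:{10 + i:02d}:00", "Remove member from role.", "0mega@contoso.example",
        ObjectId=f"admin{i}@contoso.example",
        ModifiedProperties=[{"Name": "Role.DisplayName", "NewValue": "SharePoint Administrator"}])
    for i in range(6)
] + [  # scripted bulk download, then the ransom note upload
    _ev(f"11:{i:02d}:00", "FileDownloaded", "0mega@contoso.example",
        UserAgent=GOT_UA, SourceFileName=f"contract-{i}.docx")
    for i in range(4)
] + [
    _ev("11:30:00", "FileUploaded", "0mega@contoso.example", UserAgent=GOT_UA,
        SourceFileName="PREVENT-LEAKAGE.txt", SiteUrl="https://contoso.example/sites/finance"),
]


def _ts(ev):
    return datetime.fromisoformat(ev["CreationTime"])


def _role(ev):
    for prop in ev.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue")
    return None


def _max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any sliding window."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events, removal_threshold=5, download_threshold=3, window=timedelta(hours=2)):
    """Return (rule, actor, detail) alerts for the events, behavioural rules first."""
    events = sorted(events, key=_ts)
    alerts, created = [], {}  # created: new account -> creation time

    for ev in events:
        op, actor, obj = ev["Operation"], ev["UserId"], ev.get("ObjectId", "")
        if op == "Add user.":
            created[obj] = _ts(ev)
            alerts.append(("new_account", actor, obj))
            if "0mega" in obj.lower():  # brittle name indicator from the article
                alerts.append(("ioc_account_name", actor, obj))
        elif op == "Add member to role." and _role(ev) in ADMIN_ROLES:
            # A privileged role on an account created moments ago: the 0mega escalation shape.
            if obj in created and _ts(ev) - created[obj] <= window:
                alerts.append(("new_account_granted_admin", actor, f"{obj} -> {_role(ev)}"))
        elif op == "FileUploaded" and ev.get("SourceFileName", "").upper() == "PREVENT-LEAKAGE.TXT":
            alerts.append(("ransom_note_upload", actor, ev.get("SiteUrl", "")))

    # Volume rules: many role removals, or many scripted downloads, by one actor in the window.
    series = defaultdict(list)
    for ev in events:
        ua = ev.get("UserAgent", "").lower()
        if ev["Operation"] == "Remove member from role.":
            series[("role_removal", ev["UserId"])].append(_ts(ev))
        elif ev["Operation"] == "FileDownloaded" and any(s in ua for s in SCRIPTED_UA):
            series[("scripted_download", ev["UserId"])].append(_ts(ev))
    for (kind, actor), times in series.items():
        limit = removal_threshold if kind == "role_removal" else download_threshold
        if _max_in_window(times, window) >= limit:
            alerts.append((f"bulk_{kind}", actor, f"{len(times)} events"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds and the two-hour window are tuning knobs, not recommendations; in a real tenant they should be set from a baseline of normal administrator activity. Note that the sppull/got rule fires on the user agent only, so an attacker who sets a browser-like user agent is caught by the bulk-download count instead, which is the reason both rules exist.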
When it comes to recovering from an attack, it’s essential to protect your data, investigate the incident, and return to normal business operations quickly. Point in Time (PiT) backups are one effective way to protect your data. By capturing the state of the system at regular intervals, PiT backups give you a complete, known-good snapshot for each interval, and any snapshot can be compared with the current version of the system to aid the investigation. Of course, the backups themselves have to be secure; a backup that the attacker can reach is of no use. Air gapped storage keeps backups unreachable from other applications and users in the environment, so an attacker holding a Global Administrator account cannot delete or alter them along with everything else.
When an incident does occur, you will want to return to normal business operations as seamlessly as possible, and PiT backups offer several ways to do so. If an incident is identified quickly enough, the backup can be used to restore only the affected accounts. Had the 0mega attack been identified as soon as the service account was compromised, that account’s configuration could have been restored from backup, greatly reducing the impact. Restoring the account alone does not evict the attacker, however: the credential they hold must also be reset, their active sessions revoked, the rogue 0mega account removed, and MFA enforced before the restored account goes back into service. If an incident is not identified as quickly, backups still provide an effective way to return the full system to a stable state.
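The backup-to-current comparison and the targeted restore described above (and the same comparison used for detection earlier on the page), as an added example that is not part of the original article or any backup product. A PiT backup of the directory is modelled as a mapping from user principal name to the directory roles it holds, plus site collection administrators per site; both snapshots are constructed for this example. `diff_snapshots` lists what changed since the backup, and `restore_plan` orders the recovery so that the attacker is evicted before any administrator is restored.

```python
"""Compare a point-in-time directory backup with the current tenant and plan a targeted restore.

Snapshots are CONSTRUCTED for this example: users map UPN -> set of directory roles;
site_admins map site URL -> set of UPNs holding Site Collection Administrator.
"""

BACKUP = {
    "users": {
        "svc-globaladmin@contoso.example": {"Global Administrator"},
        "alice@contoso.example": {"SharePoint Administrator"},
        "bob@contoso.example": {"Exchange Administrator"},
        "carol@contoso.example": set(),
    },
    "site_admins": {"https://contoso.example/sites/finance": {"alice@contoso.example"}},
}

CURRENT = {  # after a 0mega-style attack: rogue account added, existing admins stripped
    "users": {
        "svc-globaladmin@contoso.example": {"Global Administrator"},
        "alice@contoso.example": set(),
        "bob@contoso.example": set(),
        "carol@contoso.example": set(),
        "0mega@contoso.example": {"Global Administrator", "SharePoint Administrator",
                                  "Exchange Administrator", "Teams Administrator"},
    },
    "site_admins": {"https://contoso.example/sites/finance": {"0mega@contoso.example"}},
}


def _diff_sets(before_map, after_map):
    """Per-key additions and removals between two dicts of sets."""
    added, removed = {}, {}
    for key in set(before_map) | set(after_map):
        before, after = before_map.get(key, set()), after_map.get(key, set())
        if after - before:
            added[key] = sorted(after - before)
        if before - after:
            removed[key] = sorted(before - after)
    return added, removed


def diff_snapshots(backup, current):
    """Return the changes since the backup that a responder would treat as suspect."""
    roles_added, roles_removed = _diff_sets(backup["users"], current["users"])
    sites_added, sites_removed = _diff_sets(backup["site_admins"], current["site_admins"])
    return {
        "new_accounts": sorted(set(current["users"]) - set(backup["users"])),
        "deleted_accounts": sorted(set(backup["users"]) - set(current["users"])),
        "roles_added": roles_added, "roles_removed": roles_removed,
        "site_admins_added": sites_added, "site_admins_removed": sites_removed,
    }


def restore_plan(changes, compromised_accounts=(), trusted_after_backup=()):
    """Ordered recovery steps that touch only what the attack changed.

    compromised_accounts: accounts the attacker logged in with (known from the audit log).
    trusted_after_backup: accounts legitimately created since the backup, confirmed with
    the business, so they are not treated as attacker artifacts.
    """
    plan = []
    rogue = [u for u in changes["new_accounts"] if u not in trusted_after_backup]
    # 1. Evict the attacker first. Restoring admins while the rogue account still holds
    #    Global Administrator just invites it to undo the restore.
    for upn in rogue:
        plan.append(("disable_and_revoke_sessions", upn))
        for role in changes["roles_added"].get(upn, []):
            plan.append(("remove_role", upn, role))
    for site, admins in changes["site_admins_added"].items():
        for upn in admins:
            if upn in rogue:
                plan.append(("remove_site_admin", site, upn))
    # 2. The account the attacker used is still compromised even though its roles are
    #    unchanged: rotate its credential and require MFA before it is used again.
    for upn in compromised_accounts:
        plan.append(("rotate_credentials_enforce_mfa", upn))
    # 3. Only now put back the role and site-admin assignments the attacker stripped.
    for upn, roles in changes["roles_removed"].items():
        for role in roles:
            plan.append(("restore_role", upn, role))
    for site, admins in changes["site_admins_removed"].items():
        for upn in admins:
            plan.append(("restore_site_admin", site, upn))
    return plan


if __name__ == "__main__":
    for step in restore_plan(diff_snapshots(BACKUP, CURRENT),
                             compromised_accounts=["svc-globaladmin@contoso.example"]):
        print(step)
```

In a live tenant the two snapshots would come from the backup product's export and from Microsoft Graph respectively, and each step in the plan maps to one directory write; keeping the plan as data rather than executing it immediately lets a responder review it, and lets `trusted_after_backup` absorb the legitimate changes that any comparison against an older backup will also surface.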
The Importance of IAM Resilience
Ransomware attacks are becoming increasingly common. With the hefty price tag these attacks carry, avoiding and mitigating them is essential for any business. But the price of a ransomware attack isn’t limited to the cost of securing your data. A study by Object First found that 75% of customers would consider switching to a competitor if a company was attacked by ransomware. To minimize the chance of a ransomware attack and keep your customers’ confidence, it’s important to ensure your IAM system is resilient.
A resilient IAM solution should protect your data, offer incident investigation, and include disaster recovery activities. PiT backups and air gapped storage are effective ways of protecting data by ensuring it is captured and securely stored. Comparing the current system to historical backups aids incident investigation by identifying unauthorized changes and compromised accounts. Restoring a system to a backup version is an effective way to quickly return business operations to normal after an attack. Depending on the specifics of the attack, it can be helpful to restore the full system or only compromised accounts. With ransomware attacks on the rise, it’s crucial to consider the resiliency of your IAM system as it can make all the difference when disaster strikes.