The rapid growth of ransomware attacks is showing little sign of abating, with 37% of organisations hit by a ransomware attack in 2021, according to Sophos. The average ransom paid increased to over £125,000, but factoring in the full cost of data recovery and downtime, the average attack cost over £1.35 million to rectify.
While sectors such as retail and local government are targeted most frequently, any organisation which manages essential services or sensitive customer data can be a potentially lucrative target for ransomware attackers. Instead of facing the choice of paying a ransom, with no guarantee of regaining access to systems and data, or suffering downtime, organisations need to act to secure their data against the growing threat.
Any data breach can expose organisations to the threat of a ransomware attack. Typically, after gaining unauthorised access, attackers deploy malware which can either harvest corporate data or prevent the business from accessing its own systems and data until a ransom has been paid, usually in digital currencies such as Bitcoin.
While software exists to specifically counter the malware frequently deployed in ransomware attacks, focusing on anti-malware alone is failing to protect organisations; privileged user access must also be made secure. As well as being required to actually deploy malware, unauthorised access alone can often be enough to shut down an organisation’s systems if the account has a high level of privilege. In the case of extortionware attacks, where the attacker threatens to publicly release sensitive data, even accounts with low user privileges may be sufficient to carry out a successful attack.
In the high-profile 2021 attack on Brenntag, a chemical distribution company, the attackers claimed to have gained access by purchasing credentials from the dark web. Brenntag ultimately paid £3.8 million to regain access to its systems, one of the largest ransoms paid to date.
The growth of remote working has also enabled ransomware attackers to exploit vulnerabilities in remote access systems, particularly Remote Desktop Protocol (RDP) ports, which are the most common attack vector used by threat actors to gain access to networks, according to the UK government’s National Cyber Security Centre. If user credentials become compromised, attackers can leverage the open ports to gain access to devices and all applications in use, potentially even compromising resources which were previously protected within the organisation’s network perimeter.
Preventing unauthorised access is the most important factor in stopping ransomware attacks, and passwords are a key attack vector for cybercriminals. Credentials are frequently obtained in phishing attacks, or can be purchased from the dark web if they have been compromised in prior data breaches and reused across multiple accounts. With more than 3.4 billion phishing emails sent every day, and users frequently reusing passwords due to the impracticality of memorising unique passwords for the large number of applications used by enterprises, there is a high likelihood of at least one employee presenting a potential avenue of entry for attackers.
Ultimately, humans are the weak link when it comes to passwords. An Identity and Access Management (IAM) solution which can provide Single Sign-On (SSO) can replace passwords with secure tokens, or automatically generate and fill strong passwords which remain undisclosed to end users. This prevents credentials compromised in historic attacks from being used to gain unauthorised access to applications, and prevents credential phishing, since users cannot be phished for passwords they do not know.
Multi-factor authentication (MFA) is an effective technology measure to add additional security to the most sensitive data likely to be targeted in a ransomware attack. Because an additional factor of authentication is required, attackers cannot gain unauthorised access simply by obtaining valid credentials. In the negotiations following the attack on Brenntag, the attackers even advised the company to deploy MFA to prevent such a security breach from occurring in the future.
A significant challenge in effective MFA implementation is the lack of visibility of all applications in use within an organisation – the prevalence of Shadow IT is over ten times larger than known cloud usage, according to McAfee. MFA cannot be mandated or enforced on applications that the IT security team is unaware of, creating vulnerabilities which can be exploited by attackers. Implementing an IAM solution that can automatically detect and report Shadow IT provides IT security teams with the visibility necessary to enforce MFA where it is most needed. This enables organisations to remove these vulnerabilities and maximise the effectiveness of their investment in MFA.
Zero trust security models focus on mitigating the impact of data breaches by limiting the potential damage an attack can cause. This is achieved by preventing users from having automatic access to all corporate data in the event of the security perimeter being breached. With zero trust, even if an account is compromised, it is far less likely to have access to sufficient systems or data to be valuable enough to carry out a successful attack.
Zero trust security models strictly control privileged access to ensure that each employee only has access to the resources they require to do their job, and no more. IAM solutions are crucial in helping to create the ‘never trust, always verify’ framework for zero trust, and account lifecycle management ensures that users are automatically offboarded from applications when they leave the organisation or change roles, and that only the right people have access to the right resources at the right time.
Preventing the initial unauthorised access to corporate systems that attackers depend upon is key to protecting against ransomware attacks, and it is here that an IAM solution is critical in fulfilling that role. Relying solely on anti-malware technology fails to adequately protect organisations: not only can newer forms of malware go undetected, but anti-malware in and of itself can fail to protect against certain types of attacks. Cybersecurity training is also popularly used to educate employees on the risks of phishing and poor password practices, but research from My1Login has shown that this ultimately has little effect on user behaviour – even among users who had received cybersecurity training, 85% continued to reuse passwords, for example.
By leveraging the security benefits of an IAM solution, organisations can mitigate the weaknesses inherent to password-based authentication, ensuring corporate applications are protected by either passwordless authentication or strong, unique passwords, eliminating phishing and stolen credentials as potential attack vectors. IAM can lay the foundation of a zero-trust security model and enable MFA to achieve its full effectiveness by giving IT departments full visibility over apps in use, allowing them to require additional factors of authentication where necessary. IAM provides a key defence against ransomware attackers, preventing them from gaining access to systems before malicious activity can be carried out.