These ransomware hackers gave up when they hit multi-factor authentication

More evidence that multi-factor authentication works. Police explain how they have seen ransomware gangs abandon attacks when they hit MFA security.
Written by Danny Palmer, Senior Writer

A ransomware attack was prevented just because the intended victim was using multi-factor authentication (MFA) and the attackers decided it wasn't worth the effort to attempt to bypass it. 

It's often said that using MFA, also known as two-factor authentication (2FA), is one of the best things you can do to help protect your accounts and computer networks from cyberattacks because it creates an effective barrier – and now Europol has seen this in action while investigating ransomware gangs.  

"We've done investigations where ransomware criminals were monitored. In certain investigations, we saw them trying to access companies – but as soon as they would hit two-factor authentication in this process, they would immediately drop this victim and go to the next," said Marijn Schuurbiers, head of operations at Europol's European Cybercrime Centre (EC3), speaking about an undisclosed incident the agency investigated.  


It demonstrates how useful MFA can be in preventing ransomware and other cyberattacks. Even if the attacker has the legitimate password for the account – either because it's been guessed or it's been stolen – using MFA usually prevents them from being able to log in.  

An unexpected alert from an MFA authenticator app can also notify the intended victim that something is wrong and should be investigated, which can also help to prevent further attacks and incidents. 

Not only can cyber criminals exploit hacked accounts to gain initial access to the network and install ransomware, the access they gain can also be used as part of double-extortion attacks, where criminals steal information before encrypting it, with threats to publish the data if a ransom isn't received. 

However, if attackers can't access that data due to the use of MFA, they can't attempt to exploit it for extortion. 

"This is really crucial information that companies can use for their counter strategies. Know that if you implement two-factor authentication for your systems in general – or maybe specifically, your crown jewels – you will significantly reduce your chances of falling victim to a ransomware group, which uses double extortion," said Schuurbiers, who was speaking at the sixth anniversary of No More Ransom.

No More Ransom is an initiative by Europol, additional law enforcement agencies, cybersecurity companies, academia and others that provides victims of ransomware attacks with decryption keys for free. So far, the scheme has helped 1.5 million people get their files back without paying ransomware gangs.

Implementing 2FA is one of several measures Europol recommends to help prevent ransomware attacks. Others include regularly backing up data on devices, so it can be recovered without paying a ransom in the event of an attack encrypting files, as well as ensuring that security software and operating systems are up to date with the latest security patches.

