Why Most Ransomware Breaches Begin with Stolen Credentials, Not Malware?


Daily Security Review

For decades, Hollywood has painted a specific picture of cybercrime. We imagine a hooded figure in a dark room, typing furiously against a green screen of cascading code, smashing through firewalls with sophisticated algorithms. It makes for great cinema, but it is rarely how a modern ransomware breach occurs.

The reality of cyber warfare is far more mundane and, consequently, far more dangerous. Attackers have realized that breaking in is hard work. It requires finding zero-day vulnerabilities, writing complex exploit code, and evading sophisticated detection systems.

So, they stopped trying to break in. Instead, they simply log in.

The majority of modern ransomware incidents do not begin with a virus or a piece of malware attached to an email. They begin with a valid username and password. Understanding this shift from "hacking" to "logging in" is critical for any organization trying to secure its data in an increasingly hostile digital landscape.

The path of least resistance

Cybercriminals operate like businesses. They look for the highest return on investment with the lowest possible effort. Developing a new exploit for a patched Windows server takes time and skill. Buying a valid set of credentials on the dark web for $10 does not.

When an attacker uses stolen credentials, they bypass the traditional perimeter defenses that organizations spend millions of dollars on. Firewalls, intrusion detection systems, and antivirus software are designed to spot malicious code or unauthorized connection attempts. They are not designed to stop someone who presents a valid username and password from logging in to the VPN or cloud portal, because that login looks exactly like a legitimate user's.

By masquerading as an employee, the attacker gains immediate trust. They are inside the network, often with the same privileges as the victim they are impersonating. This allows them to move laterally across the network, escalating privileges and exfiltrating sensitive data—steps that often precede a ransomware breach—all while appearing to be a regular user doing regular work.

How credentials are compromised

If attackers aren't hacking the perimeter, how are they getting the keys to the castle? The methods are varied, but they almost always target the human element rather than the technological one.

The dominance of the phishing attack

The most common entry point remains the phishing attack. Despite years of security awareness training, phishing remains effective because it exploits human psychology—urgency, fear, or curiosity.

In a credential harvesting phishing campaign, a user might receive an email that looks exactly like a notification from Microsoft 365, Google Workspace, or a corporate HR portal. The email might claim that a password has expired or a document needs signing. When the user clicks the link, they are taken to a spoofed login page.

Once they enter their details, the attacker captures them in real-time. There is no malware involved on the user's device. The user handed over the keys voluntarily, tricked by a digital mirage.

Initial Access Brokers (IABs)

A booming underground economy has emerged to support ransomware gangs. These groups are known as Initial Access Brokers (IABs). IABs specialize in breaching networks—often using brute-force attacks or credential stuffing (trying username/password combinations from other breaches)—and then selling that access to ransomware affiliates.

This specialization means the ransomware gang doesn't even need to know how to steal the password. They just need to pay the broker. This lowers the barrier to entry for cybercriminals, fueling the rise in ransomware volume.

Infostealers

While the initial entry might be credentials, malware does play a supporting role. "Infostealers" are a type of lightweight malware often hidden in pirated software or harmless-looking downloads. Once installed on a device, they scrape saved passwords from web browsers and session cookies.

These logs are then bundled and sold. If an employee uses their personal laptop to access corporate resources and that laptop is infected with an infostealer, the corporate credentials are as good as gone.

The silent phase: Living off the land

Once the attacker uses the stolen credentials to gain entry, the ransomware is not deployed immediately. This is a crucial distinction. In a malware-first attack, the virus often executes quickly. In a credential-based attack, there is a "dwell time."

During this period, attackers "live off the land." They use legitimate administrative tools that already exist in the environment—like PowerShell, RDP (Remote Desktop Protocol), or WMI (Windows Management Instrumentation)—to conduct reconnaissance.

They map out the network, identify where the backups are stored, and hunt for the Domain Controller to gain full administrative rights. Because they are using legitimate tools and valid credentials, this activity blends in with normal system administration. Security teams looking for "malware signatures" will see nothing amiss.

The actual ransomware deployment is merely the final act of a long play. By the time the files are encrypted and the ransom note appears, the attackers have likely been inside the network for weeks, if not months.

Moving beyond malware defense

Organizations need to fundamentally shift their defensive strategy. While antivirus and endpoint detection are still necessary, they are no longer sufficient. Security must pivot to identity.

Phishing-resistant Multi-Factor Authentication (MFA)

The single most effective control against credential theft is Multi-Factor Authentication (MFA). However, not all MFA is created equal. Attackers have learned to bypass SMS-based codes through SIM swapping or "MFA fatigue" attacks (bombarding a user with push notifications until they approve one out of frustration).

Organizations should move toward phishing-resistant MFA, such as FIDO2 security keys or hardware tokens. These methods bind the login attempt to the specific website, meaning even if a user is tricked by a fake phishing page, the authentication will fail.

Monitoring for abnormal behavior

Since attackers look like legitimate users, defense relies on spotting abnormal behavior. An employee who works 9-to-5 in New York should not be logging in from an IP address in Russia at 3 AM.

User and Entity Behavior Analytics (UEBA) tools can help establish a baseline of normal activity for every user. When a set of credentials starts accessing servers they've never touched before, or downloading massive amounts of data, the system can flag the anomaly even if the password is correct.
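The three anomaly signals described above (a login from an unexpected country outside working hours, access to a host the account has never touched, and an unusually large transfer) as a small baseline-and-score check. This is an added illustration, not the article's tooling or any vendor's UEBA product; the JSON-lines log format, the sample events, the UTC work window and the "10x the baseline maximum" bulk threshold are all constructed assumptions.

```python
"""Minimal UEBA-style check: build a per-user baseline, then score new events."""
import json
from datetime import datetime

# Constructed sample events for one US-based employee (not real log data).
BASELINE_LOGS = [
    '{"user":"jdoe","ts":"2024-03-04T13:05:00Z","country":"US","host":"mail01","bytes":120000}',
    '{"user":"jdoe","ts":"2024-03-05T14:10:00Z","country":"US","host":"share01","bytes":450000}',
    '{"user":"jdoe","ts":"2024-03-06T18:30:00Z","country":"US","host":"mail01","bytes":90000}',
]
# The same valid credentials a week later: one normal session, then activity
# that matches the article's "wrong country, 3 AM, new servers, bulk download".
NEW_LOGS = [
    '{"user":"jdoe","ts":"2024-03-11T15:00:00Z","country":"US","host":"mail01","bytes":80000}',
    '{"user":"jdoe","ts":"2024-03-11T08:00:00Z","country":"RU","host":"vpn","bytes":1000}',
    '{"user":"jdoe","ts":"2024-03-11T08:15:00Z","country":"RU","host":"backup01","bytes":5000}',
    '{"user":"jdoe","ts":"2024-03-11T09:00:00Z","country":"RU","host":"share01","bytes":9000000}',
]

def parse(lines):
    return [json.loads(line) for line in lines]

def build_baseline(events):
    """Per user: countries seen, hosts touched, and the largest transfer observed."""
    by_user = {}
    for e in events:
        b = by_user.setdefault(e["user"], {"countries": set(), "hosts": set(), "max_bytes": 0})
        b["countries"].add(e["country"])
        b["hosts"].add(e["host"])
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return by_user

def score_event(e, baseline, work_hours=range(13, 23), bulk_factor=10):
    """Return the list of anomaly labels for one event; empty means 'looks normal'.
    work_hours is an assumed 9-to-5 Eastern window expressed in UTC."""
    b = baseline.get(e["user"])
    if b is None:
        return ["unknown_user"]
    findings = []
    hour = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).hour
    if e["country"] not in b["countries"]:
        findings.append("new_country")
    if hour not in work_hours:
        findings.append("off_hours")
    if e["host"] not in b["hosts"]:
        findings.append("new_host")
    if e["bytes"] > bulk_factor * b["max_bytes"]:
        findings.append("bulk_transfer")
    return findings

def scan(baseline_lines, new_lines):
    baseline = build_baseline(parse(baseline_lines))
    return [(e["ts"], e["host"], score_event(e, baseline)) for e in parse(new_lines)]
```

Each event is scored against what the account did historically, so the password being correct never enters the decision; the "new_host" hit on the backup server is the kind of signal the dwell-time reconnaissance described earlier would produce.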

The principle of least privilege

The damage a stolen credential can do is directly tied to the access that credential holds. If every employee has local admin rights, a single breach is catastrophic.

Adopting the principle of least privilege ensures that users only have access to the specific data and systems they need to do their jobs. If a marketing intern's account is compromised via a phishing attack, the attacker shouldn't be able to reach the core financial databases. Limiting lateral movement is key to turning a potential disaster into a manageable incident.

Secure the identity to stop the breach

The era of the "hacker" breaking through the firewall is largely behind us. The modern adversary is a fraudster holding a stolen key.

Focusing solely on malware prevention leaves the front door wide open. To stop the next ransomware breach, organizations must prioritize identity security. This means acknowledging that passwords are the weakest link and building a defense that assumes credentials will eventually be compromised. By layering robust authentication, behavioral monitoring, and strict access controls, businesses can ensure that even if an attacker steals a password, they can't steal the kingdom.
