Ransomware profits reach "staggering" levels as businesses fail to implement MFA properly


Research has highlighted the continued threat of ransomware and pointed to poorly enforced - or entirely missing - multi-factor authentication (MFA) as a factor in many incidents.

The research from the team at Rapid7 looked at data from the first half of 2023 and noted that 39% of the incidents overseen by its managed services team were down to MFA issues.

The caseload for researchers also increased by 69% year on year.

While remote access led the way in terms of initial access vectors for attackers with 39% of attacks, vulnerability exploitation accounted for 27% of attacks, and phishing payloads were responsible for 13%.

The report noted that the combination of cloud misconfiguration, SEO poisoning, and a “failure to eradicate threat actors during previous compromises” accounted for 11% of initial access vectors.

However, the fact that almost two-fifths (39%) of all incidents seen by the team were the result of MFA problems will give administrators pause for thought. 

While the limitations of MFA - particularly when combined with phishing and proxy attacks - are well known, the technology can go some way to adding an extra barrier between organizations and threat actors.

MFA fatigue is one of these known issues, a phenomenon in which users can become increasingly irritated by repeated requests for login approval, succumbing to the annoyance and inadvertently approving requests for attackers. 

This fatigue, coupled with poor implementation practices - such as being able to bypass MFA entirely - presents an attractive opportunity for attackers.

Researchers highlighted notification fatigue as a factor in an uptick in MFA push fraud and noted number matching, such as that mandated by Microsoft Authenticator, as a way of keeping fatigue at bay and dealing with social engineering attacks.

OneNote abused to spread malware

Although phishing attacks were responsible for fewer incidents, the team pointed to the abuse of Microsoft OneNote as a medium for malware and credential stealers. 




“This was the root cause of the majority of phishing incidents our team observed in 1H 2023,” said researchers.

Since Microsoft blocked VBA macros by default last year, attackers have turned to OneNote as a vector for launching attacks. Rapid7 noted the use of the platform to spread the Redline Infostealer and Qakbot malware earlier in 2023.

Blocking .one files at the perimeter or email gateway is one approach to deal with the threat, as is the education of users regarding attachments.
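A sketch of the gateway-side `.one` check described above, as an added example that is not from the article or from Rapid7. It goes one step beyond the extension check by also matching the 16-byte OneNote file-type GUID at the start of the attachment, so a renamed file is still caught; the function names, reason labels and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# First 16 bytes of a OneNote section file: the file-type GUID
# {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} in on-disk byte order.
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")


def onenote_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every MIME part that looks like a .one file."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(ONE_MAGIC):
            # Content match: still fires when the extension has been changed.
            hits.append((name, "content"))
        elif name.lower().rstrip(". ").endswith(".one"):
            # Extension match: trailing dots and spaces are ignored.
            hits.append((name, "extension"))
    return hits


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision (hypothetical policy): hold any message carrying a .one file."""
    return bool(onenote_attachments(raw_message))


def build_sample(filename: str, data: bytes) -> bytes:
    """Build a constructed test message with a single attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Constructed sample"
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, body in [("Invoice.ONE", b"placeholder"),
                        ("invoice.pdf", ONE_MAGIC + b"\x00" * 32),
                        ("report.txt", b"plain text")]:
        print(fname, onenote_attachments(build_sample(fname, body)))
```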

Ransomware is still the top threat, but business is booming on the dark web

The research noted that the ransomware landscape had remained relatively stable in terms of the groups operating in the space. 

Of the ransomware incidents noted, 35.3% were attributed to LockBit. However, researchers added that incidents over the first half of the year attributed to Cl0p - 11.9% - were lower due to the group still actively claiming new victims from its 2023 zero-day attack on MOVEit.

Cl0p’s attacks are still categorized under the ‘ransomware’ umbrella, given the group’s roots in ransomware, but its high-profile attacks this year involving MOVEit and GoAnywhere MFT have both seen the group pivot to an encryption-less ransomware model.

Brokers are, however, profiting handsomely from zero-day exploits or access to compromised networks sold on the dark web. An example in the report found the going rate for a zero-day exploit in Cisco or Juniper hardware was $75,000 or more.

While the price might appear steep, ransomware-as-a-service (RaaS) organizations - such as Cl0p - could potentially cover the costs many times over with just a single victim payment.

“The potential profit margin for successful RaaS operations, in other words, is staggering,” said the researchers.

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.