MSP Cybersecurity: Best practices for mitigating targeted ransomware attacks

MSP cybersecurity Best practices for mitigating targeted ransomware attacks

MSPs, often tasked with providing customers with IT security services, have found themselves in the crosshairs as ransomware groups increasingly focus their attacks on the MSP market, where a single incident can enable threat actors to deploy ransomware to dozens of businesses.

For MSPs, this poses a significant security challenge – but it also presents an opportunity. Prioritizing internal security protocols allows service providers to better protect themselves and, by extension, their customers. It also enables security-conscious MSPs to differentiate from competitors who may be more vulnerable to compromise.

In this article, we’ll explore why ransomware groups are targeting MSPs and discuss best practices for mitigating ransomware attacks.

Why do attackers target MSPs?

MSPs are a logical target for ransomware groups. In 2018, the Department of Homeland Security issued an alert stating that threat actors had been targeting MSPs since May 2016.

Since that warning was issued, dozens of MSPs have fallen to ransomware, leading to tens of thousands of endpoints being encrypted and ransomware groups generating millions of dollars.

Sadly, the trend doesn’t seem to be stopping any time soon. But why exactly are MSPs such popular targets?

Easy access to targets

MSP infrastructure enables attackers to gain direct access to clients. By using the legitimate credentials of a compromised MSP, attackers can move freely between an MSP and its customers’ shared networks, where ransomware can be deployed with little effort.

As the Department of Homeland Security noted: “MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”

Leverage

Most ransomware attacks are financially motivated. While companies are typically discouraged from paying the ransom, MSPs are often more inclined to pay because failure to do so will result in significant downtime for their entire client base and may cause irreparable damage to the MSP’s reputation.

Given that the average North American MSP has 52 active customers, according to a report by SolarWinds and The 2112 Group, the collective financial impact of a ransomware attack on an MSP can be enormous.

Lack of resources

MSPs are often much smaller than the companies they serve – in fact, 65 percent of MSPs have less than 10 full-time employees, according to the above report.

Smaller MSPs are typically operating with limited resources, may lack dedicated security personnel and are often so busy that they simply don’t have the time to maintain strict cybersecurity practices.

Consequently, MSPs can be easier targets than larger corporations, while still giving attackers access to potentially hundreds or thousands of endpoints.

Biggest ransomware threats for MSPs

Ryuk

First discovered in August 2018, Ryuk was infamous for targeting large enterprises and making ransom demands that were, at the time, more than 10 times the average. Ryuk is typically dropped onto systems that have been compromised by Emotet and/or Trickbot, two trojans that are usually distributed via phishing emails. A number of MSPs have been affected by Ryuk, including Data Resolution, CorVel and CloudJumper.

Sodinokibi

Sodinokibi, sometimes referred to as REvil, was first spotted in April 2019. Threat actors typically use Sodinokibi to target MSPs by exploiting RDP vulnerabilities, stealing privileged credentials and leveraging commonly used remote monitoring and management (RMM) software to deploy ransomware to an MSP’s customers’ endpoints. Many MSPs have been affected by Sodinokibi, including Complete Technology Solutions, PerCSoft and Synoptek.

Best practices for mitigating ransomware

Adhering to proven cybersecurity fundamentals can go a long way toward securing both internal and client endpoints. The following recommendations should not be considered comprehensive but rather a collection of best practices for mitigating ransomware.

1. Secure remote access tools

One of the most effective things an MSP can do to mitigate ransomware is to ensure remote access tools are as secure as possible. This might involve:

2. Restrict network access

Ransomware attacks on MSPs frequently involve the use of stolen credentials. MSPs should operate on the assumption that their accounts will be compromised at some point and take steps to restrict network access accordingly.

3. Disable PowerShell if it’s not used

PowerShell is Microsoft’s built-in framework for task automation and configuration management. While it has many legitimate uses, PowerShell is often used by threat actors to deploy ransomware as it can execute macros, provide full access to many Windows system functions and execute payloads from memory.

MSPs should disable PowerShell if it is not critical to operations. MSPs that must use PowerShell should closely monitor all PowerShell activity so that suspicious behavior can be identified and stopped as quickly as possible.

4. Secure endpoints

While ransomware can be distributed in many different ways, most attacks still originate the old fashioned way – with a user getting duped by a malicious email. MSPs can protect their employees with the use of:

5. Select software carefully

MSPs rely on a wide range of tools to serve the diverse needs of their customers. Given that each of these tools is a possible point of entry for attackers, it’s important that MSPs evaluate the security practices of vendors before committing to a software solution.

6. Create offsite backups

An effective backup system is a critical part of any ransomware mitigation strategy. For MSPs, it’s important to remember that if an attacker has compromised their RMM software, they probably also have access to the MSP’s backups.

If an attacker has the opportunity to delete backups and gain additional leverage, they will do so. In addition, some ransomware strains are designed to encrypt backups stored both locally and in the cloud.

The simplest and most effective way of creating ransomware-proof backups is to adopt the 3-2-1 rule, which stipulates that an MSP should:

See this comprehensive guide for more information on how companies can protect backups from ransomware.

7. Implement BYOD policies

Cloud-based tools are ubiquitous in the MSP environment, but any device that is used to access corporate resources should be considered a potential security risk.

MSPs should not only ensure that all company-issued devices used for work purposes are properly secured but also implement policies for employees who use personal devices to work remotely.

Restricting network access, enforcing the use of a VPN, implementing device encryption and making MFA compulsory can help MSPs secure BYOD devices and reduce the risk of compromise.

8. Develop and test an incident response plan

Unfortunately, an MSP can do everything right and still experience a ransomware incident. When an incident occurs, it’s essential that MSPs have a plan in place that allows them to respond quickly and effectively.

See the Department of Homeland Security’s report for more information on developing a ransomware IR plan, and check out our blog post for considerations when deciding whether or not to pay a ransom.

Conclusion

For MSPs, security is inextricably intertwined with that of their customers. If an MSP is compromised, it is highly likely that its customers will follow, leading to hugely disruptive downtime and massive ransom demands.

Businesses put a lot of trust in MSPs – it’s important that MSPs honor this trust by doing everything they can to reduce the risk of a ransomware incident. MSPs that take a proactive approach to security can gain a competitive edge as cybersecurity becomes an increasingly important business consideration across industries.

Jareth

Jareth

Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next

Reader Comments