Ransomware is costing businesses—in ransom, yes, but also in downtime, the cost of which is typically 23 times greater than the ransom requested. The attacks are affecting large organizations and cities including Atlanta and Baltimore. Cybercriminals aren’t just attacking end-users; MSPs are the latest on the hit list.
Recently, a number of MSPs reported being the victims of targeted ransomware attacks. Attackers exploited vulnerabilities in systems commonly used by MSPs with the goal of installing ransomware on many networks and devices. As cybercriminals begin targeting MSPs, you may wonder how they’re doing it and what you can do to stop them. First, let’s understand why MSPs are a target.
Why are They Targeting MSPs?
When it comes to ransomware, the goal is often to get more ransomware on more devices, which increases the likelihood that their victims pay up. Who has access to lots of networks and devices? That’s right: MSPs do.
And in many cases, MSPs aren’t the target so much as the gateway to many targets. If crooks can gain access to an MSP’s systems, they can remotely install ransomware on lots of networks and devices. Since ransomware can be impossible to get rid of once it’s installed (barring a few options), many companies feel they have no choice but to pay. According to Coveware, cybercriminals can bring in an average of $12,762 from an organization that pays. Imagine what they can get from dozens.
How are They Doing It?
Cybercriminals have begun attacking products and services commonly used by MSPs. Many of the reported attacks have come by way of remote monitoring and management (RMM) tools or cybersecurity consoles. Attackers typically gain access either through brute force or through software vulnerabilities on unpatched servers. From there, attackers will try to gather as many privileged credentials as they can.
Next, they’ll use those to access RMM tools so they can remotely install ransomware, such as the notorious Sodinokibi ransomware virus. After that it’s just a matter of sitting back to see who coughs up the ransom.
What can You Do?
There’s no one thing that can prevent cyberattacks, particularly when they become more sophisticated all the time. MSPs will need to employ a variety of tactics to prevent infections.
- Use Multi-Factor Authentication (MFA) – Many applications support multi-factor authentication. Using it can prevent cybercriminals from gaining privileged access to your or your clients’ networks. Start by requiring it for the most critical applications that support it. You may also consider using an MFA tool like OneLogin, Duo, or Okta to ensure that any application your clients use require this extra-but-essential layer of security.
- Keep Everything Up to Date – Many attacks exploit software vulnerabilities. The best way to prevent these attacks is to keep everything patched and updated. From your RMM tools to remote servers to client desktops and mobile devices, the more up-to-date, the better. Take special care when it comes to updating RMM or other remote access tools as they’ve been a recent focus for cybercriminals.
- Take Regular Backups – Certainly, backups might be your only hope for recovering data if ransomware is installed on a system. A solid, image-based backup is an easy way to get systems back to normal, but there are a couple factors that can trip you up. You must make sure you’ve set the proper retention policy for backups. If you don’t have a backup image from before the ransomware was installed, you’re out of luck. Be sure you’re keeping multiple backups from multiple points in time for each system under your care. Second, consider where you’re storing backups. What if ransomware locks down the network drive storing the backups? Think carefully about where you store backups, consider offsite options, and be sure you have copies of backups in a secure location.
MSPs are a bigger target than most. The credentials you use to access your RMM and PSA tools can be the gateway through which an attacker can access dozens of client networks and hundreds of devices. MSPs should pay close attention to how they manage credentials, who gets permissions and how frequently they update their solutions. Last but not least, a clean backup image is often the only way to reliably recover from ransomware. Create careful backup strategies so you can mitigate the risks posed by more complex cyberattacks.