Ransomware is costing businesses, not just in extortion payments, but especially in downtime. The cost of downtime, according to industry research, is usually 23 times greater than the requested ransom. Ransomware attacks are affecting the operations of large companies and major cities, and cybercriminals aren’t just attacking end-users; they’re targeting managed service providers (MSPs). Recently, numerous MSPs reported being victims of targeted ransomware attacks. Threat actors are exploiting vulnerabilities in systems used by MSPs with the intention of installing ransomware on their networks and devices. With threat actors targeting MSPs, companies wonder how these criminals are doing it and what can be done to prevent ransomware attacks.
The threat operators’ goal is to get more ransomware on more devices, thus increasing the likelihood that victims will pay the ransom. MSPs have access to numerous networks and devices and are often the gateway to many targets rather than the target itself. Threat operators can remotely install ransomware on numerous networks and devices if they can gain access to an MSP’s systems. Companies feel that they have no choice but to pay the ransom since ransomware can be challenging to remove once installed. Cybercriminals average $12,762 per ransom, which grows exponentially with additional victims.
Cybercriminals are attacking the products and services MSPs use, typically remote monitoring and management (RMM) tools or cybersecurity consoles. Threat operators can gain access through either brute force or software vulnerabilities on unpatched servers and obtain multiple privileged credentials. They then use those credentials to access RMM tools and remotely install ransomware, including the notorious Sodinokibi ransomware.
Cyberattacks keep growing more sophisticated, and no single measure prevents them. MSPs need to combine several tactics to prevent infections.
- Multi-Factor Authentication (MFA) – Multi-factor authentication is supported by numerous applications. It can be used to prevent cybercriminals from gaining privileged access to a company or their clients’ network. It’s important to first require MFA for most critical applications that support it. Additionally, companies should use MFA tools including OneLogin, Duo, or Okta to ensure that any application an MSP’s clients use requires this extra-but-essential layer of security.
- Update Everything – Many threat operators exploit software vulnerabilities; keeping everything updated and patched is the best way to prevent any cyberattack. Update everything including RMM tools, remote servers, client desktops, and mobile devices. Cybercriminals have focused on RMM or other remote access tools, so take special care in updating these software programs.
- Backup Data Regularly – Backups might be an organization’s only hope of recovering vital data if ransomware is installed on a system. Companies can restore systems using a solid, image-based backup, but a few factors can make this challenging. Companies need a proper backup retention policy in place: without a backup image from before the ransomware was installed, they are out of luck. They should always have multiple backups from multiple points in time for each system under their care. Furthermore, it’s important to think about where the backups are stored. Because ransomware can encrypt the network drive containing the backups, companies should consider storing them at a secure, off-site location.
- Credentials Management – MSPs are a bigger target than most organizations, and the credentials companies use to access their RMM and PSA tools can act as a gateway through which threat operators access dozens of client networks and hundreds of devices. MSPs should be mindful of how they manage credentials, who receives permissions, and how frequently their solutions are updated. Ultimately, the most reliable way to recover from a ransomware attack is a clean backup image. Develop careful backup plans to mitigate the risks posed by more complex cyberattacks.
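The retention points from the backup item above, sketched as a check over a backup inventory. This is an added example, not SpearTip's tooling; the catalog entries are constructed, and the thresholds `min_points` and `min_history_days` are assumed policy values rather than figures from the article.

```python
from datetime import datetime, timedelta

# Constructed sample catalog: (system, backup taken at, stored off-site?)
NOW = datetime(2024, 6, 30, 8, 0)
CATALOG = [
    ("rmm-server", NOW - timedelta(days=1), False),
    ("rmm-server", NOW - timedelta(days=8), True),
    ("rmm-server", NOW - timedelta(days=36), True),
    ("client-fs01", NOW - timedelta(days=1), False),
    ("client-fs01", NOW - timedelta(days=2), False),
    ("client-db01", NOW - timedelta(days=1), True),
]

def audit_retention(catalog, now, min_points=3, min_history_days=30):
    """Return {system: [findings]} for systems that miss the policy.

    min_points and min_history_days are assumed policy values.
    """
    by_system = {}
    for system, taken_at, offsite in catalog:
        by_system.setdefault(system, []).append((taken_at, offsite))
    findings = {}
    for system, backups in by_system.items():
        issues = []
        # Multiple backups from multiple points in time
        if len({t for t, _ in backups}) < min_points:
            issues.append("too few restore points")
        # A copy must survive encryption of the on-site network drive
        if not any(offsite for _, offsite in backups):
            issues.append("no off-site copy")
        # History must reach back past a plausible dormant period
        if now - min(t for t, _ in backups) < timedelta(days=min_history_days):
            issues.append("history too short")
        if issues:
            findings[system] = issues
    return findings

def clean_restore_point(catalog, system, installed_at):
    """Newest off-site backup taken before the ransomware was installed."""
    candidates = [t for s, t, offsite in catalog
                  if s == system and offsite and t < installed_at]
    return max(candidates) if candidates else None

if __name__ == "__main__":
    for system, issues in audit_retention(CATALOG, NOW).items():
        print(system, "->", ", ".join(issues))
    print(clean_restore_point(CATALOG, "rmm-server", NOW - timedelta(days=10)))
```

In the sample data, `rmm-server` passes the audit, yet if ransomware was installed ten days ago only its 36-day-old image is clean, which is why the history depth matters as much as the backup count.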
With MSPs becoming a more frequent ransomware target, it’s critical for companies and their clients to stay ahead of the current threat landscape and implement various security measures to prevent potential ransomware attacks. At SpearTip, we specialize in assisting MSPs in protecting themselves and their clients against costly ransomware attacks. Our ShadowSpear Platform provides scalability and protection for companies and their clients from a potential full-scale ransomware attack. ShadowSpear offers total visibility across your customer base and one place to gain insight into the security posture of all monitored environments. Backed by our global network of Security Operations Centers (SOCs) staffed by industry-leading engineers, ShadowSpear constantly monitors partner network environments and actively responds to and remediates any attack 24/7/365.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.