Joshua Peebels | January 22nd, 2022

MSP Ransomware

As the SOC Manager overseeing the ShadowSpear department, Joshua Peebels leads multiple teams of diverse and skilled engineers and analysts as they work 24/7 to secure, monitor, and advise partners on security best practices. Drawing on a think-on-his-feet skill set developed through professional improvisational acting, along with a strong communication background as an American Sign Language interpreter, Joshua brings a leadership style that focuses on partner-first relationships and a desire to consistently enhance and grow his team. Outside the office, Joshua champions apprenticeship programs to promote industry growth and to give back to the Cyber Counterintelligence landscape where he got his own start.

The Kaseya Incident

On Friday, 2 July 2021, as most Americans (including IT teams) were preparing to celebrate Independence Day weekend, threat actors targeted Kaseya’s VSA remote monitoring and management product with ransomware. The impact was felt globally by dozens of Managed Service Providers (MSPs) and thousands of their client organizations. While the world was in panic, engineers at SpearTip were actively focused on identifying, neutralizing, and countering the imminent and potentially devastating threat.

Our team was preventing these Kaseya-related threats before the public was aware of their existence. We identified the malicious activity running rampant on our partners’ networks, stopped and contained the malware, and immediately began notifying all our partners using Kaseya’s VSA product with containment and remediation steps. Within an hour of detecting the ransomware, our engineers unpacked the code; it was instantly apparent that this was not standard ransomware. After analyzing the exploit, it became obvious that this variant and its deployment had taken months to plan, create, and implement. Our primary goal was then, as it remains today, to prevent damage to our partners, a goal we accomplished while other entities were not so fortunate.

The Kaseya incident, and SpearTip’s response to this innovative and destructive ransomware attack, is emblematic of an ever-evolving landscape in which MSPs have become the latest ransomware target.

Ransomware and MSPs

One major shift that permeated the ransomware threat landscape in 2021 was the targeting of MSPs. In the simplest terms, an MSP is a third-party IT and security contractor that delivers specified services for a set fee. As part of their service agreement, MSPs generally have complete access to sensitive data belonging to multiple businesses, making them a valuable target.

A typical MSP offers various security and IT solutions to its many partners through an outsourcing model. According to Datto’s “2021 State of the MSP Report”, the average MSP maintains partnerships with 122 organizations, mostly small and medium businesses (SMBs) across 5-6 industries. Each of these SMBs has unique security needs and limited resources available to address them, which is what attracts them to an MSP partnership. With regard to the state of ransomware, this means that if a threat actor can successfully breach an MSP, they gain access to the sensitive information of those 122 organizations. Not only does a breach of an MSP harm the reputation and functionality of the security provider, it also hands threat actors leverage over more than 100 organizations in a ransom negotiation. Multiply this across the entire MSP industry and the result is desolation and mayhem.

Industry research indicates that about half of MSPs maintain an internal security team to comprehensively address their diverse client needs. An even smaller percentage partner with a Managed Detection and Response (MDR) operation, indicating a large-scale gap in security operations. This is welcome news to ransomware operators, and it should alarm MSPs and their increasingly vulnerable clients, particularly as business operations shift to the cloud. With this transition, more advanced and proactive security measures are required to stay ahead of evolving threats. From the perspective of threat actors, targeting MSPs is a successful strategy: a single breach disrupts critical business operations across a multitude of sectors and stokes fear in hundreds of businesses, large and small.

Creating a Solution

While the threat landscape grows in sophistication, some aspects remain constant: cybercriminals actively target operations that lack the resources to effectively fortify their business-critical data against ransomware. As MSPs continue to flourish in the IT and security marketplace, their role in protecting SMBs becomes more crucial. A further demonstration of the importance of continuous threat monitoring is the growing push from insurers to require it within standard industry policies.

Proper protection, particularly for MSPs and their diverse clientele, is not just a security concern – it is a business concern requiring a multi-layered approach:

- It must predict attacks before they happen with proactive measures, including implementing multi-factor authentication (MFA) and credentialed access.
- It must prevent unknown threats, much like SpearTip did with REvil’s attack against Kaseya, utilizing experienced human response with sophisticated endpoint detection, such as ShadowSpear and its cloud-native ability to protect networks wherever they reside.
- It must detect malicious activity before a threat becomes an attack, which ShadowSpear provides with its flexible platform and single console that integrates seamlessly into existing IT infrastructure for total endpoint visibility across the entire customer base.
- It must provide for rapid response and remediation, which is a focal point of our 24/7 Security Operations Centers (SOCs) and IR team with our industry-leading response and remediation speed (15-minute response time, 6 hours to reclaim the network, and 36 hours to fully restore operations).
- It must leave room for growth and profit, both for the MSPs and their clients; ShadowSpear boasts a 254% ROI and a payback period of under 6 months.

The worst day for an MSP is dealing with the repercussions of ransomware. SpearTip defends MSPs and their clients from the devastating impact of ransomware with our complete cybersecurity solution that maximizes human ingenuity with advanced AI capabilities.