Managed service providers (MSPs), who are charged with providing IT security services to clients, have found themselves in the sights of ransomware groups. These threat actors increasingly target the MSP industry, where breaching a single MSP can allow them to deploy ransomware to dozens of companies. Protecting against this can become a significant challenge for MSPs; however, it can also be an opportunity. MSPs can better defend themselves and their clients by prioritizing internal security protocols, and doing so allows security-conscious MSPs to distinguish themselves from competitors who may be more vulnerable to compromise. We’ll look deeper at why ransomware groups are targeting MSPs and examine effective ways to mitigate ransomware attacks.
Threat operators who compromise an MSP can obtain direct access to its clients through the MSP’s infrastructure, using the MSP’s legitimate credentials to move easily between the MSP’s network and its clients’ networks. From there, ransomware can be deployed with minimal effort. According to the Department of Homeland Security, MSPs often have direct and unrestricted access to their clients’ networks and may store client data on their own internal infrastructure. MSPs obtain significant economies of scale by servicing numerous clients, so a compromise in one part of the network can spread globally, impacting other clients and adding risk.
MSPs are frequently much smaller than the companies they serve: 65% of MSPs have fewer than 10 full-time employees. Smaller MSPs often have fewer resources and fewer dedicated security personnel, and frequently lack the time to maintain strict cybersecurity policies. This makes MSPs easier targets than larger companies while still providing threat operators with access to thousands of endpoints.
Adhering to proven cybersecurity practices can help secure both internal environments and clients’ endpoints. The following ideas aren’t comprehensive, but rather a compilation of ways to mitigate ransomware.
Ensure Remote Access Tools are Secured
Making remote access tools as safe as possible is one of the most effective things MSPs can do to mitigate ransomware. This can include:
- Enforce MFA – Multifactor authentication (MFA) is a simple and effective way to prevent threat operators from using compromised credentials to log into remote access tools. MFA needs to be enabled and enforced everywhere possible, without exceptions.
- Implement IP Restrictions – Use IP restrictions so that only users connected to the MSP’s local networks can reach remote administration tools.
- Update RMM Software – Vendors offer software updates on a regular basis to fix known vulnerabilities in their software. Even though patching can be inconvenient at times, it needs to always be a priority.
- Secure RDP – Remote Desktop Protocol (RDP) is a native remote administration tool for Windows that has been abused in ransomware attacks, and it needs to be secured like any other remote access tool.
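The first two items above (enforcing MFA and restricting remote-tool access to known source networks) are both policies that can be checked against the authentication log of the remote access tool. The following is an added example, not code from the original post or from any particular RMM vendor: it audits a constructed line-per-event JSON log against a hypothetical allow-list of MSP office and VPN ranges and flags every successful login that either came from outside those ranges or was completed without MFA. The log field names, the ranges and the events are all assumptions made for illustration.

```python
"""Audit remote-administration logins against an IP allow-list and an MFA requirement.

Added example (not the post's own code). The log format, the allow-listed
ranges and the sample events are constructed for illustration.
"""
import ipaddress
import json

# Constructed allow-list: hypothetical office networks and a VPN pool that
# technicians are expected to connect from.
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed sample of remote-tool authentication events, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "tech1", "src_ip": "10.20.4.17", "mfa": true, "result": "success"}
{"ts": "2024-03-01T08:05:43Z", "user": "tech2", "src_ip": "192.168.50.9", "mfa": false, "result": "success"}
{"ts": "2024-03-01T02:14:05Z", "user": "tech1", "src_ip": "203.0.113.77", "mfa": true, "result": "success"}
{"ts": "2024-03-01T02:15:30Z", "user": "admin", "src_ip": "198.51.100.5", "mfa": false, "result": "success"}
{"ts": "2024-03-01T09:00:00Z", "user": "tech3", "src_ip": "10.20.9.3", "mfa": false, "result": "failure"}
"""


def ip_is_allowed(src_ip: str) -> bool:
    """True when the address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparseable address is treated as not allowed
    return any(addr in net for net in ALLOWED_RANGES)


def audit_logins(log_text: str) -> list:
    """Return one finding per successful login that violates the policy.

    A successful login is flagged when it came from outside the allow-list,
    when it was completed without MFA, or both. Failed logins are skipped here
    because no access was granted; they belong in a brute-force review instead.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("result") != "success":
            continue
        reasons = []
        if not ip_is_allowed(event["src_ip"]):
            reasons.append("source outside allow-list")
        if not event.get("mfa", False):
            reasons.append("no MFA")
        if reasons:
            findings.append({"ts": event["ts"], "user": event["user"],
                             "src_ip": event["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:<6} {f['src_ip']:<15} {', '.join(f['reasons'])}")
```

Run against the constructed log it reports three findings: a login from an allowed address without MFA, a login with MFA from an address outside the allow-list, and one that violates both. The failed attempt is deliberately left out so the two policies stay distinct from brute-force monitoring.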
Restrict Network Access
Ransomware attacks on MSPs usually entail the exploitation of stolen credentials. MSPs need to operate with the assumption that their accounts will be compromised at some point and take appropriate steps to restrict network access.
- Implement the Principle of Least Privilege – Employees need to be given only the resources they need to execute their tasks. Limiting access rights and performing regular permission audits verifies that privileges match current requirements. Staff don’t need local administrator rights unless they’re specifically required to do their job.
- Strengthen Authentication Hygiene – Educate and train staff to develop strong passwords and avoid sharing or recycling login information. Use a password manager to simplify this process.
- Prevent Lateral Movement – Once threat operators have access to a network’s assets, they will often aim to build a deeper foothold by spreading laterally across the network. Application whitelisting, MFA, network segmentation, and strong password management can help prevent lateral movement.
Disable PowerShell If Not Being Used
PowerShell is Microsoft’s built-in task automation and configuration management framework. Even though PowerShell has numerous legitimate purposes, threat actors frequently use it to deliver ransomware because it can execute macros, grants full access to numerous Windows system functions, and can execute payloads from memory. If PowerShell is not important to operations, MSPs should disable it. MSPs that must use PowerShell need to closely monitor all PowerShell activity to identify and terminate suspicious behavior.
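For MSPs that cannot disable PowerShell, the monitoring the paragraph calls for usually starts with script block logging (Windows Event ID 4104), which records the text of every script block that runs. The following is an added example, not code from the original post: it triages a constructed set of 4104-style records against a small, deliberately incomplete table of abuse indicators (encoded commands, download cradles, Invoke-Expression, execution policy bypass, hidden windows) and decodes any -EncodedCommand payload so an analyst can read what was actually executed. The indicator weights, the alert threshold and the sample events are assumptions for illustration.

```python
"""Triage PowerShell script block log entries (Event ID 4104) for abuse indicators.

Added example, not the post's own code. The indicator table is a small,
constructed subset of the patterns used in common PowerShell detection rules;
the weights and threshold are illustrative, and the sample events are
constructed rather than captured from a real system.
"""
import base64
import re

# (name, pattern, weight); weights are constructed values for this example.
INDICATORS = [
    ("encoded command", re.compile(r"-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}", re.I), 3),
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("download cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I), 3),
    ("execution policy bypass", re.compile(r"(?:-ep|executionpolicy)\s+bypass", re.I), 2),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("base64 decode", re.compile(r"frombase64string", re.I), 1),
]
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
ALERT_THRESHOLD = 3  # constructed: total weight at which an event becomes an alert

# Constructed sample events. The encoded payload is built at runtime from a
# harmless command so the example shows the decoding step without shipping a
# hand-typed blob.
ENCODED_SAMPLE = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"id": 2, "host": "ws02", "script": f"powershell.exe -NoProfile -w hidden -enc {ENCODED_SAMPLE}"},
    {"id": 3, "host": "ws03", "script": "IEX (New-Object Net.WebClient).DownloadString($u)"},
    {"id": 4, "host": "ws04", "script": "powershell -ep bypass -File C:\\scripts\\backup.ps1"},
]


def decode_encoded_command(script: str):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENCODED_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid encoded command; leave it for manual review


def triage_event(event: dict) -> dict:
    """Score one script block record and attach the matched indicators."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(event["script"])]
    score = sum(weight for _, weight in hits)
    return {
        "id": event["id"],
        "host": event["host"],
        "score": score,
        "indicators": [name for name, _ in hits],
        "decoded": decode_encoded_command(event["script"]),
        "alert": score >= ALERT_THRESHOLD,
    }


def triage_events(events: list) -> list:
    """Triage a batch of records, preserving input order."""
    return [triage_event(e) for e in events]


if __name__ == "__main__":
    for r in triage_events(SAMPLE_EVENTS):
        flag = "ALERT " if r["alert"] else "      "
        print(f"{flag}{r['host']} score={r['score']} {r['indicators']} decoded={r['decoded']!r}")
```

Of the four constructed records, the benign service query scores zero, the hidden-window encoded command and the download cradle cross the threshold, and the bare execution-policy bypass is recorded but stays below it; in practice that last case is exactly the kind of line worth correlating with the parent process and the user before deciding whether it is a technician's scheduled task or something to terminate.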
Secure All Endpoints
Even though ransomware can be spread in various ways, numerous attacks start the old-fashioned way with users being deceived by malicious emails. There are several ways MSPs can protect their employees:
- Email Security – Email authentication solutions, including DMARC, SPF, and DKIM, are important for validating sender domains, detecting forgery, and preventing business email compromise attacks.
- Web Filtering – Browser security software can prevent users from accessing harmful websites and blocks many phishing attacks.
- Endpoint Security – Having reliable antivirus software is critical in preventing ransomware and other malware used to deploy ransomware. The best defense comes by pairing an integrable cybersecurity tool with 24/7/365 active monitoring.
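Whether the email authentication controls listed above are actually doing anything depends on how the DNS records are written: an SPF record ending in +all or ?all authorizes everyone, and a DMARC record with p=none only reports on spoofing rather than stopping it. The following is an added example, not code from the original post: it evaluates SPF, DMARC and DKIM records for a domain and reports the weak settings an MSP should fix for itself and its clients. A real check would query DNS; here a constructed in-memory zone using reserved example domain names stands in for the resolver so the code runs offline. Because DKIM selectors cannot be enumerated from DNS, the DKIM check only confirms that a selector the MSP already knows about has a published key.

```python
"""Evaluate SPF, DMARC and DKIM TXT records for common weaknesses.

Added example, not the post's own code. A constructed in-memory zone replaces
a DNS resolver so the example runs offline; domain names are reserved
example names and the DKIM key value is a placeholder.
"""
import re

# Constructed zone: DNS name -> list of TXT strings.
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.example": ["v=spf1 a mx ~all", "some unrelated txt record"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "nomail.example": [],
}
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def lookup_txt(name: str) -> list:
    """Stand-in for a DNS TXT query against the constructed zone."""
    return FAKE_DNS_TXT.get(name, [])


def parse_spf(records: list):
    """Return the SPF record split into terms, or None if the domain has none."""
    for r in records:
        if r.lower().startswith("v=spf1"):
            return r.split()
    return None


def parse_dmarc(records: list):
    """Return DMARC tags as a dict (keys lower-cased), or None if absent."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess_domain(domain: str, dkim_selectors: tuple = ()) -> list:
    """Return a list of weakness descriptions; an empty list means no issues found."""
    findings = []

    spf = parse_spf(lookup_txt(domain))
    if spf is None:
        findings.append("SPF: no record; receivers cannot check authorized senders")
    else:
        all_term = next((t for t in spf if ALL_TERM.match(t)), None)
        if all_term is None or all_term[0] not in "-~?":
            findings.append("SPF: no restrictive 'all' term (any sender passes)")
        elif all_term.startswith("~"):
            findings.append("SPF: soft fail (~all); prefer -all once senders are inventoried")
        elif all_term.startswith("?"):
            findings.append("SPF: neutral (?all) gives no protection")

    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    if dmarc is None:
        findings.append("DMARC: no record; spoofed mail is neither rejected nor reported")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine or reject")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; consider p=reject")
        pct = int(dmarc.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(f"DMARC: policy applied to only {pct}% of messages")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so no aggregate reports are received")

    for sel in dkim_selectors:
        if not any("p=" in r for r in lookup_txt(f"{sel}._domainkey.{domain}")):
            findings.append(f"DKIM: selector {sel} has no published key")

    return findings


if __name__ == "__main__":
    for d, sels in (("example.com", ("sel1",)), ("weak.example", ()), ("nomail.example", ("sel1",))):
        print(d, assess_domain(d, sels) or ["no issues found"])
```

The same routine can be pointed at a real resolver by replacing lookup_txt with a DNS library call; the parsing and the policy judgement do not change. The checks are intentionally conservative: a record that exists but is misconfigured (soft-fail SPF, monitoring-only DMARC) is reported separately from a record that is missing altogether, because the remediation differs.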
Maintain Offsite Backups
Any ransomware mitigation approach needs to include an effective backup system. It’s critical for MSPs to realize that if threat operators have compromised their RMM software, they will likely have access to the MSP’s backups as well. If threat operators can delete backups to gain an advantage, they will do so. Additionally, some ransomware strains are designed to encrypt local and cloud backups. The most straightforward and successful method of developing ransomware-proof backups is to follow the 3-2-1 rule, which states that MSPs need to:
- Keep three copies of their files
- Keep the copies on at least two different storage media types
- Keep at least one backup copy offsite. The copy needs to be disconnected from the network, accessible to virtually no one, and stored offline.
Have BYOD Policies
Cloud-based tools are common in MSPs’ environments; however, any device used to access corporate resources needs to be considered a potential security risk. MSPs need to ensure that all company-issued devices used for work purposes are secured properly and develop policies for employees who work remotely using personal devices. Restricting network access, requiring VPN usage, installing device encryption, and mandating MFA can assist MSPs in securing BYOD devices and lowering the risk of compromise.
Create and Test Incident Response Plans
MSPs can do everything right and still experience ransomware attacks. When incidents occur, it’s critical for MSPs to have a plan in place to respond quickly and effectively.
- Communication – Establish roles and duties so that both employees and company leaders know what to do in case of ransomware attacks. Determine who needs to be contacted and in what order. Internal workers, clients, law enforcement, attorneys, public relations, and others may be included.
- Isolate – Create a plan for isolating or disabling affected devices. Removing infected machines from the network limits the ransomware spread.
- Incident Response Retainer – MSPs need to explore IR solutions and keep a contact number on hand in case their services are needed. During an incident, every minute is critical. Maintaining an IR retainer ensures your business moves to the front of the line if an incident were to occur.
- Analysis – Define policies for preserving evidence that can assist in the investigation. Policies need to include instructions on how to gather as much information about the incident as possible, including log files, system images, samples of encrypted files, and the ransom note, all of which can be useful for analysis. Staff need to be barred from deleting any encrypted files until instructed.
- Remediation – MSPs need to define how the malware will be removed and how backups will be used to restore systems. Additionally, MSPs need to invest their resources into fixing the exploited vulnerabilities to reduce the risk of future incidents.
MSPs’ security is directly linked to their clients’. If MSPs are compromised, it’s likely that their clients will follow, resulting in severe downtime and ransom demands. Companies put enormous trust in MSPs, and it’s important they fulfill this trust by doing everything possible to reduce the risk of ransomware incidents. A proactive security strategy allows MSPs to gain a competitive advantage as cybersecurity becomes a more critical company consideration across industries. Additionally, it’s important for MSPs and their clients to always remain alert to the current threat landscape and follow the mitigation process described above to reduce the risk of potential ransomware attacks. At SpearTip, MSPs can upsell their security offerings by incorporating our pre-breach risk services into their current catalog. We offer our integrable cybersecurity solution, which allows MSPs to focus on their clients’ core IT objectives while providing industry-leading protection against malicious ransomware threats. Our certified engineers respond to thousands of security incidents to improve clients’ operational, procedural, and technical control gaps based on security standards.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.