Last year cybercriminals pulled off a multi-million-dollar heist of the largest petroleum pipeline operator in the United States. Before encrypting the company’s systems and holding it for ransom, the cybercriminals stole over 100 GB of data. Colonial Pipeline took its pipeline offline for five days to contain the incident and paid the $4.4 million ransom to recover its data. The attack caused gas and jet fuel shortages across the East Coast that resulted in panic buying and generated extensive media attention. However, the more fascinating aspects of the attack received less attention: the group behind the ransomware, the enormous cybercriminal industry in which it participates, and the continuously growing threat that MSPs face.
The entire cybercriminal industry is built on exploiting MSPs to rob clients blind. Just as rival MSPs compete for business, groups of threat operators band together to steal it. DarkSide, the ransomware group the FBI identified as responsible for the Colonial Pipeline breach, is one of many participants in one of the numerous areas that make up the cybercrime industry. DarkSide created a ransomware-as-a-service (RaaS) tool that cybercriminals can use to encrypt data and negotiate ransoms. The group explains that it is driven only by profit and targets only companies with sufficient funds to pay the ransom. Additionally, the group has stated that it does not target healthcare organizations, charities, or government agencies, and that it thoroughly screens clients and their targets before licensing its ransomware.
The cybercrime industry is extensive with various products and services available. Ransomware-as-a-Service platforms represent a small fragment of what the cybercrime industry offers. Cybercriminals can purchase and sell everything from stolen data and credentials to off-the-shelf tools and services that aid threat operators in their heists. Additionally, cybercriminals can rent botnets to launch DDoS attacks on their targets. DarkSide and other cybercriminal groups operate in the same ways any ordinary business would.
Ransomware groups have employees, set monthly and quarterly goals, compete for clients with other companies, form strategic collaborations with other groups, and are concerned about their reputation. The ransomware groups have websites where they advertise products and services along with publishing advertisements for open positions within the organization. They even promise that a portion of their profits will be donated to charitable organizations, although many charitable organizations have given back funds.
It’s difficult to say how much money cybercriminals make each year. Because not all attacks are reported, any study can only provide a partial picture. However, the global cost of cybercrime can be estimated: it was more than $7 trillion in 2022, a slight increase from $6 trillion in 2021. The costs are attributed to system downtime, damage to companies’ reputations, IP theft, recovery costs, and insurance costs; however, the figure does not include the value of ransoms collected or data stolen.
The lockdowns from the COVID-19 pandemic were the pinnacle of digital transformation. However, they also created ideal conditions for cybercriminals to thrive. Lockdowns forced companies, particularly small and medium-sized businesses (SMBs), to find new ways to work, including digitizing processes and migrating them to the cloud. As with anything new, there were issues. Unfortunately, not every problem is created equal, particularly when it is a misconfiguration that allows anyone to steal and ransom all your data. About 70% of companies that housed data or workloads in the public cloud encountered at least one security incident. Additionally, threat intelligence indicates that two of every three companies leave back doors open in the cloud that threat operators can exploit. Only one in four respondents considered a lack of expertise on staff to be a problem.
Ransomware groups have become more sophisticated over time, honing their tactics to maximize the revenue they can generate. Double-ransom attacks have become a best practice for ransomware groups. The groups not only encrypt companies’ data until they pay for a key, but also steal a copy of that data. This allows ransomware groups to demand two ransoms: one for a decryption tool that lets companies unlock their data, and another to ensure the stolen data is destroyed. If victims can restore the encrypted data from a backup, they won’t have to pay for a key; the extra threat of disclosing the stolen data to the public or the highest bidder (data including sensitive customer information, trade secrets, contracts, unflattering internal emails, and memos) increases the likelihood of a payout from each victim. With double ransom, backing up data won’t always protect companies from the impacts of ransomware attacks. Colonial Pipeline Co. paid the ransom even though it was already restoring its systems from backups. Companies should always back up their data in case of ransomware attacks, and ideally they want to prevent the attacks from happening, which is a lot easier said than done.
Looking specifically at ransomware attacks on MSPs, the ransoms rise and the threat actors become more serious. The average ransom for an MSP in 2021 was $812,000, and nation-state threat actors are focusing their attention on MSPs. Financially motivated threat operators are interested in MSPs because smaller MSPs have fewer resources to defend themselves than larger companies do. Additionally, breaching an MSP means threat operators only need to crack one lock to open hundreds of doors. However, MSPs need to be concerned about more than ransomware. MSPs are sometimes used as a conduit to support other forms of attacks on their clients.
The SolarWinds attack in 2020 is a prime example of how valuable a target MSPs can be. Threat operators inserted malicious code into the SolarWinds Orion codebase, which was then distributed to clients all over the world. Through the network management tool, threat operators gained access to clients’ networks, including those of local, state, and federal government organizations. Not every MSP has the resources or personnel to implement robust security solutions. There’s no shortage of security solutions and services that can assist MSPs in keeping their name and their clients’ names out of the press. MSPs can partner with cybersecurity companies that offer robust security features, including a Security Operations Center (SOC).
Even though MSPs may believe their data isn’t valuable to threat operators, they’re still a target. Their data is valuable, and threat operators will find innovative ways to sell it to those who want to buy it. Even if MSPs allow the threat actors to release their data to the world, the disruption threat actors can cause to companies would be disastrous. It’s important for MSPs and their clients to always stay alert to the current threat landscape and to maintain off-site backups of their data and networks. By incorporating SpearTip’s pre-breach risk services into their current catalog, MSPs can upsell their security offerings. SpearTip’s engineers’ extensive experience in responding to thousands of security incidents helps close MSPs’ clients’ operational, procedural, and technical control gaps based on security standards. SpearTip offers the ShadowSpear Platform, our cutting-edge integrable managed detection and response tool, which allows MSPs to focus on their clients’ core IT objectives while providing industry-leading protection against malicious cyber threats.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.