Guest Column | February 7, 2019

How MSPs Can Protect Clients From Ever-More Sophisticated Ransomware Attacks

By Chris Jann, Medicus IT

Ransomware Concerns Grow

MSPs responsible for securing their clients’ technology environments ought to be well aware of ransomware’s rising threat. Such attacks are only becoming more complex and prevalent, as bad actors have actually evolved their criminal enterprises and practices to closely resemble software development companies. And, just like at any software-based business, the bad guys now pay close attention to the ROI of their attacks and iterate their ransomware and techniques to optimize performance.

For example, today’s digital thieves can easily purchase one million active email addresses from the dark web, then bulk-send phishing emails containing ransomware to each of them at a total cost of only $600. Some percentage of those emails will be opened by end users, instantly unleashing malware onto their endpoint devices. Once active, the ransomware encrypts whatever data and systems it can access and informs the unfortunate business or individual that their data is being held hostage and will be lost forever unless the ransom is paid. The criminals will have already calculated the expected success rate and end profit generated from these attacks.

In another nod to the mainstream software industry, attackers can now enlist Ransomware-as-a-Service providers to utilize effective malware with no need to develop or manage it themselves. Yep, upstanding security MSPs now have an evil twin, so to speak: While your MSP business seeks to provide clients with better protections, there are criminal managed service providers offering criminal clients better attacks.

Like any business, ransomware attackers have been increasing their margins by refining their “customer” targeting. Overall, ransomware attacks have swelled 229 percent over the last year. Some verticals are getting hit worse than others: Attacks on automotive industry businesses have shot up 400 percent in that time, as attackers have found fertile targets that are both vulnerable and particularly dependent on their own data.

For MSPs and the businesses they serve, defending against these attacks requires a multi-layered defense, incorporating encryption, powerful endpoint access controls, and backup and disaster recovery (alongside sophisticated employee training regimens and carefully designed policies). Having every layer in place is critical to a complete strategy here.

For our own MSP practice, Beachhead’s SimplySecure (for encryption and access control) and Datto (for backup and disaster recovery) have been formidable defenders within our arsenal, but alone they are not quite sufficient. Phishing and spearphishing attacks (in which social engineering is used against specific targets, such as an employee receiving what convincingly appears to be an email from their boss saying to click a link) have become much more difficult to recognize. At the same time, employees are both the frontline defenders against data breaches and the weakest links in that defense from a security standpoint, often able to capsize the entire security strategy with a click.

To address this, many MSPs are providing businesses with solutions that simplify the management and oversight of employee training in best practices and specific company policies. Breach Secure Now! is an example of another layer here; it allows each employee’s training progress to be tracked, certifies employees in their knowledge of best practices and policies, and puts them to the test with realistic phishing emails to see if they’ll truly keep data secure.

At the same time, managed providers must practice diligence in continuing to adapt and embrace new built-for-MSP tools equipped to defeat criminals’ latest techniques. Criminals certainly won’t stop iterating ransomware to become more effective against current security practices and countermeasures, a reality that’s especially clear in the area of data backup technology. Data backups are a thorn in the side of these criminals: even when a business allows ransomware to encrypt its data, if it has a backup of that data elsewhere then there’s no need to pay the ransom. Criminals have become well aware of this and have adapted their malware to attack data backups as well, even encrypting data backed up into cloud storage.

Backup solutions providers have introduced further countermeasures, delivering the means to practice the 3-2-1 rule: Maintain three copies of data on at least two different types of media (with one “airgapped,” or stored off-network where it cannot be infected directly). In a response to that response, ransomware criminals now have ransomware designed to utilize “attack loops,” in which malware will remain inactive for many months before activating — like a time bomb.

Due to this dormancy, businesses will unknowingly back up the ransomware to the airgapped data copy. Only when attackers ask for their ransom does the business discover that even their most secure data backups have been encrypted as well. By remaining aware of the latest moves in this cat-and-mouse game, MSPs can protect clients with the latest and most secure practices and solutions.

Security-minded MSPs should expect the work of defending against ransomware to be ongoing, and to require increasing diligence as the sophistication of attacks and responses only continues to escalate.

About The Author

Chris Jann is the President and CEO of Medicus IT, a healthcare-focused MSP serving the Southeast United States.