How to Fight Cyberattackers Who Target MSPs
… lost access to their email and databases. Even further, as you can imagine, the ransom was not cheap. Bye bye, Christmas bonus …
3. GandCrab Ransomware
And the award goes to … GandCrab as the most prolific ransomware variant in terms of sheer volume of infections! This thing is an MSP nightmare. And unfortunately, that nightmare came to life recently.
In early February, a midsize MSP’s 80 clients became infected with ransomware. An estimated 1,500-2,000 client systems were encrypted, with a ransom demand of $2.6 million. $2.6 million! Yikes.
Again, adding insult to injury (hackers are so good at that, aren’t they … ), attackers had utilized the MSP’s own RMM tool to deploy the ransomware, making the MSP the one at fault.
The culprit? An outdated ConnectWise ManagedITSync integration plug-in for Kaseya VSA. Apparently the issue had been raised, but updates resolving the issue had not been applied correctly, if at all.
As a result, attackers were able to sneak in and gain administrative access to the MSP’s Kaseya RMM tool and use it to deploy GandCrab to every … single … endpoint under the MSP’s management.
The targeted nature of the attack and the high ransom amount are new territory for GandCrab actors. Until this instance, they had mostly deployed the ransomware using exploit kits and haphazard/random spam campaigns. It’s yet another arrow pointing to the fact that there has been a significant shift and a growing trend of coordinated, targeted attacks.
OK, So Now What?
Attackers are going after the MSP-client relationship. If the recent wave of GandCrab attacks is any evidence, the very tools that MSPs use to serve their customers can be used against them. Not so great for the MSP-client relationship.
Brian Downey, senior director of product management, security, at Continuum, weighs in on the implications for MSPs.
“The channel is now the target for cybercriminals,” says Downey. “Gaining access into an MSP’s service network can provide access to the individual customers they serve.
“The implications for MSPs are significant. End-clients will be asking their providers if their businesses are safe, if they’re at risk, and what steps the MSP is taking to prevent a similar attack,” he added. “If an MSP can’t confidently answer these questions in detail, they risk losing their clients to a provider who can. The liabilities to the MSP are becoming existential.”
Pretty dismal-sounding, but there are things MSPs can do to make it much harder for attackers to parachute in and wreak havoc on your network and precious data. Here are five key things to remember:
- Restrict access across your network (duh).
- For the love of God, secure your RMM and other remote access tools.
- Protect your users and lock down their endpoints.
- Actively monitor your own network for signs of compromise.
- Have an incident response plan ready (again, duh).