In 2019, hacking activity shifted to focus on managed service providers (MSPs). It became clear that MSPs needed more business-specific information to protect their business and customers proactively, so ConnectWise created the annual MSP Threat Report. We are pleased to announce that the 2022 MSP Threat Report is now available.
Author: Bryson Medlock, threat intelligence evangelist, ConnectWise Cyber Research Unit, ConnectWise
In 2021, ConnectWise created the Cyber Research Unit (CRU), a dedicated team of threat hunters that identifies new vulnerabilities, researches them, and shares what they find for all to see in the community. The CRU monitors ransom leak sites and malicious botnets for new threats, uses OSINT resources, and uses data from the ConnectWise SIEM powered by Perch to help create content and complete research. Throughout 2021, the CRU collected data regarding 500 cybersecurity incidents from our MSP partners and their clients. The 2022 MSP Threat Report is the output of this research.
Two significant events that changed the threat landscape
The 2022 MSP Threat Report includes a timeline of significant cybersecurity events in 2021. The threat landscape changed drastically in 2021 due to a few significant events. The most impactful events for our MSP partners included the Colonial Pipeline ransomware attack in May by DarkSide and the buffalo jump attack during the July 4 weekend, which impacted over 40 MSPs and 1500 of their clients in a single day using a vulnerability in Kaseya VSA.
1. Impact of the Colonial Pipeline attack
The Colonial Pipeline attack caused a shutdown of a major oil pipeline that carries gasoline, diesel, and jet fuel from Texas to the East Coast. It resulted in fuel shortages and panic buying throughout the region. The attack prompted several official responses by the US government, and the attention disrupted the cybercrime community.
After the attack, popular cybercrime forums, XSS and Exploit, which have been used for years by ransomware-as-a-service (RaaS) gangs to recruit new affiliates, banned the advertisement of RaaS programs. DarkSide, the RaaS gang believed to be responsible for the Colonial Pipeline attack, released a public statement that said attacks by their affiliates against critical infrastructure were banned. In fact, after the attack and US response, many ransomware groups have become more selective, avoiding critical infrastructure or victims that could create a political impact.
2. Impact of the July 2 MSP attack
After the attack targeted more than 40 MSPs in a single day, ransomware operators increased their focus on attacking MSPs directly. It should come as no surprise that CRU observations match those of others: the ransomware problem continues to get worse. For example, as a report by SonicWall indicates, there was a 148% surge in global ransomware attacks in 2021. Similarly, the CRU observed a 10-15% increase in ransomware incidents by quarter in 2021, with 56% of all incidents occurring in the second half of 2021. When the collected data is filtered to include only MSPs and not their clients, it shows that 72% of ransomware attacks directly targeting MSPs occurred in the second half of 2021. This data suggests that, at least for ConnectWise partners, ransomware threat actors were more focused on targeting MSPs directly rather than their clients.
The “2022 MSP Threat Report” concludes with four predictions for 2022. (We covered these predictions in a webinar at the end of 2021, available here.) These four predictions include:
How the anatomy of an MSP will change
Federal regulators and legislators will create rules on ransomware payments in 2022
The SMB market will spend more in 2022
Threat actors will change tactics to stay under the radar