
Everything MSPs and MSSPs Need to Know About Ransomware

Alas, 2020 was a banner year for ransomware. And 2021 might be worse. The ransomware business is booming.

High returns are motivating more cybercriminals to explore this lucrative economy.

Unfortunately, no one is off limits. Not the hospitals on the front lines treating critically ill COVID-19 patients where it’s a matter of life or death, not school districts working around the clock to maintain safe in-person learning, and not IT organizations tasked with enabling thousands of employees to work from home.

The fact that ransomware gangs, like Ryuk, have attacked hundreds of healthcare providers this year, while the world is in the middle of a historic pandemic, goes to show how ruthless these criminals really are. We’ve seen a gold rush of recent devastating attacks that’s unlike anything the cybersecurity industry has ever experienced, and there’s no sign of them slowing down.

Staying one step ahead of ransomware gangs means being vigilant, proactive, and prepared. MSPs and MSSPs also need to understand the ways in which they themselves are at risk.

Cybercriminals target MSPs and MSSPs precisely because a foothold in the provider can become a path into every customer it manages. Responding to an attack is costly whether you spend time trying to recover files yourself or pay the ransom. Either way, ransomware can mean lost productivity and business-threatening downtime, and there is more MSPs and MSSPs could be doing to guard against it.

Let’s take a closer look at today’s ransomware landscape and how MSPs and MSSPs can help organizations stay protected.

How ransomware attacks start

Ransomware attacks tend to start in one of three ways. The first is phishing: attackers send emails that look legitimate but are designed to get the target to open or download an attachment. Those attachments range from Word documents carrying malicious macros to JavaScript files disguised as .txt files (for example, a double extension such as report.txt.js, which Windows hides by default so the user sees only report.txt); opening them installs the ransomware on the victim's system.

Another common route is poisoned websites: legitimate sites that have been compromised to serve an exploit kit. A user might click an ad or something else that looks innocent. In some cases, simply visiting the page with an unpatched browser or plugin is enough for the exploit kit to download and run the ransomware, with no click required (a drive-by download).

A third technique, often used to infiltrate MSP and MSSP networks, is exploiting Remote Desktop Protocol (RDP) and other Internet-exposed remote-access services. Each computer running RDP is a potential gateway into an organization's internal network, and it is often protected by nothing more than a username and password. Attackers have had great success guessing those passwords, by brute force or from dictionaries of common and previously leaked credentials, to gain access to corporate networks and launch ransomware attacks.
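Password guessing against exposed RDP leaves a very recognizable trail: a burst of failed logons (Windows Security event 4625) from one source address, sometimes followed by a success (event 4624) from the same address. The detector below is an added example, not code from the original post or from Sophos; it runs over constructed event records shaped like the fields an MSP would pull from a SIEM (the field names `time`, `event_id`, `source_ip`, `user`, `logon_type` are assumptions for the example), and flags any source that exceeds a failure threshold within a sliding window, noting whether a successful RDP logon followed the burst.

```python
"""Flag RDP password guessing from Windows logon events.

Added example (not part of the original post). Event IDs are the real
Windows Security IDs (4625 = failed logon, 4624 = successful logon) and
logon type 10 is RemoteInteractive, i.e. RDP; the record layout below is
an assumption for the example and would be mapped from your SIEM schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2021, 3, 1, 9, 0, 0)


def _ev(offset_s, event_id, ip, user, logon_type=10):
    """Build one constructed event record, offset_s seconds after BASE."""
    return {"time": BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "source_ip": ip, "user": user, "logon_type": logon_type}


# Constructed sample data (not real logs): one external address hammers the
# 'administrator' account every 10 seconds, then logs in as a service
# account; a second address is a user mistyping a password twice; a third
# is a console logon that is not RDP at all.
EVENTS = (
    [_ev(i * 10, 4625, "203.0.113.45", "administrator") for i in range(12)]
    + [_ev(150, 4624, "203.0.113.45", "svc_backup")]
    + [_ev(30, 4625, "198.51.100.7", "alice"),
       _ev(40, 4625, "198.51.100.7", "alice"),
       _ev(55, 4624, "198.51.100.7", "alice")]
    + [_ev(200, 4624, "10.0.0.5", "bob", logon_type=2)]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return one finding per source IP that produced >= threshold failed RDP
    logons inside a sliding window. Each finding records the failure count
    seen so far and, if a later RDP logon from that IP succeeded, the account
    that succeeded (the 'success after burst' signal worth paging on)."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    findings = {}                   # source_ip -> finding dict
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        ip = ev["source_ip"]
        recent = failures[ip]
        # Drop failures that have aged out of the window.
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            if len(recent) >= threshold:
                finding = findings.setdefault(
                    ip, {"source_ip": ip, "failures": 0, "success_after_burst": None})
                finding["failures"] = len(recent)
        elif ev["event_id"] == 4624 and ip in findings:
            findings[ip]["success_after_burst"] = ev["user"]
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(EVENTS):
        print(f)
```

A threshold of ten failures in five minutes is deliberately conservative for a single source; in practice you would also aggregate across source addresses per target account, since distributed guessing spreads the attempts out. The "success after burst" field is the one to alert on immediately: a burst alone may be noise, but a successful logon following it from the same address is the moment the targeted-attack playbook described in the next section begins.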

How ransomware attacks unfold

After the initial exposure, there are two ways ransomware attacks typically unfold: what we call “fire and forget,” or targeted ransomware.

Fire-and-forget attacks aim for a high volume of smaller ransoms. Cybercriminals launch a campaign against many organizations at once and use automated techniques to infect as many computers as possible. Here is how it typically plays out: after a malicious email or compromised website provides entry, the attackers' loader downloads ransomware that encrypts files and drops a ransom note demanding payment to decrypt them.

Targeted ransomware, on the other hand, focuses on one victim at a time but demands a much higher ransom. These hands-on attacks typically gain access through RDP or an earlier malware infection that gives the operators a foothold. They then move laterally through the network, escalate their privileges to administrator, deploy ransomware across as many systems as they can reach, and only then demand payment.

How to stay protected

It should come as no surprise that ransomware attacks can be incredibly costly for MSPs and MSSPs. Trying to avoid downtime and data loss requires a proactive approach with advanced protection at every stage of an attack, from network protection to securing endpoints.

Having effective security products isn’t all it takes, however.

The best way to detect and stop active threats is with human-led threat hunting. Trained experts, like those available with Sophos Managed Threat Response and Sophos Rapid Response, know the subtle indicators and red flags to look for; they know how to spot a legitimate tool being used illegitimately in a way that automated detection tools may miss.

Endpoint detection and response (EDR) is the essential foundation, but adding 24/7 expert human eyes catches the low-and-slow, hands-on activity of targeted attacks that automated detection alone can miss.

Furthermore, educating employees about ransomware and the phishing techniques commonly used to launch attacks can help stem attacks at their access point. For MSPs and MSSPs, this means both educating your employees and providing resources for customer education, as well.

To that end, here are a few security best practices to keep in mind.

  • Be cautious about unsolicited email attachments, and don't enable macros in documents received via email.
  • Open JavaScript (.JS) files in Notepad rather than letting them run: change the default handler so a double-clicked .js file opens in Notepad instead of Windows Script Host, and inspect the contents first.
  • Enable two-factor authentication, especially on RDP and any other remote-access service.
  • Turn on tamper protection for your security software and remove local administrator rights from everyday user accounts, so ransomware cannot simply uninstall or disable the endpoint agent.
  • Apply patches early and often. Use strong, unique passwords and change them promptly if a breach is suspected.
  • And as always, back up regularly and keep at least one copy offline and off-site, so it cannot be encrypted along with the live systems.
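The attachment types described under "How ransomware attacks start" (macro-laden Office documents and script files hiding behind a double extension) and the first two items in the list above can be screened mechanically before a user ever sees them. The triage function below is an added example, not code from the original post or from Sophos; it constructs a few sample attachments in memory (minimal Office Open XML zips and a script file, none of them real malware) and reports why each would be held, checking both the filename and the actual content so that a VBA project hidden inside a file with a harmless-looking extension is still caught.

```python
"""Triage email attachments for the lures described in the article.

Added example (not part of the original post). Sample files are constructed
in memory; the extension lists are the common Windows script/executable and
macro-enabled Office extensions and can be extended for your environment.
"""
import io
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
               ".cmd", ".bat", ".scr", ".exe"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Office Open XML files are zip containers; a VBA project lives at one of these paths.
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
ZIP_MAGIC = b"PK\x03\x04"


def _ooxml(members):
    """Build a minimal Office Open XML zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


_BASE_DOC = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}

# Constructed sample attachments (filename -> bytes); none is real malware.
SAMPLES = {
    "invoice.docm": _ooxml({**_BASE_DOC, "word/vbaProject.bin": b"\x00" * 16}),
    "report.docx": _ooxml(_BASE_DOC),
    # .docx name, but the container carries a VBA project anyway.
    "statement.docx": _ooxml({**_BASE_DOC, "word/vbaProject.bin": b"\x00" * 16}),
    # Script disguised as a text file via a double extension.
    "readme.txt.js": b"var s = new ActiveXObject('WScript.Shell');",
    "notes.txt": b"plain text, nothing to see",
}


def triage_attachment(filename, data):
    """Return a list of reasons to hold the attachment (empty list = allow)."""
    reasons = []
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    last = exts[-1] if exts else ""

    if last in SCRIPT_EXTS:
        reasons.append(f"script/executable extension {last}")
        if len(exts) > 1:
            reasons.append("double extension " + "".join(exts))
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office format {last}")

    # Content check: look inside any zip container for a VBA project,
    # regardless of what the extension claims.
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            names = set()
        if any(m in names for m in VBA_MEMBERS):
            reasons.append("embedded VBA project (vbaProject.bin)")
    return reasons


def triage_all(samples):
    """Map each filename to its hold reasons, keeping only flagged files."""
    return {name: r for name, data in samples.items()
            if (r := triage_attachment(name, data))}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

The extension checks alone would pass "statement.docx"; only the container inspection catches it, which is why a gateway rule should look at content, not just names. At the endpoint, the complementary control from the list above is to make the .js handler Notepad rather than Windows Script Host, so a file that slips past the gateway is displayed instead of executed.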

Guest blog courtesy of Sophos.