MSP Judgment Day: Ransomware Attacks Threaten Industry Credibility, Reputation

The MSP industry — spanning technology companies, service providers and more — could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, attacks and fallout, ChannelE2E believes.

On the one hand, MSPs (managed IT services providers) and their technology partners deserve major credit for stopping, mitigating and/or recovering customers from ransomware attempts and attacks. But on the other hand, key portions of the MSP industry have failed to raise their defenses despite specific FBI and U.S. Department of Homeland Security warnings to MSPs about such attacks.

There’s a bit of irony here. Many MSPs want to be considered high-end, professional service providers — on par with attorneys, accountants and perhaps even doctors. But imagine if a surgeon walked into an operating room without properly scrubbing down. And imagine if the associated operating tools were infected before you even opened up the patient you’re trying to save.

Scalpels designed for precision MSP surgery are becoming weapons of mass business destruction.

That’s the situation unfolding within the MSP market. Indeed, hackers continue to target RMM (remote monitoring and management), remote access, remote control and cybersecurity software as a springboard into end-customer systems.

Many of the attacks have involved compromised credentials (i.e., user names and passwords) rather than product vulnerabilities. In other words, the tools are basically clean. But inconsistent business practices involving technology vendors and MSPs have occasionally triggered end-customer infections. For instance, why would any MSP rely on basic user name and password practices to lock down their most mission-critical IT systems — the very IT systems that extend into end-customer systems?

Investors Also At Risk: This isn’t just a small business or regional MSP issue. Billions of dollars in private equity investments, venture capital and shareholder returns are at stake. Indeed, the bulk of the MSP technology industry is now backed by some form of third-party funding.

Some MSPs, IT Consultants Pay Hackers for Ransomware Recovery

No doubt, thousands of MSPs and hundreds of vendors have raced to embrace proper risk mitigation, cybersecurity, and data protection strategies for themselves and their customers. But thousands of additional MSPs remain security laggards, ChannelE2E believes. Further complicating matters, any IT support shop can now call itself an MSP simply by activating SaaS-based management tools that offer automation and remote monitoring capabilities.

Meanwhile, the risks are escalating. More than 4,000 ransomware attacks have taken place daily since 2016, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security, ProPublica reports.

Some of those attacks are hitting MSPs hard. And some service providers are actually opening their wallets — in a bad way — to recover encrypted data.


“You either die a hero, or you live long enough to see yourself become the villain.”

— Harvey Dent, The Dark Knight, 2008


Following one recent attack, an MSP bowed to hacker demands and paid more than $150,000 to recover data. In another ugly twist, some IT consulting firms and cybersecurity companies that claim to clean up ransomware are secretly paying attackers as part of their ransomware recovery services.

Still, paying the ransom doesn’t guarantee that hackers will decrypt hostage data. Even worse, a payment may inspire hackers to return for repeat attacks. Recent SentinelOne research shows us that 45 percent of U.S. companies hit with a ransomware attack paid at least one ransom, but only 26 percent of these companies had their files unlocked. Furthermore, organizations that paid the ransoms were targeted and attacked again 73 percent of the time as attackers treat paying companies like ATMs, according to Chris Bates, VP, security strategy at SentinelOne.

MSPs and Government Agencies: Beware

MSPs that support U.S. towns, cities and government organizations, in particular, should be on high alert. In recent months, ransomware and malware attacks have targeted municipal IT operations, government and transportation systems. Here are some examples:

That’s a troubling government list. But there certainly are example ransomware attacks across all industry verticals.

MSPs: Protect Your Credibility

So, where does the MSP industry go from here? It’s time for an urgent, industry-wide reset, ChannelE2E believes.

Among the steps ChannelE2E strongly recommends:

  1. Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
  2. Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.
  3. Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.
  4. Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
  5. Continue to attend channel-related conferences, but also attend major cybersecurity events — particularly RSA Conference, Black Hat and Amazon AWS re:Inforce.

The recommendations above require industry-wide commitment. The vast majority of MSPs and technology providers are committed to thwarting ransomware. But MSP market laggards that don’t raise their defenses threaten to tarnish the entire industry’s reputation, ChannelE2E believes.

MSPs and Ransomware: What the Future Holds

How will all this play out?

  • In a worst-case scenario, the MSP industry could be torn apart if ransomware-related lawsuits fly between end-customers, MSPs and their technology providers.
  • In a best-case scenario, MSPs and their technology providers emerge as Dark Knights that snuffed out ransomware long before attacks reached end-customer systems.
  • Anywhere in-between leaves us with a crime-ridden Gotham that tarnishes the MSP industry as a whole.

Rise to the occasion.

Comments

    Oli:

    Good write up Joe.

    If we let our professional reputation as MSPs become associated with increased risk instead of protection then we have a huge problem. July 4th is around the corner. Holidays are when a lot of these incidents peak in activity. Any large outbreak within MSPs that affects a large number of clients is likely to be picked up by mainstream press. If that happens the message they publish will be that MSPs are dangerous, bring your IT in-house.
    I have seen peers revel in the pain of ransomed brethren thinking they’ll pick up business. This is dangerous and short-sighted thinking. We will all be suspect as an industry.
    We need to validate data that proves MSP clients are safer than non-MSP clients and urge our laggard brethren to improve cyber hygiene.

    Jeremy Young:

    Great article. As you rightfully pointed out, most of these issues aren’t software breaches, they almost all stem from stolen credentials.
    Google’s recent study shows how effective various forms of MFA are against account takeovers stemming from stolen credentials: https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

    MSPs are still adopting and selling basic security as if it’s an option. Routers and firewalls were security add-ons in the ’80s and ’90s, and we wouldn’t create a network without them today. It’s time for the MSP industry to close the basic security adoption gap, and regain their trusted advisor status by mandating proper security controls. Opting out doesn’t protect the MSP or the customer.

    “Redouble your efforts. 2FA everything. Use strong authentication on customer-facing applications, any remote access, and cloud-based email. There are examples of 2FA vulnerabilities, but they don’t excuse lack of implementation.”

    2019 Verizon Data Breach Investigation Report Summary

    Joe Panettieri:

    Oli, Jeremy: Thanks for weighing in. This has been a strange day. Pieces of the blog have been swirling in my head for a few months. Other pieces surfaced earlier this week. It all came together during a long sit-down at the keyboard on Wednesday morning. By coincidence, another report just surfaced involving China hacking eight major MSPs.

    Why I’m upbeat: MSPs from across the industry are hitting my inbox, describing how they’re taking a stand.

    Why I’m concerned: I think some companies still view this as a tech sales issue. Sell and activate more products, and we’ll solve the problem. No doubt, there are some great products out there. But I think this only gets solved with (1) true risk assessments, and (2) associated risk mitigation, and a continuous cycle between the two.

    -jp

    David Dadian:

    Excellent piece! I agree with Oli and Jeremy. The old saying, “better to be paranoid than dead” sticks here. We need to be ever vigilant. Constantly, reviewing and where necessary upgrading your security solution stack, this includes education, and policies management. Did I mention education? It’s the little things here, attention to detail and did I mention education?

    Jay Ryerse:

    Great article Joe. Our team was discussing this earlier this week. In its simplest form, we equated it to the safety check that airlines give before a flight. If the oxygen masks fall from the overhead console due to loss of air pressure, put the mask on yourself first before helping others. Protect your MSP first.

    I think Jeremy Young nailed it too. Don’t shortcut because you think your team knows better. MSP networks can’t have holes. Implement the best practices and tools that drive security BEFORE it happens to you.
