MSP Judgment Day: Ransomware Attacks Threaten Industry Credibility, Reputation
The MSP industry — spanning technology companies, service providers and more — could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, attacks and fallout, ChannelE2E believes.
On the one hand, MSPs (managed IT services providers) and their technology partners deserve major credit for stopping, mitigating and/or recovering customers from ransomware attempts and attacks. But on the other hand, key portions of the MSP industry have failed to raise their defenses despite specific FBI and U.S. Department of Homeland Security warnings to MSPs about such attacks.
Related Research: Total Economic Cost of an MSP Cyberattack
Hackers Poison MSP Tools
There’s a bit of irony here. Many MSPs want to be considered high-end, professional service providers — on par with attorneys, accountants and perhaps even doctors. But imagine if a surgeon walked into an operating room without properly scrubbing down. And imagine if the associated operating tools were infected before you even opened up the patient you’re trying to save.
Scalpels designed for precision MSP surgery are becoming weapons of mass business destruction.
That’s the situation unfolding within the MSP market. Indeed, hackers continue to target RMM (remote monitoring and management), remote access, remote control and cybersecurity software as a springboard into end-customer systems.
Many of the attacks have involved compromised credentials (i.e, user names and passwords) rather than product vulnerabilities. In other words, the tools are basically clean. But inconsistent business practices involving technology vendors and MSPs have occasionally triggered end-customer infections. For instance, why would any MSP leverage basic user name and password practices to lock down their most mission critical IT systems — the very IT systems that extend into end-customer systems?
Also, there’s growing concern about so-called supply chain attacks — which involves hackers injecting malware into vendor software, and then MSPs downloading and deploying that software without knowing about the infection. Once the attackers spring their trap, ransomware typically spreads across MSP and end-customer systems.
Investors Also At Risk: This isn’t just a small business or regional MSP issue. Billions of dollars in private equity investments, venture capital and shareholder returns are at stake. Indeed, the bulk of the MSP technology industry is now backed by some form of third-party funding.
Some MSPs, IT Consultants Pay Hackers for Ransomware Recovery
No doubt, thousands of MSPs and hundreds of vendors have raced to embrace proper risk mitigation, cybersecurity, and data protection strategies for themselves and their customers. But thousands of additional MSPs remain security laggards, ChannelE2E believes. Further complicating matters, any IT support shop can now call itself an MSP simply by activating SaaS-based management tools that offer automation and remote monitoring capabilities.
Meanwhile, the risks are escalating. More than 4,000 ransomware attacks have taken place daily since 2016, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security, ProPublica reports.
Some of those attacks are hitting MSPs hard. And some service providers are actually opening their wallets — in a bad way — to recover encrypted data.
“You either die a hero, or you live long enough to see yourself become the villain.”
— Harvey Dent, The Dark Knight, 2008
Following one recent attack, an MSP bowed to hacker demands and paid more than $150,000 to recover data. In another ugly twist, some IT consulting firms and cybersecurity companies that claim to clean up ransomware are secretly paying attackers as part of their ransomware recovery services.
Still, paying the ransom doesn’t guarantee that hackers will decrypt hostage data. Even worse, a payment may inspire hackers to return for repeat attacks. Recent SentinelOne research shows us that 45 percent of U.S. companies hit with a ransomware attack paid at least one ransom, but only 26 percent of these companies had their files unlocked. Furthermore, organizations that paid the ransoms were targeted and attacked again 73 percent of the time as attackers treat paying companies like ATMs, according to Chris Bates, VP, security strategy at SentinelOne.
MSPs and Government Agencies: Beware
MSPs that support U.S. towns, cities and government organizations, in particular, should be on high alert. In recent months, ransomware and malware attacks have targeted municipal IT operations, government and transportation systems. Here are some examples:
- June 26, 2019: Lake City, Florida, discloses ransomware attack and payment.
- June 20, 2019: City Riviera Beach, Florida, discloses ransomware attack and payment.
- May 7, 2019: City of Baltimore hit with ransomware attack.
- April 2019: Cleveland Hopkins International Airport suffered a ransomware attack.
- April 2019: Augusta, Maine, suffered a highly targeted malware attack that froze the city’s entire network and forced the city center to close.
- April 2019: Hackers stole roughly $498,000 from the city of Tallahassee.
- March 2019: Albany, New York, suffered a ransomware attack.
- March 2019: Jackson County, Georgia officials paid cybercriminals $400,000 after a cyberattack shut down the county’s computer systems.
- March 2018: Atlanta, Georgia suffered a major ransomware attack.
- February 2018: Colorado Department of Transportation (CDOT) employee computers temporarily were shut down due to a SamSam ransomware virus cyberattack.
That’s a troubling government list. But there certainly are example ransomware attacks across all industry verticals.
MSPs: Protect Your Credibility
So, where does the MSP industry go from here? It’s time for an urgent, industry-wide reset, ChannelE2E believes.
Among the steps ChannelE2E strongly recommends:
- Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
- Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.
- Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.
- Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
- Continue to attend channel-related conferences, but extend to attend major cybersecurity events — particularly RSA Conference, Black Hat and Amazon AWS re:Inforce.
The recommendations above require industry-wide commitment. The vast majority of MSPs and technology providers are committed to thwarting ransomware. But MSP market laggards that don’t raise their defenses threaten to tarnish the entire industry’s reputation, ChannelE2E believes.
MSPs and Ransomware: What the Future Holds
How will all this play out?
- In a worst-case scenario, the MSP industry could be torn apart if ransomware-related lawsuits fly between end-customers, MSPs and their technology providers.
- In a best-cast scenario, MSPs and their technology providers emerge as Dark Knights that snuffed out ransomware long before attacks reached end-customer systems.
- Anywhere in-between leaves us with a crime-ridden Gotham that tarnishes the MSP industry as a whole.
Rise to the occasion.
Good write up Joe.
If we let our professional reputation as MSPs become associated with increased risk instead of protection then we have a huge problem. July 4th is around the corner. Holidays are when a lot of these incidents peak in activity. Any large outbreak within MSPs that affect a large number of clients is likely to be picked up by mainstream press. If that happens the message they publish will be that MSPs are dangerous, bring your IT in-house.
I have seen peers revel in the pain of ransomed brethren thinking they’ll pick up business. This is dangerous and short sighted thinking. We will all be suspect as an industry.
We need to validate data that proves MSP clients are safer than non-MSP clients and urge our laggard brethren to improve cyber hygiene.
Great article. As you rightfully pointed out, most of these issues aren’t software breaches, they almost all stem from stolen credentials.
Google’s recent study shows how effective various forms of MFA are against account takeovers stemming from stolen credentials: https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
MSPs are still adopting and selling basic security as if it’s an option. Routers and firewalls were security add ons in the ’80s and ’90s, and we wouldn’t create a network without them today. It’s time for the MSP industry to close the basic security adoption gap, and regain their trusted advisor status by mandating proper security controls. Opting out doesn’t protect the MSP or the customer.
“Redouble your efforts. 2FA everything. Use strong authentication on customer-facing applications, any remote access, and cloud-based email. There are examples of 2FA vulnerabilities, but they don’t excuse lack of implementation.”
2019 Verizon Data Breach Investigation Report Summary
Oli, Jeremy: Thanks for weighing in. This has been a strange day. Pieces of the blog have been swirling in my head for a few months. Other pieces surfaced earlier this week. It all came together during a long sit-down at the keyboard on Wednesday morning. By coincidence, another report just surfaced involving China hacking eight major MSPs.
Why I’m upbeat: MSPs from across the industry are hitting my inbox, describing how they’re taking a stand.
Why I’m concerned: I think some companies still view this as a tech sales issue. Sell and activate more products, and we’ll solve the problem. No doubt, there are some great products out there. But I think this only gets solved with (1) true risk assessments, and (2) associated risk mitigation, and a continuous cycle between the two.
-jp
Excellent piece! I agree with Oli and Jeremy. The old saying, “better to be paranoid than dead” sticks here. We need to be ever vigilant. Constantly, reviewing and where necessary upgrading your security solution stack, this includes education, and policies management. Did I mention education? It’s the little things here, attention to detail and did I mention education?
Great article Joe. Our team was discussing this earlier this week. In its simplest form, we equated it to the safety check that airlines give before a flight. If the oxygen masks fall from the overhead console due to loss of air pressure, put the mask on yourself first before helping others. Protect your MSP first.
I think Jeremy Young nailed it too. Don’t shortcut because you think your team knows better. MSP networks can’t have holes. Implement the best practices and tools that drive security BEFORE it happens to you.
Joe:
This popped up in my feed today and it is doubly more valid than the day you wrote it. I am sitting in the Nashville airport right now. Last night as I prepared for my flight home today and ruminate over the Kaseya attack a comparison struck me. A year ago a MSP friend of mine rejoiced in his primary cross town competitor getting Ransomware. He viewed it as an opportunity to pick up some of their business. But Southwest Airlines can’t rejoice when an American Airlines jet crashes. Southwest won’t pick up more passengers. Instead, fliers will lose confidence and stop flying. It is in the vital interest of the whole airline industry that all flights safely reach their destination or the whole industry suffers. So goes it with MSPs and ransomware.
Hey Oli: Safe travels, and thanks for your ongoing readership. I know there’s no single solution to protect the MSP industry from ransomware attacks. But I think the overall MSP market (vendors and their MSP partners) was put on notice in May 2021, when President Biden’s executive order on cybersecurity specifically mentioned IT service providers a dozen or more times. You gotta wonder if national regulations are coming sooner rather than later…
-jp