MSP Judgment Day: Ransomware Attacks Threaten Industry Credibility, Reputation
The MSP industry — spanning technology companies, service providers and more — could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, attacks and fallout, ChannelE2E believes.
On the one hand, MSPs (managed IT services providers) and their technology partners deserve major credit for stopping, mitigating and/or recovering customers from ransomware attempts and attacks. But on the other hand, key portions of the MSP industry have failed to raise their defenses despite specific FBI and U.S. Department of Homeland Security warnings to MSPs about such attacks.
Related Research: Total Economic Cost of an MSP Cyberattack
Hackers Poison MSP Tools
There’s a bit of irony here. Many MSPs want to be considered high-end, professional service providers — on par with attorneys, accountants and perhaps even doctors. But imagine if a surgeon walked into an operating room without properly scrubbing down. And imagine if the associated operating tools were infected before you even opened up the patient you’re trying to save.
Scalpels designed for precision MSP surgery are becoming weapons of mass business destruction.
That’s the situation unfolding within the MSP market. Indeed, hackers continue to target RMM (remote monitoring and management), remote access, remote control and cybersecurity software as a springboard into end-customer systems.
Many of the attacks have involved compromised credentials (i.e, user names and passwords) rather than product vulnerabilities. In other words, the tools are basically clean. But inconsistent business practices involving technology vendors and MSPs have occasionally triggered end-customer infections. For instance, why would any MSP leverage basic user name and password practices to lock down their most mission critical IT systems — the very IT systems that extend into end-customer systems?
Also, there’s growing concern about so-called supply chain attacks — which involves hackers injecting malware into vendor software, and then MSPs downloading and deploying that software without knowing about the infection. Once the attackers spring their trap, ransomware typically spreads across MSP and end-customer systems.
Investors Also At Risk: This isn’t just a small business or regional MSP issue. Billions of dollars in private equity investments, venture capital and shareholder returns are at stake. Indeed, the bulk of the MSP technology industry is now backed by some form of third-party funding.
Some MSPs, IT Consultants Pay Hackers for Ransomware Recovery
No doubt, thousands of MSPs and hundreds of vendors have raced to embrace proper risk mitigation, cybersecurity, and data protection strategies for themselves and their customers. But thousands of additional MSPs remain security laggards, ChannelE2E believes. Further complicating matters, any IT support shop can now call itself an MSP simply by activating SaaS-based management tools that offer automation and remote monitoring capabilities.
Meanwhile, the risks are escalating. More than 4,000 ransomware attacks have taken place daily since 2016, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security, ProPublica reports.
Some of those attacks are hitting MSPs hard. And some service providers are actually opening their wallets — in a bad way — to recover encrypted data.
“You either die a hero, or you live long enough to see yourself become the villain.”
— Harvey Dent, The Dark Knight, 2008
Following one recent attack, an MSP bowed to hacker demands and paid more than $150,000 to recover data. In another ugly twist, some IT consulting firms and cybersecurity companies that claim to clean up ransomware are secretly paying attackers as part of their ransomware recovery services.
Still, paying the ransom doesn’t guarantee that hackers will decrypt hostage data. Even worse, a payment may inspire hackers to return for repeat attacks. Recent SentinelOne research shows us that 45 percent of U.S. companies hit with a ransomware attack paid at least one ransom, but only 26 percent of these companies had their files unlocked. Furthermore, organizations that paid the ransoms were targeted and attacked again 73 percent of the time as attackers treat paying companies like ATMs, according to Chris Bates, VP, security strategy at SentinelOne.
MSPs and Government Agencies: Beware
MSPs that support U.S. towns, cities and government organizations, in particular, should be on high alert. In recent months, ransomware and malware attacks have targeted municipal IT operations, government and transportation systems. Here are some examples:
- June 26, 2019: Lake City, Florida, discloses ransomware attack and payment.
- June 20, 2019: City Riviera Beach, Florida, discloses ransomware attack and payment.
- May 7, 2019: City of Baltimore hit with ransomware attack.
- April 2019: Cleveland Hopkins International Airport suffered a ransomware attack.
- April 2019: Augusta, Maine, suffered a highly targeted malware attack that froze the city’s entire network and forced the city center to close.
- April 2019: Hackers stole roughly $498,000 from the city of Tallahassee.
- March 2019: Albany, New York, suffered a ransomware attack.
- March 2019: Jackson County, Georgia officials paid cybercriminals $400,000 after a cyberattack shut down the county’s computer systems.
- March 2018: Atlanta, Georgia suffered a major ransomware attack.
- February 2018: Colorado Department of Transportation (CDOT) employee computers temporarily were shut down due to a SamSam ransomware virus cyberattack.
That’s a troubling government list. But there certainly are example ransomware attacks across all industry verticals.
MSPs: Protect Your Credibility
So, where does the MSP industry go from here? It’s time for an urgent, industry-wide reset, ChannelE2E believes.
Among the steps ChannelE2E strongly recommends:
- Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
- Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.
- Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.
- Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
- Continue to attend channel-related conferences, but extend to attend major cybersecurity events — particularly RSA Conference, Black Hat and Amazon AWS re:Inforce.
The recommendations above require industry-wide commitment. The vast majority of MSPs and technology providers are committed to thwarting ransomware. But MSP market laggards that don’t raise their defenses threaten to tarnish the entire industry’s reputation, ChannelE2E believes.
MSPs and Ransomware: What the Future Holds
How will all this play out?
- In a worst-case scenario, the MSP industry could be torn apart if ransomware-related lawsuits fly between end-customers, MSPs and their technology providers.
- In a best-cast scenario, MSPs and their technology providers emerge as Dark Knights that snuffed out ransomware long before attacks reached end-customer systems.
- Anywhere in-between leaves us with a crime-ridden Gotham that tarnishes the MSP industry as a whole.
Rise to the occasion.