Cybersecurity Roundup: MSP Ransomware Update, McAfee, Secureworks-Microsoft, Exabeam

This summer's ransomware attack that hit 22 Texas cities was through an MSP.

Edward Gately, Senior News Editor

November 5, 2019

10 Min Read
Cybersecurity Roundup, security roundup

The number of MSPs that have been compromised by ransomware continues mounting, with the total number reaching 13 since the start of the year, according to a new report by Armor, a global cloud security provider.

Armor has identified six new MSPs and/or cloud-based service providers that have been compromised. What appears to be three of the most damaging ransomware attacks against MSPs involved dental practices and municipalities, such as PerCSoft, a Wisconsin-based MSP that offers technology solutions including computers, software, digital equipment, phone systems and audio, and PM Consultants, an Oregon-based MSP providing IT consulting services to dental practices including software updates and backups, according to Armor.

To find out more about why a growing number of MSPs are being targeted, we spoke with Ryan Smith, Armor’s director of product management.

CF: Why are so many MSPs being targeted with ransomware? What makes them attractive targets?


Armor’s Ryan Smith

Ryan Smith:  As with any series of cyberattacks, Armor believes that the ransomware attacks against MSPs are a mix of both targeted and opportunistic attacks. In other words, we believe that many of the threat actors are initially doing the ‘spray and pray attacks,’  whereby they launch widespread, indiscriminate attacks not targeting any particular type of organization. Once they have acquired a list of initial victims, they comb through their victim list looking for the really desirable victim organizations. Upon seeing that they have snared an MSP,  they then download their ransomware.

Being able to compromise an MSP makes a very attractive target because it gives the attacker a ‘one to many’ scenario. In other words, by hitting one MSP they can potentially infect all or many of an MSP’s customers. We saw this with PerCSoft. Approximately 400 of their dental practice customers were seriously impacted by the attack. We also saw this with the TSM Consulting. They suffered a notable ransomware attack in August, that in turn affected  22 Texas municipalities at once. This type of widespread attack can certainly put a lot of pressure on the MSP to pay the ransom.

CF: Are there any similarities between the compromised MSPs?

RS: The list of other victim MSPs is diverse, with some connected perhaps by their impact on professional groups such as attorneys, real estate agents and accountants:

  • CorVel, which offers health care management services in support of worker’s compensation, auto, liability, disability insurance and group health.

  • Apex Human Capital, which offers payroll, human resources.

  • iNSYNQ, which provides QuickBooks accounting services for accounting firms.

  • TSM Consulting, which offers software and IT services for the public safety sector including law enforcement.

  • MetroList, which offers computer and multilisting services for 20,000 California real estate agents.

  • TrialWorks, which offers case management software and cloud backup for attorneys

CF: How are these MSPs being impacted by ransomware? Have they suffered damage? If so, how?

RS: In the case of PM Consultants, it has unfortunately shuttered their business. In the case of PerCSoft , it appears from various news sources and online posts that they…

…paid the ransom, although the company has not stated this on the record. In the case of MetroList, a ransom was definitely paid, and MetroList paid a $10,000 deductible. In cases this year where insurance deductibles of $10,000 have been paid, such as by Lake City, Florida, LaPorte County and Rockville Center School District, the ransom demands have been reported in the six figures. None of the MSP victims have disclosed their ransom demands.

The damage to the reputations of these MSPs, and the loss of business during or after the attacks is difficult to quantify. According to research by Datto, the average cost this year of downtime from a ransomware attack has risen 200% to $141,000.

CF: Do these attacks represent challenges/opportunities for MSSPs and other cybersecurity providers? How can they help protect these organizations?

RS: The ransomware attacks against the MSPs present an opportunity for MSSPs and MSPs to form partnerships whereby the MSPs gain access to  proven, comprehensive and business-enabling cybersecurity services at an affordable price. And of course, providing these security services to the MSPs can open a whole new line of business for the MSSP, so a partnership benefits both provider groups. One might wonder why are so many MSPs becoming victims of ransomware. It is the same reason so many organizations are being hacked. Security is hard. Once unauthorized access is gained to a system, all it takes is executing a malicious binary to start encrypting an organization’s files. Ransomware isn’t the tool of compromise, it’s the product; it’s a symptom.

Cybersecurity is all MSSPs do. This is their total focus, and because they are continually tracking and researching the current and emerging cyber threats, they know how to detect, respond and contain the malicious threats in real-time. Partnering with an MSSP or cybersecurity solution provider will give the MSP the peace of mind knowing that their and their customers’ data is protected 24/7/365, enabling the MSP to focus on the business they do best, their core business.

CF: Are we likely to see more MSPs compromised?

RS: Infecting an MSP with ransomware can negatively affect many of their customers and all at once, thus putting a lot of pressure on the MSP to pay the ransom, which several have. This signals to the cybercriminals that compromising MSPs can be very lucrative. With this being the case, we have no doubt that we will see more MSP victims. Hopefully, however, these attacks will be a wake-up call to MSPs that they must make cybersecurity a top priority, it cannot be an afterthought. They must implement cybersecurity protections which are comprehensive and which are continually evolving so as to protect their company and their…

…customers’ informational assets.

Armor offers the following ransomware protection tips for MSPs:

  • Offline data backups – users must have multiple backups of their critical data, applications and application platforms.

  • A white listing solution limits the use of applications and processes that are allowed to run in your environment by providing a short list of approved applications and processes.

  • File integrity monitoring, which monitors your IT environment 24x7x365 for changes to critical OS, files and processes such as directories, registry keys and values.

  • Practice least privilege access control to ensure the user has the least privilege for their job.

  • Audit/penetration testing from independent, third-party experts to ensure that you are implementing best practices.

  • IP reputation monitoring/blocking to block known bad infrastructure and actors.

  • Continuous security awareness training that should actively engage employees and include policies concerning the correct response to suspected phishing attempts.

  • Endpoint protection, including protection, detection and response capabilities for laptops, workstations and mobile devices.

McAfee: Phishing Campaign Targeting Office 365 Users

During the past few weeks, McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials.

McAfee found three different malicious kits and evidence of several high-profile companies being targeted. The attack begins when the victim receives an email informing them that they have missed a phone call, along with a request to log in to their account to access their voicemail.

The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonation of staff, which could be very damaging to the company, according to McAfee. The entered credentials also could be used to access other services if the victim uses the same password, and this could leave them open to a wider of range targeted attacks.


McAfee’s Oliver Devane

Oliver Devane, senior security researcher at McAfee, tells us this campaign is a reminder that phishing attacks are a very common method used by bad actors.

“The challenge is the victim is generally unassuming; the more education organizations can provide their employees to help them identify these types of malicious emails, the closer they will be to defeating them,” he said.

What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link. This gives the attacker the upper hand in the social engineering side of this campaign, according to McAfee.

Businesses should enable multifactor authentication (MFA) and ask their staff to not use the same password across multiple services, Devane said. They should also offer training to their staff so they can spot these types of phishing emails.

When possible for enterprise customers, McAfee recommends blocking .html and .htm attachments at the email gateway level so this kind of attack will not reach the final user.

“We observe phishing campaigns regularly and don’t expect them to stop,” Devane said. “The vulnerability at play here is the target/victim. If they do not open the attachment the phishing emails will not work.”

Secureworks, Microsoft Team Up for Improved Detection

Secureworks has initiated a new partnership with Microsoft aimed at improving the detection of advanced cyberattacks across endpoints, networks, cloud and business systems. Secureworks said…

…this is the next step in its transformation from a pure-play MSSP into a cloud-based cybersecurity software provider.

Secureworks’ SaaS application, Red Cloak threat detection and response (TDR), will ingest raw telemetry from the Microsoft Defender advanced threat protection (ATP) platform, further enhancing the data that fuels Red Cloak advanced analytics. Microsoft Defender ATP customers, in turn, will benefit from a wider threat vector lens because of Secureworks’ threat intelligence, enhanced by the company’s visibility across a wide variety of endpoint, network, cloud and business systems in thousands of customer environments globally.


Secureworks’ Chris Bell

Chris Bell, Secureworks’ director of product management and alliances, tells us this new solution will allow Secureworks partners to sell Red Cloak TDR and managed detection and response (MDR) powered by Red Cloak to end customers who have deployed Microsoft Defender ATP.

“The deployment is seamless for partners because it doesn’t require another endpoint agent to get the benefits of TDR or MDR,” he said. “This integration provides market-leading threat intelligence from Secureworks and Microsoft. Customers and partners of Microsoft will benefit from our integration with Red Cloak TDR and Microsoft Defender ATP by the following value points: detecting advanced threats; reducing the noise by trusting alerts from Red Cloak TDR and Microsoft Defender ATP; streamlining and collaborating on investigations; [and] automating the right action leveraging Microsoft’s response and containment APIs.”

Exabeam Expands to Latin America via Westcon-Comstor

Exabeam and Westcon-Comstor Americas have signed a distribution agreement to accelerate Exabeam’s business growth in the Latin America (LATAM) region.

Through this partnership, the Westcon network will execute Exabeam’s go-to-market strategy for LATAM, and provide transaction and operations support, allowing existing channel partners to increase Exabeam sales. Additionally, Westcon will recruit and train channel partners to ensure Exabeam’s growth in new markets throughout the region.

Exabeam and Westcon’s mutual channel partners distribute the Exabeam Security Management Platform (SMP) for security information and event management (SIEM) and machine learning (ML)-powered user and entity behavior analytics (UEBA). This allows enterprises seeking security intelligence to more rapidly and efficiently detect, investigate and respond to cyberattacks, according to Exabeam.

With this agreement, security-focused resellers in every Latin American country can now offer and sell Exabeam to their customers.

Ken Hammond, Exabeam’s area vice president of Americas and APJ channels, tells us his company’s partners will be able to “move more quickly to serve their large customers who are seeking the very best in security management.”

“In addition, many of these LATAM customers have locations across LATAM with specific evaluation and security needs,” he said. “Westcon is well-placed to provide credit, local pricing and delivery across LATAM. Exabeam has been very successful in Mexico, but this announcement will accelerate our growth across LATAM. Exabeam, due to customer demand and rapid sales growth, is investing in sales and tech resources in SLED, APJ, EMEA and with its broad group of technology alliance partnerships.”

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like