Everything MSPs and MSSPs Need to Know about Ransomware

The 30^th anniversary of ransomware is coming up in December, and it’s safe to say ransomware has come a long way from the first 1989 attack that was spread by floppy disks delivered via snail mail.

The modern era of ransomware really began in 2013 with CryptoLocker, which was the first ransomware to spread through compromised websites and emails. Ransomware has continued evolving since then, up until targeted large-scale attacks like SamSam and Ryuk became common in 2018. This year, as we found in our 2020 Threat Report, we’ve seen attackers raise the stakes even more by changing or adding traits to confuse anti-ransomware protection.

Ransomware attacks are increasingly aggressive and devastating, and MSPs and MSSPs need to understand the ways in which they themselves are at risk. Cybercriminals are infecting MSPs and MSSPs with the goal of reaching their customers’ systems in turn. Responding to an attack is costly, whether you’re spending time finding ways to decrypt files yourself or shelling out money for a ransom. Either way, ransomware attacks can result in lost business productivity and potentially business-threatening downtime, and there’s more MSPs and MSSPs could be doing to guard against these threats.

Let’s take a closer look at today’s ransomware landscape and how MSPs and MSSPs can help organizations stay protected.

How Ransomware Attacks Start

There are a few common techniques used among attackers, including three ways ransomware attacks tend to start. Attackers might send malicious phishing emails that look legitimate, but are designed to get the target to open or download an attachment. By opening those attachments, ranging from Word documents with macros to JavaScript files disguised as .txt files, victims unwittingly install the ransomware on their systems.

Another common way to get infected is through poisoned websites–legitimate websites that have been infected with an exploit kit. Users might hover over an ad or click on something that looks innocent. In some cases, just visiting the page is enough to accidentally install ransomware on the computer and run it.

A third technique, often used to infiltrate MSP and MSSP networks, involves exploiting Remote Desktop Protocol (RDP) and other remote access holes. Each computer running RDP is a potential gateway into an organization’s internal network–and they’re often protected by nothing more than a username and password. Attackers have found great success guessing individual passwords, sometimes by brute force, to gain access to corporate networks and conduct ransomware attacks.

How Ransomware Attacks Unfold

After the initial exposure, there are two ways ransomware attacks typically unfold: what we call “fire and forget,” or targeted ransomware.

Fire and forget attacks aim for a high volume of smaller ransoms. Cybercriminals launch an attack aimed at a number of organizations, and they use automated techniques to try to infect as many computers as possible. Here’s how this might play out: After using a malicious email or compromised website to gain entry, attackers download ransomware that encrypts files and deliver a ransom note demanding payment to decrypt those files.

Targeted ransomware, on the other hand, focuses on one victim at a time, but demands much higher ransom fees. These manual attacks tend to gain access to a network through RDP or malware. They then move laterally through the network, escalating their privileges to administrator, spreading ransomware that encrypts files, and ultimately demanding a ransom.

How to Stay Protected

It should come as no surprise that ransomware attacks can be incredibly costly for MSPs and MSSPs. In fact, an MSP recently paid $150,000 to hackers to recover data after a ransomware attack that spread out to their end-customer systems. Trying to avoid downtime and data loss requires a proactive approach with advanced protection at every stage of an attack, from network protection to securing endpoints.

Having effective security products isn’t all it takes, however. Educating employees about ransomware and the phishing techniques commonly used to launch attacks can help stem attacks at their access point. For MSPs and MSSPs, this means both educating your employees and providing resources for customer education.

To that end, here are a few security best practices to keep in mind.

• Always be cautious about unsolicited email attachments, and don’t enable macros in attachments received via email. Open JavaScript (.JS) files in Notepad so you can scan the file contents for malicious code first.
• Enable two-factor authentication.
• Either implement Tamper Protection or lower user privileges from Admin on the local PC, to prevent the uninstallation of security services.
• Apply patches early and often.
• Use strong passwords and change them often. And as always, backup regularly and keep a backup file off-line and off-site.

Scott Barlow is VP Global MSP, Sophos.

This guest blog is part of a Channel Futures sponsorship.