Ransomware and MSP Lockout
As a managed services provider (MSP), you want to ensure that your clients’ networks, servers, data, and applications remain secure. You don’t want to overlook any gaps in their cybersecurity defenses that could leave them vulnerable to a data breach or other type of attack.
To that end, MSPs need to ensure that their own systems and applications aren’t creating vulnerabilities. We know that groups of cybercriminals are now specifically targeting MSPs: The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings to MSPs about these attacks and held additional briefings in February on China-based malicious cyber activity targeting MSPs.
Last year, an MSP in California was locked out of its systems by a ransomware attack and was forced to shut down its network. In turn, the company’s clients lost access to their email and databases. What could be worse?
Well, an MSP could fail to patch a remote monitoring and management (RMM) system, enabling a ransomware attack that encrypts all of its customers’ endpoint systems. According to several reports, that’s what happened to a U.S.-based MSP in February. An RMM vulnerability resulted in approximately 2,000 client systems being crypto-locked, and the attacker made a $2.6 million ransom demand to the MSP.
This is the type of attack that should make any MSP’s blood run cold — it’s what has been described online as an “extinction-level event” for a service provider. Even if the MSP successfully restores all of those client systems, how could those relationships or that business ever really recover?
And the worst part is, this could have been prevented. In the RMM incident, the underlying issue was a known vulnerability in a ConnectWise plugin used with the Kaseya VSA RMM tool. The problem had been identified several years earlier, and a patch was available. It just wasn’t applied, or was improperly installed. Either way, the exposure was the same: the attacker was able to access the RMM database as if they were an MSP administrator. A patch that is downloaded but never applied, or applied to some servers but not others, leaves that exposure intact, so patching has to be followed by confirming the installed plugin version on every RMM server, not just recording that the update was pushed.
The problem was not isolated, either: Kaseya announced in February that it had identified 126 customers that were potentially at risk because of the same issue. At least four MSPs reportedly had all of their client endpoints encrypted with the GandCrab ransomware as a result.
The costs of an incident like this are high, both in ransom payments and in cleanup (which can be as much as ten times more expensive than the ransom). Then there’s the cost to the client in lost business and the damage to the reputation of the MSP.