How MSP-Managed Endpoints Can Deal With Ransomware

Training is the most important tool in battling ransomware.

February 19, 2019


By Derek Handova

How can an MSP provide critical cyber and cloud security that will satisfy IT pros and end users while effectively thwarting ransomware? This article lays out the endpoint security trends that matter in the market, illustrates how MSP-managed endpoints can deal with ransomware, and offers insight into the state of ransomware in the channel.


CipherTechs’ Eric Dowsland

The common denominator among the ransomware experts consulted for this article is training: dealing with this scourge at the endpoint starts with raising the security awareness of enterprise personnel. The untrained worker is the most likely point of entry for ransomware at the endpoint, according to these experts.

“In our experience, the leading cause of ransomware infection is due to the uneducated employee,” says Eric Dowsland, CISSP and director of managed security services, CipherTechs, which delivers security solutions for businesses. “Without strong cybersecurity awareness, your employees won’t have the skills to identify phishing emails and spoofed websites, which host the compromised malware that causes this attack.”

Ransomware essentially takes control of an end user’s machine by encrypting everything on it, which makes the machine nearly unusable and holds all data on the device hostage until the ransom is paid. But where does ransomware come from? The majority of infections start with users clicking malicious links or downloads, according to C-level infosec experts. The number of drive-by attacks, or drive-by downloads, in which an employee visits a website that installs malware without her knowledge, has been cut drastically by modern security improvements.


Clear Guidance Partners’ Dustin Bolander

“So now ransomware is revolving heavily around user interaction,” says Dustin Bolander, CIO, Clear Guidance Partners, provider of fractional CIO services and managed IT. “A lot of it comes in via email, whether as attachments or as a link to a site that prompts a download.”

In his opinion, user training is the No. 1 way to combat ransomware, because it puts a healthy sense of fear into people so they think before they click. But that is only the first part; IT also needs to be very responsive when users call and ask whether an emailed invoice is legitimate. “If they’re having to wait hours to find out, that decreases the likelihood that they will check in next time, defeating the purpose,” Bolander says.

Biggest Ransomware Challenges at the Endpoint


Malwarebytes Labs’ Adam Kujawa

Ransomware and malware are constantly evolving, modified by their creators to attack users more effectively and to evade detection by security software. One of the biggest challenges for MSP-managed endpoints is keeping up with that cat-and-mouse game: one side develops new technology, the other gets around it, the first side patches, and so on.

“We’ve seen so many ransomware families over the years – especially ones that encrypt files – show up out of nowhere and cause significant problems,” says Adam Kujawa, director of Malwarebytes Labs at Malwarebytes. “It’s most important to identify ransomware-like processes and kill them instead of trying to hunt and identify specific ransomware families.”
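The approach Kujawa describes, scoring what a process does to files rather than matching a known family, can be reduced to a small behavioral rule. The following is an added example written for this article; it is not the article's or Malwarebytes' code. It scores a per-process stream of file-write events and flags any process that, within a short window, rewrites many distinct files with encrypted-looking (high-entropy) content under a new extension. The event shape, the thresholds and the sample event stream are all assumptions made for illustration.

```python
"""Behavioral ransomware-process scoring (added example; not the article's
or Malwarebytes' code). Flags a process that, within a short window,
rewrites many distinct files with high-entropy content and a new extension.
Event shape, thresholds and sample data are assumptions."""
import hashlib
import math
import os
from collections import defaultdict

WINDOW_SECONDS = 10.0   # assumed: how far back we look per process
MIN_FILES = 20          # assumed: distinct files rewritten before we score
MIN_HIGH_ENTROPY = 0.8  # assumed: share of writes that look encrypted
MIN_EXT_CHANGED = 0.5   # assumed: share of writes that changed extension
ENTROPY_BITS = 7.5      # bits/byte; text is ~4-5, ciphertext approaches 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample written (0 for an empty write)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def score_processes(events):
    """events: dicts with t (seconds), pid, old_path, new_path, sample (bytes
    written). Returns the set of pids whose activity crossed every threshold."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        by_pid[ev["pid"]].append(ev)

    flagged = set()
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            # slide the window so it covers at most WINDOW_SECONDS
            while evs[end]["t"] - evs[start]["t"] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            if len({e["old_path"] for e in window}) < MIN_FILES:
                continue
            high = sum(shannon_entropy(e["sample"]) > ENTROPY_BITS for e in window)
            changed = sum(_ext(e["old_path"]) != _ext(e["new_path"]) for e in window)
            if (high / len(window) >= MIN_HIGH_ENTROPY
                    and changed / len(window) >= MIN_EXT_CHANGED):
                flagged.add(pid)  # candidate to suspend or kill, then alert
                break
    return flagged


def build_sample_events():
    """Constructed event stream: a word processor (pid 100) saving three
    documents, and an encryptor (pid 666) rewriting 30 files in 5 seconds."""
    plaintext = b"Quarterly revenue report, draft 3\n" * 100
    # deterministic stand-in for ciphertext: 4096 bytes of SHA-256 output
    ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    events = []
    for i in range(3):
        path = f"C:/Users/amy/Documents/memo{i}.docx"
        events.append({"t": i * 30.0, "pid": 100, "old_path": path,
                       "new_path": path, "sample": plaintext})
    for i in range(30):
        path = f"C:/Users/amy/Documents/file{i}.xlsx"
        events.append({"t": 40.0 + i / 6, "pid": 666, "old_path": path,
                       "new_path": path + ".locked", "sample": ciphertext})
    return events


if __name__ == "__main__":
    print("ransomware-like pids:", score_processes(build_sample_events()))
```

The word processor never crosses the distinct-file threshold, so it is never scored; the encryptor is flagged on its twentieth file. In practice the thresholds are tuned per environment, and a planted canary file that should never be written gives a cheaper, earlier signal alongside this scoring.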

But also keep in mind that the motivation for ransomware is predominantly, if not exclusively, financial. The goal is to extort money from the intended victim and successfully collect the ill-gotten gains once they have been sent.


Bryan School’s Nir Kshetri

“In traditional ransomware, it is easy to steal the victim’s money, but bringing the money to the criminals is the most difficult part,” says Nir Kshetri, Ph.D. and professor at Bryan School of Business and Economics, University of North Carolina at Greensboro. “Some international cybercriminals send it to people in the victims’ country. Or they recruit money mules to launder funds. Mules help move stolen money from one account to another. But the criminals engage in a risky strategy with low success. Ransomware solves many of these problems.”

The main driver of ransomware is criminals who would rather hold files and systems for ransom than steal information and resell it, according to Kujawa.

Defenses Against Ransomware at the Endpoint

Layered security is always the best defense against ransomware, according to security experts, especially when those layers are augmented by AI and machine learning to detect and stop the newest ransomware samples before they reach and execute on employee machines.

“Email attachments are a common attack vector for infecting organizations by deploying fileless malware or scripts into tainted attachments,” says Liviu Arsene, global cybersecurity analyst at Bitdefender, an IT security software vendor. “Having a security solution that’s able to strip those attachments before they reach the employee and detonate them in a controlled environment is an ideal solution.”

Some ransomware samples are delivered via exploits for unknown vulnerabilities, or for known but unpatched ones, including in open-source components, which is why the security solution should combine anti-exploit technologies with patch management capabilities that ensure timely deployment of the latest security updates.

Phishing email is still typically the most common infection vector, but remote desktop protocol (RDP) is increasingly the entry point for targeted attacks on organizations, according to security experts. That heightens the importance of a tested backup/disaster recovery strategy.
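An RDP intrusion usually announces itself in the Windows Security log as a run of failed logons followed by a success from the same address. The following is an added detection example written for this article, not code from the article or from any vendor quoted in it. The log lines are constructed in a simplified one-event-per-line key=value form standing in for events 4625 (failed logon) and 4624 (successful logon); the failure threshold and window are assumptions.

```python
"""RDP brute force followed by a successful logon, over Windows Security
events. Added example; not from the article or any vendor. Log lines are
constructed in a simplified key=value form; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) User=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<lt>\d+)$")
FAIL_THRESHOLD = 5              # assumed
WINDOW = timedelta(minutes=10)  # assumed
RDP_LOGON_TYPE = 10             # RemoteInteractive


def parse_event(line):
    """One simplified event line -> dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "id": int(m["id"]), "user": m["user"], "ip": m["ip"],
            "lt": int(m["lt"])}


def detect_rdp_bruteforce(lines):
    """Returns alert tuples. Failed logons (4625) are counted per source IP
    regardless of LogonType: with Network Level Authentication the failed
    attempts are typically recorded as type 3, and only the eventual
    success shows up as a type 10 (RDP) 4624."""
    failures = defaultdict(list)  # ip -> timestamps of recent 4625s
    alerts = []
    for rec in filter(None, map(parse_event, lines)):
        ip = rec["ip"]
        recent = [t for t in failures[ip] if rec["ts"] - t <= WINDOW]
        if rec["id"] == 4625:
            recent.append(rec["ts"])
            if len(recent) == FAIL_THRESHOLD:   # alert once per burst
                alerts.append(("brute_force", ip))
        elif (rec["id"] == 4624 and rec["lt"] == RDP_LOGON_TYPE
              and len(recent) >= FAIL_THRESHOLD):
            alerts.append(("rdp_success_after_failures", ip, rec["user"]))
        failures[ip] = recent
    return alerts


# Constructed sample: six failures from one external address, then a
# successful RDP logon from it; unrelated normal logons mixed in.
SAMPLE_LOG = """\
2019-02-18T23:14:02 EventID=4625 User=administrator IpAddress=203.0.113.7 LogonType=3
2019-02-18T23:14:09 EventID=4625 User=admin IpAddress=203.0.113.7 LogonType=3
2019-02-18T23:14:15 EventID=4625 User=backup IpAddress=203.0.113.7 LogonType=3
2019-02-18T23:14:21 EventID=4624 User=amy IpAddress=198.51.100.4 LogonType=10
2019-02-18T23:14:30 EventID=4625 User=jsmith IpAddress=203.0.113.7 LogonType=3
2019-02-18T23:14:36 EventID=4625 User=jsmith IpAddress=203.0.113.7 LogonType=3
2019-02-18T23:14:44 EventID=4625 User=jsmith IpAddress=203.0.113.7 LogonType=3
2019-02-18T23:15:01 EventID=4624 User=jsmith IpAddress=203.0.113.7 LogonType=10
2019-02-18T23:20:10 EventID=4625 User=amy IpAddress=10.0.0.5 LogonType=2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert, a success from an address that has just failed repeatedly, is the one worth paging on; the first on its own is routine noise for any RDP port reachable from the internet, which is itself the finding an MSP should be reporting.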


Fidelis’ Tom Clare

“I had a call with a company hit by ransomware, and none of the backups worked and they did not have any security software in their environment,” says Raj Samani, chief scientist and McAfee fellow. “Good cyber hygiene is essential, but unfortunately many organizations neglect basic measures. For example, having a backup regime for data is imperative but testing and validating that good backups have been conducted is also important. Up-to-date security technologies and cyber awareness across the organization is imperative. Business losses can be significant if normal operations are not resumed in a timely manner.”
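Samani's point that backups must be validated, not just taken, comes down to a restore test: bring the data back somewhere safe and compare it with what was backed up. The following is an added example written for this article, not the article's or McAfee's code. It records a SHA-256 manifest at backup time, then checks a restored tree for files that are missing or whose content has changed. The manifest layout and the small sample tree built in a temporary directory are assumptions made for illustration.

```python
"""Restore test for a backup: recompute SHA-256 of every restored file and
compare it with a manifest taken at backup time. Added example; not from the
article or McAfee. Manifest layout and the sample tree are assumptions."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Returns (missing, corrupted): files absent from the restore, and
    files whose content no longer matches what was backed up."""
    missing, corrupted = [], []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            corrupted.append(rel)
    return missing, corrupted


def restore_test_demo():
    """Constructed scenario: back up a small tree and restore it (clean),
    then simulate one file lost and one silently overwritten, as an
    encrypting process would do. Returns (clean_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "live")
        os.makedirs(os.path.join(src, "finance"))
        for rel, body in [("finance/q4.xlsx", b"revenue,1200\n"),
                          ("finance/notes.txt", b"call auditor\n"),
                          ("readme.txt", b"hello\n")]:
            with open(os.path.join(src, *rel.split("/")), "wb") as f:
                f.write(body)
        manifest = make_manifest(src)

        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)
        clean = verify_restore(restored, manifest)

        os.remove(os.path.join(restored, "readme.txt"))
        with open(os.path.join(restored, "finance", "q4.xlsx"), "wb") as f:
            f.write(b"\x00encrypted-garbage\x00")
        damaged = verify_restore(restored, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_test_demo()
    print("clean restore ->", clean)
    print("damaged restore -> missing:", damaged[0], "corrupted:", damaged[1])
```

The manifest has to live somewhere the ransomware cannot reach, such as with the offline or immutable copy of the backup itself; a manifest stored next to the live data is just one more file to be encrypted.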

And the challenge of getting organizations back up and running after ransomware hits MSP-managed endpoints will get more difficult this year. Osterman Research, for example, predicts that after a “soft” year for ransomware in 2018, this species of malware will make a comeback in 2019.

Overall, MSPs need a holistic approach to ransomware, because not every system can be patched and many cannot run a security agent, which is often the case with embedded operating systems in non-standard devices, according to security solution specialists. “MSPs should be advising customers on network segmentation, stronger access and credentials controls, network traffic analysis, and deception to defend these systems against ransomware,” says Tom Clare, senior product manager, Fidelis Cybersecurity.
