Victims’ Experiences Likely Vary in Aftermath

Victim organizations’ experiences likely vary depending on how good their business continuity and disaster recovery planning is for themselves and their customers, said WatchGuard Technologies‘ Corey Nachreiner.

“In either case, even the better-prepared ones will likely have a busy week,” he said. “In short, the MSPs really hit by this would return to computers in their own infrastructure with ransom messages. They wouldn’t be able to complete the tasks they use those devices for if the data involved with that work was encrypted. As they are dealing with and learning of their own device and data issues, they would also start to get calls from customers whose IT they manage who are finding themselves in the same situation.”

MSPs have to balance running their own investigation and remediation while also managing their customers, Nachriener said.

“This is a security incident, which means most mature companies would want to run a formal investigation,” he said. “That starts with getting your legal counsel involved, gathering tons of evidence following the right practices and documenting everything. This is what you have to do before you even start recovering or you risk destroying evidence. So the MSP has to consider doing that for their own organization, but will also have customers in the same situation. In short, even if you are prepared for it, this is not a cakewalk. Some will be able to recover quicker than others, since they had the right plan in place beforehand. But even then, it can be time consuming.”