Ransomware and MSP Lockout
Recent attacks on MSPs have highlighted RMM vulnerabilities, reinforcing the need for a security-centric approach in MSPs' foundational practices.
April 10, 2019
Sponsored by Barracuda MSP
As a managed services provider (MSP), you want to ensure that your clients’ networks, servers, data, and applications remain secure. You don’t want to overlook any gaps in their cybersecurity defenses that could leave them vulnerable to a data breach or other type of attack.
To that end, MSPs need to ensure that their own systems and applications aren’t creating vulnerabilities. We know that groups of cybercriminals are now specifically targeting MSPs: The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings to MSPs about these attacks and conducted additional briefings in February about malicious activity in China that targeted MSPs.
Last year, an MSP in California was locked out of its systems by a ransomware attack and was forced to shut down its network. In turn, the company’s clients lost access to their email and databases. What could be worse?
Well, an MSP could fail to patch a remote monitoring and management (RMM) system, enabling a ransomware attack that encrypts all of its customers’ endpoint systems. According to several reports, that’s what happened to a U.S.-based MSP in February. An RMM vulnerability resulted in approximately 2,000 client systems being crypto locked, and the attacker made a $2.6 million ransom demand to the MSP.
This is the type of attack that should make any MSP’s blood run cold — it’s what has been described online as an “extinction-level event” for a service provider. Even if the MSP successfully restores all of those client systems, how could those relationships or that business ever really recover?
And the worst part is, this could have been prevented. In the case of the California incident, the underlying issue was a known vulnerability in a ConnectWise plugin used in the Kaseya VSA RMM tool. It's a problem that was identified several years ago, and a patch was available. It just wasn't implemented or was improperly installed. The attacker was able to access the RMM database as if he or she were an MSP administrator.
The problem was not isolated, either: Kaseya announced in February that it had identified 126 customers that were potentially at risk because of the same issue. At least four MSPs reportedly had all of their client endpoints encrypted with the GandCrab ransomware as a result.
The costs will be high, both in terms of ransom payments and in cleanup (which can be as much as ten times more expensive than the ransom). Then there's the cost to the client in lost business and the damage to the reputation of the MSP.
Why a Security-Centric Approach to RMM is Vital
A more security-centric approach to RMM can help MSPs prevent these kinds of disasters and keep their internal systems and their customers’ data access secure. Barracuda recently acquired Managed Workplace, an RMM tool that provides features like built-in site security assessments that allow MSPs to rapidly assess customers’ anti-virus, patch, passwords, user configurations, and network security levels. With this tool, MSPs can monitor devices, websites, applications, and security settings, and receive alerts when immediate corrective actions are required.
Avoiding the types of ransomware attacks described above requires more than just a better RMM tool. MSPs have to ensure they are using multi-factor authentication, restricting administrative privileges, backing up data daily, and keeping OS and application patches up to date.
Just as important, they need to have a frank discussion with their RMM and other application providers about their password, authentication and administrative privilege practices, and perform due diligence when it comes to known or emerging vulnerabilities.
While no cybersecurity defenses can guarantee 100 percent protection, leveraging a security-centric RMM and instituting strong internal security practices can give MSPs much better odds of avoiding unnecessary catastrophe.
Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.
This guest blog is part of a Channel Futures sponsorship.