How Cybercriminals Use MSPs to Push Malware

In the beginning, ransomware attacks focused on quantity over quality. Ransomware like WannaCry was designed to hit as many targets as possible and to ask a relatively small ransom from each. While this tactic could be effective, it was often more trouble than it was worth, since the average person had no idea how to pay the ransom and had to be coached through the entire process.

As a result, many ransomware attackers are now focusing on high-value, targeted attacks. Instead of trying to extort a small ransom out of many victims, they select an organization with more resources and ask a much higher sum per attack. For example, the Ryuk ransomware attack against the city of New Bedford, Massachusetts carried a demand of $5.3 million in Bitcoin. However, in that case, the city chose to reject the ransom and restored systems from backups.

This newer, more targeted approach often makes ransomware attacks more dangerous. In the past, attackers mainly leveraged vulnerabilities like EternalBlue, which made WannaCry so effective. Modern ransomware attackers have the leisure to craft attacks and spear phishing emails that are tailored to their intended victims.

Why hackers are now targeting MSPs

Managed service providers (MSPs) have a great deal of access and control over their customers’ networks. By partnering with an MSP, an organization outsources some core business functions to their provider and needs to provide their MSP with the access necessary to do their job.

As a result, MSPs are an ideal target for cybercriminals. A hacker who manages to compromise an MSP also has the potential to use this access as an entry point into the networks of that MSP’s customers. This access can allow the attacker to steal data from the MSP’s customers or install malware on their networks.

One of the most common ways that cybercriminals capitalize on a successful compromise of an MSP is by using it to install ransomware. 80% of MSPs acknowledge that their organization has been targeted by attackers pushing ransomware. Once they have access to the MSP’s network, these attackers leverage tools commonly used by MSPs, like the remote desktop protocol (RDP) and MSP management consoles, to steal privileged credentials for customer networks, which they then use to install ransomware.

What does this mean for businesses who have an MSP?

Unfortunately, having an MSP is not preventing businesses from experiencing ransomware attacks. While the modern ransomware attack is more targeted (to improve probability of success), compromising a single MSP provides the attacker with access to a variety of different targets. While the customers of a certain MSP may not match the normal profile of a modern ransomware target (an organization with a large amount of financial resources and often poor security), the ease of pushing ransomware to an MSP’s customer after exploiting the MSP makes it easy for an attacker to turn a profit.

Attackers targeting MSPs are typically taking advantage of vulnerabilities in the MSP’s network and their level of access on their customers’ networks. Protecting against ransomware attacks that take advantage of the MSP-customer relationship requires minimizing the ability of an attacker to take advantage of these vulnerabilities.

The first step in doing so is to limit the impact of a compromised MSP on the organization’s network. An MSP only needs the access and permissions necessary to perform their job role. However, 72% of organizations give third parties administrator access on their internal networks. Performing an account audit and minimizing permissions to those absolutely necessary decreases an organization’s vulnerability to attack. Enforcing multi-factor authentication.
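
The account audit described above, as an added example (not from the original article): a Python script that reads an exported account inventory and flags third-party accounts that hold administrator group membership, lack multi-factor authentication, or have gone unused. The CSV columns, group names, 90-day threshold and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real data): one row per account on the customer network.
SAMPLE_EXPORT = """account,owner,groups,mfa_enabled,last_logon
svc-msp-rmm,msp,Domain Admins;Remote Desktop Users,false,2024-05-30
msp-helpdesk1,msp,Helpdesk Operators;Remote Desktop Users,true,2024-05-28
msp-oldtech,msp,Backup Operators,true,2023-09-12
jsmith,internal,Domain Admins,true,2024-06-01
msp-patching,msp,Server Patching,true,2024-05-31
"""

# Assumption: group names that confer administrator-level rights in this environment.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_AFTER_DAYS = 90  # assumed threshold for treating an account as unused


def audit_third_party(export_text, today, owner="msp"):
    """Return {account: [findings]} for accounts owned by the third party."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["owner"].strip().lower() != owner:
            continue  # only third-party accounts are in scope
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        issues = []
        admin = sorted(groups & ADMIN_GROUPS)
        if admin:
            issues.append("administrator access via " + ", ".join(admin))
        if row["mfa_enabled"].strip().lower() != "true":
            issues.append("no multi-factor authentication")
        idle = (today - date.fromisoformat(row["last_logon"].strip())).days
        if idle > STALE_AFTER_DAYS:
            issues.append(f"unused for {idle} days")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_third_party(SAMPLE_EXPORT, date(2024, 6, 3)).items():
        print(f"{account}: " + "; ".join(issues))
```

Accounts that come back with no findings are still worth reviewing against what the MSP contract actually requires them to do.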

Why an MSP is not enough

Organizations who use an MSP are potentially vulnerable to ransomware attacks via their MSP. A large part of this vulnerability arises from the details of the relationship that the organization has with their service provider. The job of an MSP is to ensure that an organization’s IT systems are functional, not that they are secure.

The difference between these two jobs is significant. With a managed security services provider (MSSP), the service provider has a clear incentive to secure both their own network and those of their clients against attack.

The lack of focus on security means that an MSP may make choices that prioritize other business needs at the expense of security. In the end, this only hurts the customer, especially if an attacker uses the MSP to spread ransomware.
