Arpad Nagy-Bagoly - stock.adobe.

Ransomware and the danger of MSP lock-out

Recent attacks on managed service providers have highlighted remote monitoring and management vulnerabilities, reinforcing the need for a security-centric approach in MSPs’ foundational practices

As a managed services provider (MSP), you want to ensure that your clients’ networks, servers, data and applications remain secure. You don’t want to overlook any gaps in their cyber security defences that could leave them vulnerable to a data breach or other type of attack.

To that end, MSPs need to ensure that their own systems and applications aren’t creating vulnerabilities. We know that groups of cyber criminals are now specifically targeting MSPs. The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings to MSPs about these attacks, and conducted additional briefings in February about malicious activity in China that targeted MSPs. 

In 2018, an MSP in California was locked out of its systems by a ransomware attack and was forced to shut down its network. In turn, the company’s clients lost access to their email and databases. What could be worse?

Well, an MSP could fail to patch a remote monitoring and management (RMM) system, enabling a ransomware attack that encrypts all of its customers’ endpoint systems. According to several reports, that’s what happened to a US-based MSP in February. An RMM vulnerability resulted in approximately 2,000 client systems being crypto-locked, and the attacker made a $2.6m ransom demand to the MSP.

This is the type of attack that should make any MSP’s blood run cold – it’s what has been described online as an “extinction-level event” for a service provider. Even if the MSP successfully restores all of those client systems, how could those relationships or that business ever really recover?

And the worst part is, this could have been prevented. In the case of the California incident, the underlying issue was a known vulnerability in a ConnectWise plugin used in the Kaseya VSA RMM tool. It’s a problem that was identified several years ago, and a patch was available. It just wasn’t implemented or was improperly installed. The attacker was able to access the RMM database as if he or she were an MSP administrator.

The problem was not isolated, either. Kaseya announced in February that it had identified 126 customers that were potentially at risk because of the same issue. At least four MSPs reportedly had all of their client endpoints encrypted with the GandCrab ransomware as a result.

“Avoiding ransomware attacks requires more than just a better RMM tool. MSPs have to ensure they are using multifactor authentication, restricting administrative privileges, backing up data daily and keeping operating system and application patches up to date”
Jason Howells, Barracuda MSP

The costs will be high, both in terms of ransom payments and in clean-up (which can be as much as 10 times more expensive than the ransom). Then there’s the cost to the client in lost business and the damage to the reputation of the MSP.

Why a security-centric approach to RMM is vital

A more security-centric approach to remote monitoring and management can help MSPs prevent these kinds of disasters and keep their internal systems and their customers’ data access secure.

Barracuda recently acquired Managed Workplace, an RMM tool that provides features such as built-in site security assessments that allow MSPs to rapidly assess customers’ antivirus, patch, passwords, user configurations and network security levels. With this tool, MSPs can monitor devices, websites, applications and security settings, and receive alerts when immediate corrective actions are required.

Avoiding the types of ransomware attacks described above requires more than just a better RMM tool. MSPs have to ensure they are using multifactor authentication, restricting administrative privileges, backing up data daily and keeping operating system and application patches up to date.

Just as important, they need to have a frank discussion with their RMM and other application providers about their password, authentication and administrative privilege practices – and perform due diligence when it comes to known or emerging vulnerabilities.

While no cyber security defences can guarantee 100% protection, leveraging a security-centric RMM and instituting strong internal security practices can give MSPs much better odds of avoiding unnecessary catastrophe.

Next Steps

MSP software vendors respond to growing threats

Read more on Managed IT Services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.