What do Colonial Pipeline, JBS, and most recently, Kaseya VSA all have in common? They all fell victim to elaborate ransomware attacks, but attackers do not only go after big fish. While many of the attacks that make the news hit multi-million dollar companies, SMBs are not off the hook.
Ransomware is a type of malware that accesses and encrypts the files on a system. The hackers who plant the ransomware then demand an exorbitant ransom in exchange for the decryption key. Victims of ransomware attacks have limited options for regaining access to encrypted files: they can either pay the ransom to the criminals or restore the files from earlier backups.
Most ransomware infections start when someone within the organization clicks an attachment or downloads a malicious file planted by a ransomware actor. The attachment or file is engineered to look innocent and to avoid being flagged as suspicious. Sometimes merely visiting an infected website can result in the malware being installed on your system without anyone noticing. The malicious software then spreads and encrypts files on the system.
More sophisticated ransomware campaigns gain access to an organization's systems through phishing, exploitation of network vulnerabilities, or cracked passwords. Spam or phishing emails contribute to 67% of ransomware attacks in North America.
After entering the system, the hackers quietly explore the network until they have the control they want, and eventually encrypt everything on the system. Without appropriate security measures in place, ransomware may go unnoticed for days or weeks until the attacker finally decides to lock the system and make a ransom demand. Between the initial infection and the moment the attacker locks the system, the intruders may already have stolen and transferred tens or hundreds of gigabytes (GB) of data to their own systems.
For the most part, ransomware encrypts files and prevents access to all or part of the data stored on the system. Many advanced strains are equipped to work in the background and terminate software that might interrupt the encryption process. A system can become fully infected this way, and once it is, the ransomware can do anything it likes with the large amounts of data it can reach: delete or modify backups, read client information, access passwords, or publish the files. In broad terms, ransomware has the potential to bring your organization to a halt unless backups are readily available to restore from.
The attackers demand a ransom in exchange for a decryption key. However, there is no guarantee that paying will restore your files; there have been several cases where, even after the ransom was paid, the hackers did not restore access to the files. Ransomware can cause a large monetary loss to your organization, whether through the ransom itself or through disruption of business activities. This makes preventing a ransomware attack crucial.
No SMB would ever want this to happen to them. So the question is, how do we prevent and protect ourselves from attacks?
The answer lies in the services that MSPs provide. MSPs provide complete IT solutions to organizations and will look into reinforcing security, performing backups, and conducting training to keep businesses protected.
MSPs (Managed Services Providers) should perform critical network security activities such as installing antivirus programs and firewalls and keeping security software and operating systems updated. Vendors continuously release updates that extend protection against emerging malware. MSPs monitor SMB networks 24×7 and can identify anomalies quickly if they have the proper tools and people in place. When they detect an infection, they can quickly isolate the affected computers, limiting the spread of the damage.
They can also automate patch management, so that software is updated automatically once a vulnerability has been identified and a fix published. This improves the security of critical IT infrastructure and data.
While backing up files will not necessarily prevent attacks, it can minimize the damage that ransomware causes. MSPs perform periodic backups of files, store them in the cloud, and also keep offline copies, thereby maintaining multiple backups. A backup of important files ensures a business can restore them should the organization be hit by ransomware. This reduces downtime and minimizes potential losses.
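The kind of anomaly an MSP's monitoring can pick up is a sudden burst of files that have been rewritten as high-entropy data or renamed with an unfamiliar extension, which is what mass encryption looks like on disk. The following is an added example, not code from the article or from any product it mentions: it scans a directory, applies a Shannon-entropy check together with a short list of suffixes (the suffix list, the 7.5 bits-per-byte threshold and the burst size of three files are assumptions chosen for the example), and builds a small constructed directory of sample files to run against.

```python
"""Added example: flag files that look freshly encrypted and alert on a burst of them."""
import math
import os
import tempfile
from collections import Counter

# Assumed for this example: suffixes treated as suspicious when appended to a file name.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")
# Legitimately compressed formats are high-entropy too, so they are excluded from
# the entropy rule (assumed allow-list for this example).
KNOWN_COMPRESSED = (".jpg", ".png", ".zip", ".gz", ".mp4", ".pdf")
ENTROPY_THRESHOLD = 7.5  # bits per byte; random or encrypted data sits near 8.0
BURST_THRESHOLD = 3      # number of flagged files before an alert is raised


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_encrypted(path: str) -> bool:
    """True if the file carries a suspicious suffix or is high-entropy without being a known compressed format."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SUSPICIOUS_SUFFIXES:
        return True
    if ext in KNOWN_COMPRESSED:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)  # the first 4 KiB is enough to tell text from ciphertext
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_directory(root: str) -> list:
    """Return the sorted relative paths under root that look encrypted."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                flagged.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(flagged)


def alert_needed(flagged: list) -> bool:
    """A single odd file is noise; a burst of them is worth waking someone up for."""
    return len(flagged) >= BURST_THRESHOLD


def build_sample_tree() -> str:
    """Constructed sample data: a few plain files plus files that mimic encrypted output."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    samples = {
        "notes.txt": b"Meeting notes: renew the backup contract and review patch status.\n",
        "readme.md": b"# Quarterly report\nAll figures are in USD.\n",
        "photo.jpg": os.urandom(4096),            # high entropy but a known compressed format
        "report.docx.locked": os.urandom(4096),   # mimics an encrypted document
        "data.csv.encrypted": os.urandom(4096),
        "ledger.xlsx.crypt": os.urandom(4096),
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    hits = scan_directory(sample_root)
    print("flagged:", hits)
    print("alert:", alert_needed(hits))
```

In a real deployment the scan would run over the file-change events a monitoring agent already collects rather than walking the disk, and a hit would trigger isolation of the host, which is the response the paragraph describes.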
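A backup only reduces ransomware damage if the copy you restore from is intact, and the paragraph's point about keeping offline copies is exactly what lets you check that. The following is an added example, not code from the article or from any MSP tooling it mentions: it copies a source tree into a backup location, records a SHA-256 manifest, and later verifies the backup against that manifest so that a copy the malware has reached is detected rather than trusted. The source tree and the simulated tampering are constructed inside the script; the manifest file name and layout are assumptions for the example.

```python
"""Added example: backups with a hash manifest so a restore can be verified first."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_root: str, backup_root: str) -> dict:
    """Copy src_root into backup_root and return {relative path: sha256} for every file."""
    manifest = {}
    for dirpath, _, filenames in os.walk(src_root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            dst = os.path.join(backup_root, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_file(dst)  # hash the copy, not the source
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    """Write the manifest as JSON; in practice this lives with the offline copy."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def verify_backup(backup_root: str, manifest: dict) -> list:
    """Return the sorted relative paths that are missing or whose content no longer matches."""
    bad = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_root, *rel.split("/"))
        if not os.path.isfile(path) or sha256_file(path) != expected:
            bad.append(rel)
    return sorted(bad)


def demo() -> tuple:
    """Constructed scenario: back up a small tree, verify it, then simulate a tampered copy."""
    work = tempfile.mkdtemp(prefix="backup_demo_")
    src = os.path.join(work, "src")
    backup = os.path.join(work, "backup")
    os.makedirs(os.path.join(src, "finance"))
    with open(os.path.join(src, "finance", "invoice.txt"), "wb") as fh:
        fh.write(b"Invoice 1042: 1,250.00 USD, due in 30 days\n")
    with open(os.path.join(src, "notes.txt"), "wb") as fh:
        fh.write(b"Restore test scheduled for Friday\n")

    manifest = create_backup(src, backup)
    manifest_path = os.path.join(work, "manifest.json")  # assumed name; keep it off the backup host
    save_manifest(manifest, manifest_path)

    # A clean backup verifies with no mismatches.
    clean = verify_backup(backup, load_manifest(manifest_path))

    # Simulate ransomware that reached the backup and overwrote one file.
    with open(os.path.join(backup, "finance", "invoice.txt"), "wb") as fh:
        fh.write(os.urandom(64))
    tampered = verify_backup(backup, load_manifest(manifest_path))

    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("mismatches on clean backup:", before)
    print("mismatches after tampering:", after)
```

Because the manifest is just a list of hashes, it is small enough to store with the offline copy and compare against the cloud copy; if the two disagree, you know which files to restore from the copy the attacker could not reach.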
Social-engineering techniques are a common way to cause damage, and most attacks are a consequence of unintentional employee actions. Ransomware actors often send emails promising freebies and rewards, because these are effective ways to motivate readers to take an action.
MSPs can organize security awareness sessions for employees to make them alert to possible phishing emails. This reduces the probability of employees opening an email that lures them with incentives or rewards, and so reduces the chance of ransomware entering the system.
In addition to protecting client systems and data, MSPs also need to secure the very infrastructure they use to serve those clients. The ransomware attack on Kaseya is a sobering example of why this must be a top priority for MSPs. Recently, affiliates of the infamous REvil ransomware group used a vulnerability in Kaseya's Virtual System Administrator (VSA) tool, software that MSPs depend on, and extracted SMB customer data.
The hackers sent emails to Kaseya's MSP customers urging them to install a software patch, claiming it would protect their systems from ransomware. Unfortunately, the email carried ransomware that encrypted the files on their systems. The REvil group has placed a ransom demand of $70 million to give back the customer data.
The Kaseya ransomware attack should spur MSPs to invest in building a resilient security infrastructure. In fact, Kaseya had been warned about the vulnerability back in April. Had a workaround been found, the attack could have been averted. Identifying emerging ransomware and taking proactive measures, such as automatic patch management, strong defenses, web filtering and isolation methods, could have made all the difference. It is crucial for MSPs to protect themselves in order to be able to protect their clients.