I’ve been reading the 2021 MSP Threat Report from Perch (a ConnectWise company). It has a great review of the evolving threats to MSPs and their customers from ransomware attackers this last year. What I like about this report that it puts a number of relevant factors into perspective. Why are MSPs a target? What do the attacks look like? Who are some of the groups that are behind these attacks? What do they want (doh)? How are MSPs responding, and how effective are these responses? And, of course, what should MSPs be doing to counter the ransomware threats.
You can find the report here:
Here are a few of the take-aways that I found interesting:
MSPs represent a valuable target. Why is that? Well, it turns out that MSPs are the gateway to a lot of end customers. They call this the “Buffalo Jump”. If an attacker can compromise an MSP they can get downstream access to all of the MSP’s customers. Based on some industry averages Perch estimates that an MSP an its customers represent a $2 BILLION opportunity. Yeah, that’s Billion with a “B”. The attacker expects to collect a ransom payment from the MSP and from each of the MSP’s end customers. The financial incentives to attack and MSP are huge.
As we know from recent experience the MSPs who have been attacked were surprised by the event. In many cases the MSP systems were not compromised, but the software they used to manage their business became the path to the compromise. A so-called “supply chain” attack. However, the supply chain attack does not cover all of the MSPs who encountered problems – many experienced routine phishing attacks and credential compromises. But the multiplier effects of the supply chain attacks stretched the resources of many MSPs.
The characteristics of a ransomware attack are pretty well known now. The common sequence of events of a ransomware attack are:
- Infiltration – access to the MSP and their end customer.
- Planting malware on breached systems.
- Exfiltration – steal copies of the data to the attacker’s server
- Poisonous Encryption – deny you access to your data and systems using a secret key.
- Extort the ransom – usually through cryptocurrency payments.
- Release of the hostage – decryption of your hostage data (if you are lucky).
While theft of data is common in traditional data breaches, the Exfiltration step is relatively new in ransomware attacks, and this is where many ransomware defenses fail. The MSP and the end customer may be able to restore systems from backups, but that won’t stop the extortion attempt. The ransomware attacker now has your sensitive data and threatens to release publicly it if the ransom payment is not made. The release of sensitive information can be devastating to MSPs and to their end customers. The threat is real and substantial. You need a backup and restore strategy, but it won’t protect you from the threat of the release of sensitive data.
What can you do?
The Perch Threat Report does not discuss this, but you do have tools to protect against Exfiltration. You have the ability to encrypt your data before the attacker with your own secret key. And that is what I call “Defensive Encryption”. You must encrypt your sensitive data first. The attacker can’t use the Exfiltrated data against you if they can’t read it. This is where encryption becomes you friend. Defensive Encryption renders Exfiltration useless by denying the attacker the ability to extort the MSP and the end customer. You still have to restore from backup, but you are in a much stronger position to defeat the extortion attempt.
There is a lot to like about the 2021 Perch Threat Report. It is concise but at the same time covers a lot of ground. I think this is an excellent report to share with upper management in your company. If you are an MSP you can share this with your end customers to help get them motivated.
If you want to move forward with Defensive Encryption we have a solution you are going to love. Proper encryption key management is crucial to an encryption defense, but MSPs can be put off by the cost of key management systems. We’ve solved that problem. More here: