Beazley breach insights - Ransomware incidents jump in Q3 MSPs and their small business clients are targeted
Targeting of IT vendors by cybercriminals contributed to a 37% increase in reported ransomware incidents in the third quarter of 2019 compared to the previous three months.
In fact, of the ransomware incidents reported in Q3 to Beazley’s in-house breach response team, Beazley Breach Response (BBR) Services, 24% were confirmed to be caused by a vendor or managed service provider (MSP). Small businesses, which often rely on MSPs to remotely manage their IT infrastructure, reported 63% of all ransomware incidents to BBR Services in 2019. And though a business’ level of reliance on its MSPs can vary, with some using an MSP to support their own internal IT resources, many small businesses outsource their entire IT operation to the MSP, from building the network and managing applications to servicing any and all IT requests. This creates a dependent and deeply interconnected relationship that hackers sought to capitalize on in Q3.
MSPs make for ripe targets for ransomware attacks. Joshua Dann, incident response practice lead at Lodestone Security, a wholly-owned subsidiary of Beazley plc that was created to provide cybersecurity consulting services tailored to the small and mid-sized business market, observes “MSPs have to balance a need for speed and convenience when it comes to being able to respond to clients, with ensuring the right security controls are in place. Too often, speed and convenience win out over security controls.” For example, in many cases, MSPs have reused credentials across clients so that MSP employees can service multiple clients more quickly. Similarly, MSPs might not enable multi-factor authentication (MFA) on the remote access point they use to pivot to client environments.
In almost all of the MSP ransomware investigations for downstream clients that Lodestone managed in Q3, attackers exploited the remote management application that connects the MSP to the client. The same MSP user account would log into multiple client environments and install ransomware. If the MSP had set up individual user accounts for each of its clients, compromise of a single set of credentials would more likely have given unauthorized access to only one client’s environment. Further, an MSP user account often has to have full administrative access in order to assist with regular IT functions, so when credentials were compromised, the attackers had full administrative access to clients’ environments.
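The per-client-account practice described above also gives an MSP a cheap detection signal: once each client environment has its own account, one account authenticating into several client environments in a short window is anomalous. The following is an added example (not Beazley’s or Lodestone’s code) that scans constructed remote-management login records in a hypothetical `timestamp account client_env result` format and flags accounts that span more than one client environment within a sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format and names, not real data):
# one shared service account touches four client environments in minutes,
# while the per-client technician accounts each stay inside their own client.
RMM_LOG = """\
2019-08-14T02:11:05Z svc-rmm-admin clientA success
2019-08-14T02:13:40Z svc-rmm-admin clientB success
2019-08-14T02:15:22Z svc-rmm-admin clientC success
2019-08-14T02:18:09Z svc-rmm-admin clientD success
2019-08-14T02:19:30Z svc-rmm-admin clientE failure
2019-08-14T09:30:00Z tech-clientA clientA success
2019-08-14T10:05:00Z tech-clientB clientB success
"""


def parse(log_text):
    """Parse 'timestamp account client_env result' lines into tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, env, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, env, result))
    return events


def accounts_spanning_clients(events, window=timedelta(minutes=30), max_envs=1):
    """Return {account: sorted client envs} for every account whose successful
    logins reach more than max_envs distinct client environments within any
    window-length span. Failed logins are ignored here; they are a separate signal."""
    by_account = defaultdict(list)
    for ts, account, env, result in events:
        if result == "success":
            by_account[account].append((ts, env))
    flagged = {}
    for account, hits in by_account.items():
        hits.sort()  # chronological order so the sliding window is well defined
        for i, (start, _) in enumerate(hits):
            envs = {env for ts, env in hits[i:] if ts - start <= window}
            if len(envs) > max_envs:
                flagged[account] = sorted(envs)
                break
    return flagged


if __name__ == "__main__":
    for account, envs in accounts_spanning_clients(parse(RMM_LOG)).items():
        print(f"{account} reached {len(envs)} client environments: {', '.join(envs)}")
```

With real RMM or VPN logs the same rule lists which client environments a compromised credential could have reached, which is the scoping question an incident responder asks first.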