
Ransomware Is Now Targeting IT Companies to Hit Hundreds of Businesses at Once


A disturbing trend is emerging in 2019: ransomware attackers are targeting managed service providers (MSPs), the IT companies that manage technology for multiple small businesses. By compromising one MSP, attackers can deploy ransomware to dozens or hundreds of businesses simultaneously.

In August alone, 22 Texas municipalities were hit simultaneously through a shared MSP. Earlier this year, several dental practices in Wisconsin were crippled when their MSP was compromised. The attacks are coordinated, devastating, and growing.

How It Works

  1. Attackers identify an MSP that manages IT for multiple businesses
  2. They compromise the MSP's remote management tools (the same tools used to maintain client systems)
  3. Using those tools, they push ransomware to every client simultaneously
  4. Hundreds of businesses wake up to encrypted systems on the same morning

The remote management tools that make MSPs efficient are the same tools that make them dangerous when compromised. ConnectWise, Kaseya, Datto, and similar platforms provide deep access to client systems. If an attacker gains access to these platforms, they effectively have admin access to every client.

Why This Is Different

Traditional ransomware attacks hit one business at a time. MSP-targeted attacks hit every client of the compromised MSP. The scale is multiplicative. One successful attack can produce hundreds of ransom payments.

It's also particularly cruel for the affected businesses. They chose to outsource IT specifically because they didn't have the expertise to manage it themselves. The entity they trusted to protect them became the vector for the attack.

What to Ask Your IT Provider

If you work with a managed service provider, ask these questions:

  1. How is your remote management platform secured? Is 2FA enabled? Are access logs monitored? Who has admin access?
  2. Do you segment client access? Can a compromise of one client's systems spread to others through your management tools?
  3. What is your incident response plan? If your systems are compromised, how do you protect clients? How quickly can you isolate affected systems?
  4. Do you carry cyber insurance? If a compromise of your systems damages my business, what coverage exists?
  5. How do you vet your own vendors? The tools your MSP uses (remote access, backup, monitoring) are part of your supply chain too.

What You Can Do

  • Maintain independent backups. Don't rely solely on your MSP's backup solution. Have at least one backup that's independent of your MSP's systems and credentials.
  • Limit MSP access. Your MSP needs access to manage your systems, but does every technician need admin access to everything? Work with your MSP to implement least-privilege access.
  • Monitor your own systems. Even with an MSP, pay attention to unusual behavior. If you see something strange, report it.
  • Have a contingency plan. If your MSP is compromised and unavailable, do you have an alternative way to get IT support? Can you operate manually for a few days?

Trusting an MSP with your IT is reasonable. Trusting them without verification is risky. Ask the hard questions. Your business depends on their answers.