Data Resolution, a managed services provider (MSP) in California was hit by a Ryuk ransomware attack—the same malware strain that recently infected printing and delivery operations for multiple major U.S. newspapers—on Christmas Eve. As of August 2018, Ryuk ransomware had netted attackers over $640,000.
While Data Resolution, which has between 11 and 50 employees, assured customers that their managed enterprise resource planning (ERP) databases were safe, it’s unclear how much data was allegedly impacted.
A Growing Attack Trend
According to the Department of Justice, hackers are increasingly targeting MSPs. The list of malware and hacker attacks specifically targeting MSPs and CSPs (cloud services providers) continues to grow. In fact, the U.S. Department of Justice in December 2018 detailed numerous hacker attacks against MSPs.
Why? These IT service providers have access to numerous end-user accounts—a direct line to SMB data.
Continuum Senior Director of Product Management, Security, Brian Downey, weighed in on the value of MSPs and SMB data in this landscape.
“The ransomware attack on Data Resolution should leave other MSPs with no doubt: the channel is now the target for cybercriminals. Gaining access into an MSP’s service network can provide access to the individual customers they serve. Just two weeks ago we saw that law enforcement has identified the threat from organized cyber attackers and we now have the first public reports of an MSP getting hit.
The implications for MSPs are significant. End-clients will be asking their providers if their businesses are safe, if they are at risk, and what steps the MSP is taking to prevent a similar attack. If an MSP cannot confidently answer these questions in detail, they risk losing their clients to a provider who can. The liabilities to the MSP are becoming existential.
Make no mistake: this new attack proves that cybercriminals know the money is in attacking small businesses through their MSPs. Those MSPs need to have the tools and the knowledge to deal with this new threat, not only to their clients but to their own businesses.”
While this news shakes up the managed services space, the results could have been worse. There are typically two scenarios in this case of an MSP experiencing a security incident:
- The MSP is attacked and the attack renders the MSP unable to deliver service to their end customer until the MSP executes a recovery. The MSP loses some face but it is business as usual for the end customer.
- The MSP is silently attacked and the attacker leverages the MSP’s privileged access to the MSP’s end customers to attack the end customer’s data and endpoints. For example: an attacker could break into the MSP and use the MSP’s tools and access to deploy ransomware onto all of the MSP’s end customer’s servers and workstations putting the end customers out of business until a recovery is executed.
The impact on Data Resolution's end clients is unclear, but it appears to be primarily in the category of #1, with some end users who had application hosting by Data Resolution having at least some part of their business impacted. There's a partial tie to category #2 when it comes to hosted applications—but not impacting the end client's endpoints. Being in the business of disaster recovery no doubt led to Data Resolution's rapid recovery; few others might have been so prepared.
Thinking Short- and Long Term for MSPs
MSPs are becoming more aware of their risk. Numerous RMM providers have been reevaluating their software development and code quality processes in an effort to better protect their tech stack from cyber attacks. The value of the end client's data is clear to both hackers and protectors—so as MSPs continuously arm their customers with the tools and knowledge required to combat advanced threats, they must extend that mindset to their own business infrastructure.
We will continue to update this story as it develops.
By Hunter Smith
By Richard Harber
By Gretchen Hoffman