Emerging Trend: Managed Service Providers Targeted with Ransomware

An emerging cyber-attack trend is shifting the paradigm for both cyber-preparedness and incident response: ransomware attacks targeting managed service providers (MSPs). This is, in part, because the size of these attacks can be an order of magnitude larger in terms of the number of entities that are simultaneously affected, and because of the corresponding large-scale efforts that must be undertaken to swiftly and effectively remediate these attacks.

Source: Lewis Brisbois | Published on April 9, 2019


Rather than taking a single entity’s systems hostage, cyber-criminals have discovered a means to spread malicious software to hundreds of different entities and thousands of endpoints at once by exploiting vulnerabilities in the software programs utilized by MSPs to perform services for their clients. Avoiding and effectively responding to these attacks both require significant coordination and preparedness on the part of both MSPs and their clients.

The Basics

MSPs provide outsourced IT department services, including network administration, support, backup, and maintenance. In essence, MSPs often function exactly like in-house IT departments but perform their operations remotely. Outsourcing IT often makes fiscal sense for organizations, leading to substantial industry growth of MSPs in recent years. To provide their services, MSPs deploy remote monitoring and management agents onto their clients’ systems so that they can control and manage the network environment remotely. Functionally, these agents are vendor-sanctioned ‘back doors’: persistent, privileged remote access into every client network. Some MSPs have developed their own proprietary remote-management tooling, but many others license already existing software.

The Risk

IT providers, whether in-house or remote, are the network administrators of an entity’s information technology system. To effectively perform their operations, IT providers must have elevated “administrative privileges” within the system, meaning that they are able to utilize functions within the system that regular users cannot. When a malicious actor infiltrates a system, their goal is to gain those privileges so that they can inject malicious code or malware that can permeate the entirety of a network environment.

MSPs are the network administrators for all of their clients’ systems. This means that when a threat actor is able to obtain administrative privileges within the MSP, they become free to install malware on the systems of every client that the MSP supports through the remote-access back door. Specifically, attackers leverage vulnerabilities in the remote-access software programs utilized by MSPs (or the MSP’s own administrative credentials) to reach all clients’ systems simultaneously. Industry commentators call this trend a “nightmare” scenario, both because of the extensive damage these attacks can cause, and because MSPs, as the party entrusted with that privileged access, should be expected to have security practices that protect against exactly these attacks. The fact that attacks against MSPs are on the rise is yet another testament to the ever-increasing sophistication of cyber criminals and their organizations.

The Department of Justice highlighted the rise of MSP-targeted cyber-attacks back in December 2018, when it unsealed indictments of the Chinese hacking group APT10. The DOJ noted that “the APT10 Group targeted MSPs in order to leverage the MSPs’ networks to gain unauthorized access to the computers and computer networks of the MSPs’ clients and to steal, among other data, intellectual property and confidential business data on a global scale.”

In addition to the data-theft attacks contemplated by the DOJ press release, we have noticed a rising trend in ransomware attacks against MSPs. Ransomware moves through and encrypts entire systems, holding organizations’ data hostage for a payment typically demanded in Bitcoin. Attackers leave a “ransom note” in the form of a text file on the encrypted systems with contact information for facilitating payment of the ransom in exchange for decryption keys. When multiple servers and endpoints are encrypted, each individual system may require a different decryption key. In the MSP context, often involving thousands of endpoints, incident response, decryption and restoration efforts become an extremely complex and time-intensive undertaking.

The Ryuk and GandCrab 5.2 ransomware variants are two recent examples of payloads used in MSP attacks. Both were designed to move quickly through and encrypt systems in an automated fashion once they are delivered. Neither variant has publicly available decryption keys (decryption keys for GandCrab versions 1 through 5.05 were released by Bitdefender in October 2018), meaning that unless organizations have viable backup solutions to restore encrypted data, they are forced to pay the ransom or lose their data. Any organization that utilizes an MSP for IT services is a potential target.

Increasing Resiliency: Concrete Steps

For organizations that outsource their IT to MSPs, the reality is that in a mass-ransomware scenario, the MSP is unlikely to be fully available to support the individual incident response needs of the organization, because the MSP must respond to the needs of all its clients simultaneously. There are a number of steps organizations can take to increase their ability to effectively respond in this situation. As an added benefit, taking these steps may also enable the organization to augment the MSP’s response, which can generally lead to a faster remediation of the attack.

Organizations that utilize MSPs for their IT needs should consider taking these steps:

  • Backup your data separately from your network and IT. Ideally, organizations should have daily backups to an “air-gapped” (offline or otherwise write-protected) backup store that cannot be reached with the same credentials and remote-access tooling the MSP uses, so that a ransomware attack cannot encrypt or delete it. Periodically test restoring from that copy; a backup that has never been restored is an assumption, not a safeguard. If your only backups reside with your MSP or are reachable from its tooling, they are far more likely to be compromised if the MSP is targeted.
  • Map your network(s) and data, including backups. In an incident response scenario, it is important to know how your network is set up and where your data resides. Having this institutional knowledge at the ready will make it easier to organize remediation efforts.
  • Know your business/operations critical systems. Swift system restoration is of the utmost importance. Once the network is mapped, identify the systems that are critical to continuing operations so that, in the event restoration from backup is not feasible, those systems can be prioritized for the purposes of negotiating for decryption keys.
  • Communicate with your MSP. Open the lines of communication with your MSP about the aforementioned risks. Is their software (and yours) updated with the most recent security patches? Are they aware of any known vulnerabilities? Is access to their remote-management tooling protected with multi-factor authentication? Consider formulating an incident response plan involving the MSP, and ensure that you have contractual provisions in place that require the MSP’s cooperation in the event of an incident.
  • Boots on the ground. Where an attack has successfully encrypted the data of multiple clients, MSPs will inevitably be spread too thin to respond to each and every request for information necessary to facilitate each client’s remediation efforts. Consider having a backup IT professional or company on call that can be “on the ground” to provide additional support. It is also beneficial to have an independent forensics company working specifically with your organization to negotiate with the attackers on your behalf, assist with decryption efforts, and investigate the incident’s source.
  • Cyber Insurance. Having an insurance policy in place that will respond to the costs of remediating a data security incident is crucial. Before an incident arises, be certain that your organization has the appropriate coverages in place, understand the coverages you have, and know the resources that your carrier can make available to you.
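The first step above, an offline backup that ransomware cannot reach, is only useful if the copy is actually intact and current when you need it. The following script is an added example, not code from the article or from any MSP product, showing a minimal check that an offline backup set still matches the hash manifest recorded when it was written and that the manifest is no older than the daily backup window. The directory layout (a `data/` folder plus a `MANIFEST.sha256` file), the 24-hour freshness limit, and the sample files are all assumptions constructed for the example; `sha256sum` (or `shasum` as a fallback), `find -mmin` and `mktemp` are standard on Linux and macOS.

```shell
#!/bin/sh
# Added example: verify an offline backup copy is untampered and fresh.
# Assumed layout (not from the article): <backup>/data/* plus
# <backup>/MANIFEST.sha256 written at backup time and kept offline.

# Portable SHA-256 wrapper: GNU coreutils sha256sum, else Perl shasum.
sum256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# Build a constructed sample backup set in a temp dir and record its manifest.
make_sample_backup() {
    bdir=$(mktemp -d)
    mkdir -p "$bdir/data"
    printf 'invoice 2019-04-01,1200.00\n' > "$bdir/data/invoices.csv"
    printf 'customer list\n'             > "$bdir/data/customers.csv"
    ( cd "$bdir/data" && sum256 invoices.csv customers.csv > ../MANIFEST.sha256 )
    echo "$bdir"
}

# Recompute every hash listed in the manifest. A file rewritten by an
# encryptor, or a missing file, makes the check fail (non-zero status).
check_integrity() {
    ( cd "$1/data" && sum256 -c ../MANIFEST.sha256 >/dev/null 2>&1 )
}

# A manifest older than max_hours means the daily backup job did not run.
check_freshness() {
    fdir=$1; max_hours=$2
    [ -f "$fdir/MANIFEST.sha256" ] || return 1
    stale=$(find "$fdir/MANIFEST.sha256" -mmin +"$((max_hours * 60))")
    [ -z "$stale" ]
}

# Combined check: 0 = usable backup, 1 = contents tampered, 2 = too old.
verify_backup() {
    vdir=$1; hours=${2:-24}
    check_integrity "$vdir" || { echo "FAIL: $vdir differs from manifest" >&2; return 1; }
    check_freshness "$vdir" "$hours" || { echo "FAIL: $vdir manifest older than ${hours}h" >&2; return 2; }
    echo "OK: $vdir verified"
}

# Constructed stand-in for ransomware: overwrite a file with random bytes
# and drop a ransom note, as the article describes.
simulate_ransomware() {
    head -c 64 /dev/urandom > "$1/data/invoices.csv"
    printf 'Your files are encrypted.\n' > "$1/data/RANSOM_NOTE.txt"
}

demo() {
    d=$(make_sample_backup)
    verify_backup "$d" 24 || true        # fresh, intact copy: OK
    simulate_ransomware "$d"
    verify_backup "$d" 24 || true        # encrypted file: integrity FAIL
    rm -rf "$d"
}
demo
```

In practice the manifest must live with the offline copy (or on a separate, read-only medium), not on the network that the MSP agent can reach; otherwise an attacker with the MSP’s privileges can rewrite both the data and the hashes. Run the check from the isolated side on a schedule and alert on any non-zero exit.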