Ransomware attacks increased by 37 percent during the third quarter of 2019 compared to Q2, as cyber criminals target both IT vendors and their clients, according to data compiled by insurer Beazley.

One-quarter (24 percent) of all ransomware incidents reported to Beazley Breach Response (BBR) Services – Beazley’s in-house breach response team – during Q3 were caused by an attack on an IT vendor or managed service provider (MSP).

Small businesses, which often depend on MSPs to remotely manage their IT infrastructure, reported 63 percent of all ransomware incidents to BBR Services in the first nine months of 2019, said the report, which is based on data collected by BBR globally.

While their level of reliance on MSPs varies, many small businesses outsource their entire IT operation to the MSP – from building the network to managing applications and servicing any and all IT requests. Beazley noted this can create a dependent and deeply interconnected relationship that hackers can use to their advantage.

“IT vendors that supply small businesses often have clients that are wholly dependent on their expertise and availability to guide them through any IT issue, including a suspected or actual breach,” said Katherine Keefe, global head of BBR Services, in a statement accompanying the report.

“When a vendor itself becomes the target of a ransomware attack, it can not only expose clients to the risk of a breach but can leave them in the dark and without any IT support as the vendor battles with the initial breach and potentially exorbitant ransom demands,” Keefe said.

MSPs make for ripe targets for ransomware attacks, said Joshua Dann, incident response practice lead at Beazley subsidiary Lodestone Security, which was launched to provide cybersecurity consulting services for the small and midsize business market.

“MSPs have to balance a need for speed and convenience when it comes to being able to respond to clients with ensuring the right security controls are in place,” said Dann, who was quoted in the report. “Too often, speed and convenience win out over security controls.”

Beazley cited the example of the MSPs, which reuse credentials across their client base so that MSP employees can service multiple clients more quickly. “In almost all of the MSP ransomware investigations for downstream clients that Lodestone managed in Q3, attackers exploited the remote management application that connects the MSP to the client,” explained the report.

Alternatively, if the MSP had set up individual user accounts for each of its clients, “it is more likely that the exploitation of the single set of credentials would have only enabled unauthorized access to a single client’s environment,” continued the report.

Further, Beazley went on to say, an MSP user account often has to have full administrative access in order to assist with regular IT functions. As a result, when credentials are compromised, “the attackers had full administrative access to clients’ environments.”

When small businesses without a technical background rely entirely on outsourced IT, a massive ransomware attack inevitably leaves many in the dark, said Beazley.

“Small business owners without a technical background struggle to understand and assist external legal and forensics vendors hired to help them respond to the attack,” the report cautioned. “The response is further complicated when the MSP itself is also infected with ransomware.”

When cyber attackers know they have hit an MSP and infected downstream clients, “they may refuse to negotiate with the end clients and instead only respond to the MSP in order to increase their ransom demands.”

As a result, clients may have little or no control over their data software recovery, Beazley warned.

If a business uses an MSP as its IT solution, Lodestone recommended strong controls around the central server that the MSP uses to access a client’s environment. It further recommends asking the following questions when vetting a potential MSP:

  • Is there a security program in place, including periodic risk assessments to identify areas for improvement?
  • Is there ongoing security awareness training across the organization?
  • Is there a SSAE 18 SOC 2 Type II report or a similar type of report available to customers, attesting to security control environment? (Editor’s note: Service Organization Control, or SOC, reports analyze the effectiveness of a service organization’s internal controls).
  • If access to personally identifiable information or protected health information is necessary, how is this protected at the vendor (e.g., encryption, secure remote connections, restricted access, logging and monitoring)?
  • Are security and availability requirements enforced in master service agreement contracts (e.g., sensitive data protection, uptime guarantee/service level agreements, security incident reporting/coordination, regulatory compliance requirements)?

Source: Beazley plc

*This story ran previously in our sister publication Insurance Journal.