Channel Futures: Ransomware is making big, mainstream headlines now. But are there things that MSPs might not be aware of in terms of how ransomware could affect them? If so, can you give some examples?
Kevin McDonald: Ransomware attacks are just hours, not days, from privileged access to encryption. You don’t have long to respond. Offline backup does not protect you from a ransomware attack if those same domain admins who manage a network also manage the backup or have access to admin AD and other rights management tools. The vast majority of attacks result in unfettered access to all aspects of the network, including documentation, credential managers and any system the admin can control. This is true from SMBs to the largest enterprises. Absolute separation of duties and external insider protections are required to keep threat actors and rogue insiders from doing damage.
CF: What aren’t MSPs doing that they should be doing to protect themselves against ransomware attacks?
KM: From my conversations with many:
- Basic cyber hygiene.
- Patching all apps including OS and third party.
- Multifactor authentication (MFA) at all levels of access from network to application admin and backup.
- VPN with MFA from the outside in.
- Not exposing remote desktop protocol (RDP) to the internet, and using MFA.
- Network segmentation.
- Endpoint detection and response (EDR)/managed detection and response (MDR).
- Disaster recovery (DR) with insider protections.
- Updated firmware on firewalls and wireless access points (WAPs).
- Not using admin credentials for non-admin functions.
- Using deprecated systems.
- Allowing corporate access to unsecured wireless.
- Not using MFA on remote access tools.
- Not using geofencing.
- Not using approved only devices for critical access.
CF: Some experts are saying you should never pay a ransom. But is that realistic? Are there pros and cons, and other considerations?
KM: Not sure who those experts are, but they clearly are not experts in ransomware or are narcissistic and lack human compassion. Many organizations who spent a fortune on failed solutions are left with no options and even the FBI said making it illegal, for example, would be a mistake. I wrote this article on the whole subject. I will debate anyone in public on TV, wherever, who takes the absurd stand that we should never pay.
CF: Are there things you should and shouldn’t do if you’re hit by ransomware?
KM: This is a really long list, but here are the basics. If you think you may have ransomware or even the known precursors, do not panic, because that often causes mistakes. If you make the wrong move early in the process, you can destroy any chance of full recovery. Please take it very seriously and act quickly. Disconnect all devices from the internet, and all wireless, [then call someone for help with response]. Hesitation can be a huge mistake. Waiting a few hours or until the next morning has resulted in infections that could have been stopped.
We have seen cases where swift action on first awareness would have saved hundreds of thousands to millions of dollars in costs, months of negative impacts, and even jobs. If you make the wrong move, threat actors will often know you have discovered them and pull the trigger on their plans early. You have potentially minutes to take action to stop them from executing.
- Do not search for help, information on ransomware or any other thing that may tip off the attackers. They are very often watching what is happening on your actual computer and the network, and will trigger their encryption earlier than planned.
- Do not shut down a device that is known to be in the process of encryption. You may corrupt the OS or other applications and make recovery using the keys impossible.
- Do not communicate on the network, company-related email, IP phones, Teams, Slack, etc., as they are very often listening to and reading your communications.
- Do not communicate with the threat actor until you have the support you need. This often starts a timer, and having the right negotiator can have a massive impact on the results.
CF: What sorts of long-term effects can result from a ransomware attack?
KM: As a network security provider with years of in-the-trenches ransomware defense and enterprise-level recovery experience, we understand the real threat, and what the long and painful road to recovery can involve. We have seen firsthand companies that were successful for hundreds of years put out of business due to a ransomware event. Companies from a single lawyer to hundreds of employees have ceased operations. Owners have liquidated 401(k)s and their life savings just to keep the company going after an event. Even where insurance is involved, the process takes days to months and always has costs above and beyond coverages.
The average ransom amount for just one of the hundreds of ransomware variants has risen to $939,063 per victim. We are here to tell you that this is also just the beginning of the costs of becoming a victim. Lawyers, incident response including forensics and remediations, reputational damage, new computing devices, potential breach notification, lawsuits, fines and more are all normal recovery expenses. Many lose employees and clients because of these attacks. These expenses are often multiples of the ransom paid. And you must pay them, even when you choose not to pay the threat actor’s ransom demand or you have a fully viable backup.
CF: What do you hope attendees learn and can make use of from your session?
KM: That no one is an expert in this stuff; the game is changing every minute. It takes teams of great minds to defend and recover from it, and you cannot pretend to do security.