Cybercriminals recently pulled off yet another multi-million-dollar heist of a large corporation, with the victim this time the operator of the largest petroleum products pipeline in the U.S. The attackers stole over 100GB of data before encrypting it and holding it for ransom. To contain the incident, the Colonial Pipeline Co. took the pipeline offline for five days and paid $4.4 million in ransom to recover its data.
The gas and jet fuel shortages across the East Coast, and resulting panic buying, got most of the media’s attention. However, the more fascinating part of this story is one that didn’t get as much attention — the group behind the attack, the absolutely enormous cybercriminal industry they participate in, and the continually growing threat that MSPs face.
The cybercrime industry
There is an entire industry built on using MSPs as a conduit to robbing their customers blind. In the same way that competing MSPs may try to take your business, there are very talented, smart, and driven hackers coming together to steal it.
DarkSide, the ransomware group the FBI fingered as the perpetrators of the hack, is just one of the many participants in one of the many segments that make up the cybercrime industry. DarkSide develops a SaaS ransomware tool that criminals can use to encrypt data and negotiate ransoms. The group claims to be purely motivated by profit — as many do — and only targets businesses that have enough money to pay ransom. It also said it does not target healthcare organizations, charities, or government entities, and that it vets customers and their targets before licensing its ransomware.
The cybercrime industry is vast, with a diverse marketplace of products and services. Ransomware-as-a-Service platforms like DarkSide’s represent a tiny sliver of what the cybercrime industry has to offer. There are places where you can buy and sell anything from stolen data and credentials to off-the-shelf tools and services that help hackers pull off their heists. You can even rent a botnet to launch a DDoS attack on a foe.
DarkSide and the other players in the cybercriminal industry operate just like any ordinary business would. They have employees, set monthly and quarterly goals, compete with other companies over customers, form strategic partnerships with other organizations, and care about their reputation. They have websites, advertise their products and services, and post job listings for open positions in the organization. They even claim to donate a portion of their proceeds to charitable organizations (although those organizations have reportedly given back the funds). Cybercrime organizations walk and talk just like any ordinary business. In fact, there may not be many differences between a given cybercriminal organization and your company, aside from which side of the law you play on (although I doubt they pay taxes, at least not to the IRS).
A booming business
It’s tough to nail down exactly how much cybercriminals take home each year. Not all attacks are reported (or even discovered), so any study only tells us a portion of the picture. But according to a study conducted by McAfee and the Center for Strategic and International Studies (CSIS), the global cost of cybercrime was more than $1 trillion in 2020, an increase of more than 50% from 2018. McAfee and CSIS attribute a lot of the costs to things like system downtime, damage to the business’s reputation, IP theft, recovery costs, and insurance costs, but don’t put a figure on the value of ransoms collected or data stolen.
COVID-19, the cloud, and ransomware: 2020 was a rough year
The COVID-19 lockdowns are the ultimate digital transformation engine. Unfortunately, they also created the perfect conditions for cybercriminals to thrive. Lockdowns forced businesses — particularly SMBs — to find a new way to work, and in most cases, that meant digitizing and lifting processes to the cloud. But as with anything new, there were some kinks. Unfortunately, not all kinks are created equal, especially when that kink is “my bad configuration enabled someone to steal and ransom all of our data.” According to Sophos, roughly 70% of companies that hosted data or workloads in the public cloud experienced at least one security incident. The study also found that two out of three organizations leave back doors open in the cloud that can be exploited by hackers. Interestingly, only one in four respondents thought that the lack of expertise on staff was a problem (after all, who do you think accidentally left those back doors open or deployed a vulnerable configuration?).
Ransomware attacks are also up during the pandemic, although they were growing in popularity before COVID-19. A study from Emsisoft forecast that the total dollar amount for ransoms demanded in 2020 would be nearly $1.4 billion in the US and $25 billion worldwide. The study also calculated the average ransom in the US to be $84,000, and that one in three victims paid their ransom. Ransomware gangs have gotten smarter over the years, refining their practices to maximize the amount of revenue they can generate. Attacks like the one on Colonial Pipeline are becoming a best practice for most ransomware gangs. Not only do they encrypt your data until you pay for a key, but they also steal their own copy of your data. This enables them to levy two ransoms — one for a decryption tool to unlock your data, and another to ensure the destruction of the stolen data. This is very clever on the hackers’ part, because if their victim is able to restore the encrypted data from a backup, they wouldn’t need to pay for a key. The additional threat of releasing the stolen data to the public or the highest bidder — data that can include sensitive customer information, trade secrets, contracts, unflattering internal emails and memos, and so on — increases the odds of a payout from each victim they can infect.
The double ransom means that simply backing up your data will not make you immune to the impacts of ransomware attacks. Colonial Pipeline Co. paid its ransom even though it was already restoring its systems from backups. That’s not to say that you shouldn’t back up all your data — you should. But ideally, you want to prevent the attack from happening in the first place, which is a lot easier said than done.
MSPs are disproportionately impacted
When you zoom in on ransomware attacks against MSPs, the ransoms increase and the threat actors become much more serious. According to the Perch 2020 MSP Threat Report, the average ransom for an MSP with 3,500 seats was over $750,000. The study also found that nation-state threat actors that once targeted Fortune 500 firms have now switched their focus to MSPs. Financially motivated hackers have also taken a liking to MSPs, partly because smaller MSPs in particular have fewer resources to defend against attackers than a large enterprise does. Additionally, compromising an MSP means an attacker has only to crack one lock to open dozens, if not hundreds, of doors.
But it’s not just ransomware that MSPs need to worry about. Sometimes, MSPs are used as a conduit to facilitate other kinds of attacks on their customers. There is no better example of how valuable a target MSPs can be than the SolarWinds hack in 2020. In this attack, hackers inserted malicious code into the SolarWinds Orion codebase, which was then distributed to customers all over the globe. The hackers were able to access the networks of customers who used the network management tool, including various local, state, and federal government organizations.
Not all MSPs have the resources or personnel to deploy strong security solutions. Fortunately, there is no shortage of security tools and services that can help an MSP keep its name (and its customers’ names) out of the papers. MSPs can partner with security service providers and farm out all kinds of robust security features, including SOC and NOC operations, to security specialists.
All data needs protection
Even if you think your data isn’t valuable to hackers, you are still a target. Your data is valuable to many people, and rest assured, the hackers will figure out how to get it to the people who want it. And even if you let them release your data to the world, the disruption they cause your business could be catastrophic. You might not supply fuel to the East Coast like Colonial Pipeline, but your customers not receiving service for days or even weeks because your systems are crippled is its own calamity.
There is no such thing as 100% secure, but you can build walls as tall as you can: deploy the right tools, partner with the right security providers, train employees to make security-conscious decisions, constantly assess your environment, and hope for the best. You can’t mitigate all your risk, because you don’t know what you don’t know, but what you don’t know is where almost all your risks lie.