Sometimes it is easy to overlook the obvious when distracted by the meltdown of the moment. Still, MSPs and other security stakeholders need to take a holistic view when something happens. Often, an MSP may be so concerned – understandably – about stemming the damage from a ransomware breach that they forget to check on how the breach occurred to begin with. That can be costly, warns the National Cyber Security Centre in the United Kingdom.

A business in the United Kingdom was attacked by ransomware and paid over $6 million in Bitcoin to the hackers before recovering their data using the supplied decryptor.

“The sense of relief from recovering from such an attack and all the attention focused on decrypting data while keeping systems running and the like, whoever was in charge of their security, whether it was an MSP or in-house, forgot one thing,” says Chance Williams, a cybersecurity consultant in Tampa.

What was that “one thing?”

They neglected to make sure that it couldn’t happen again.

“This reminds me of someone who has a bird fly through an open window into their house. They are so worried about catching the bird and getting it out of their house that they forget to close the window, and soon another flies in.”

The National Cyber Security Centre worded it more technically:

“Without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again.”

Double-attacks aren’t as uncommon as you might think. “You’d be surprised how often this happens,” Williams says.

In fact, according to the FBI, 50 percent of ransomware attacks are “second helpings.” Double-dip ransomware attacks can hit anything from mom-and-pop businesses to sprawling multinational corporations.

A small radio station in Michigan found itself in the crosshairs twice in 2015 when ransomware was ramping up. The attackers demanded $500, which seems quaint in today’s ransomware world, where attacks regularly net hackers millions. On the other end of the size spectrum, shipping giant Pitney Bowes was hit with an attack in October 2019 and then again last year.

“I’m not saying this happened with Pitney Bowes, but some companies and MSPs think that if they have been hit once, it won’t happen again, and that simply isn’t the case,” warns Williams, adding that some enterprises are more vulnerable to second attacks than others.

Educational institutions, which often have thin IT benches, can be especially prone to second hits. A school system in Connecticut found out the hard way about getting hit twice by ransomware in 2019. When it didn’t pay the ransom the first time, hackers struck a second time and held teachers’ lesson plans hostage.

The National Law Review surmised after the Connecticut incident: “Municipalities and school systems are targets because of lack of resources. Only when adequate resources are provided to implement basic cyber hygiene, employees are provided education to combat intrusions, and back up programs are implemented, will the root of the problem start to be addressed.”

Preventing a second ransomware attack

Other than looking for the source of the ransomware attack, steps for preventing a second attack, Williams says, are the same as preventing a first.

“It all comes down to cybersecurity fundamentals. Hackers are constantly probing, and if they find a single weak spot, they’ll get in,” Williams says. Basic steps MSPs should be taking include:

Look for backdoors: Sophisticated hackers can create a backdoor that can go undiscovered without extensive forensic analysis. Such analysis can be costly, but if you can’t isolate the entry point, it’s worth the cost to dig deeper.

You can’t just “fix” things and assume they are fixed. The first step of recovering from a ransomware attack is to figure out where the breach occurred.

Patch, patch, patch: Smarter MSP continually reminds readers about the importance of patching. It’s a reminder that can’t be repeated enough.

“Patches are released because there are known vulnerabilities, and that means the hackers know about them also. Not applying patches in a timely fashion is irresponsible and potentially costly,” notes Williams.

Educate and engage: MSPs and IT personnel need to educate and engage employees about phishing dangers constantly.

“But I think more needs to be done. Simply reminding people not to open suspect links isn’t working,” suggests Williams, adding that the education needs to be paired with engagement.

“Talk to employees and find out what is on their mind. People get distracted and open things they aren’t supposed to. But approaching employees in an engaged and caring manner can make all the difference,” advises Williams. “Make employees true stakeholders.”

MSPs should never assume that a client who has been breached once won’t be breached again; there’s a strong possibility it can happen again.

Photo: cuomoauronap / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
