Understanding what happens after ransomware helps MSPs protect against it
MSPs have an important role to play to help protect against ransomware. By better understanding what happens after ransomware attacks, MSPs can help clients guard against them.
Updated February 22, 2024

We all know — more or less — how to detect a ransomware attack, and what happens during one, but we have much less visibility on what happens after.
Why should we care? It's only when we understand the "after" that we realize the full extent of the danger. It shows us why we need to check, control, and analyze any and all access to machines, servers, and the network.
The first thing to know is that, while the attackers are encrypting your clients' files and attacking their machines, your clients' work carries on as normal. The attackers' main business happens after the attack.
Today the attackers don’t just infiltrate machines. They analyze all the documents they copied — stolen documents.
Ransomware is not only the encryption of information; it is the access that then allows everything else.
A successful ransomware attack makes the bad actors the masters of your clients' machines. And they are going to blackmail them.
There's a clear marketing mindset to the malevolence that they have set up:
The first attack is the hostage-taking of machines and files by encryption. They ask for payment in return for the decryption of the documents they've taken hostage.
The second attack is the threat from the hackers to disclose information and to alert the authorities. Since regulations such as GDPR levy hefty fines for the non-disclosure of attacks, this second attack has proved to be more and more common.
The third attack is the auctioning of the data stolen from the companies that have not paid following the first two blackmail attempts.
Remember, everything is for sale. Login and passwords, identifiers, and all the data they can collect. Attackers put together samples of the data available and contact all potentially interested parties.
A deposit gets you a seat at the table to participate in this eBay-style online auction.
There are now partnerships between ransomware operators to take advantage of this stolen data when victims don't pay the ransom.
Operators can now download and leverage this wider pool of data to help improve their own operations.
But some distributed files get "trapped." Cybersecurity companies, who think they're doing cyber intelligence, download the files. And the company they're trying to help gets scammed once again.
The operators of the ransomware themselves are not the only ones who can launch an attack. A few months into the ransomware’s life, the business model may now switch to Ransomware-as-a-Service (RaaS).
Recruitment is simple. A bad actor can pay a rate ranging from 10 dollars to several hundred or thousands of dollars. Anyone who knows absolutely nothing about ransomware, but has a couple of tools, can leverage the ransomware to release more mayhem. These new operators can also now infiltrate, copy, encrypt, send messages and negotiate.
And the attackers who launched the ransomware to begin with? They can collect royalties. The share from any successful attack ranges from 70% to as low as 30%. This means that the initial attacker who infiltrates your clients' computer or server could receive 70% of the amount that could be raised.
And the amounts demanded as ransom are not pocket change. Some go so far as asking for $40 million — which is the case of a large New York law firm. Understandably, 30% of $40 million is tantalizing for the original operator, and a real motivation to share their tools!
Attackers even create promotional videos to sell their little "toys" on the dark digital RaaS marketplace. This and the many add-on options available for rent give a clear window into just how savvy these operators are.
Defenders are facing increasingly organized networks. And with the technology becoming even more accessible to everyone with AI, ransomware is no longer a playground reserved for actual hackers. Anyone, even employees who might want to take revenge, can attack your organization.
All of this effectively makes small and medium-sized businesses (SMBs) extremely easy targets. They're just not prepared.
Managed Service Providers (MSPs) have an important role to play in protecting their SMB clients. They have a heavy responsibility because they hold the keys to their customers’ information systems.
No one today can honestly guarantee 100% security. You have to be organized beforehand and ready for the day that this kind of disaster happens. What do we have to do? What should we especially not do? Comprehensive disaster recovery and business continuity solutions help.
Key preventative and proactive measures are also needed to provide additional layers of defense against ransomware.
Vulnerability protection: Known vulnerabilities are a prime target. Ensuring operating systems and applications are patched is critical. Sure, this may seem basic. But the reality is, even in environments where you think everything is completely patched, vulnerabilities still exist. And they give attackers a door into your network.
Threat protection: If an attacker does get in, you need to have a way to stop them before they can do anything truly malicious. AV, endpoint protection, and application whitelisting are just a few types of security solutions that can neutralize a threat the moment it rears its ugly head.
Environment protection: Attacks can’t succeed without first logging onto the system containing the data of value. Having some kind of two-factor authentication coupled with contextual access controls and logon monitoring will help stop the misuse of credentials, well before an actual breach occurs.
Data protection: You need to assume the bad guys can get past the first three layers. If they do, you need a way to keep tabs on the data you deem worthy of stealing. This means using file-level or application-based file access auditing to identify and notify your client of improper access the moment it starts.
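The logon monitoring of the "environment protection" layer and the file access auditing of the "data protection" layer both come down to watching an event stream and alerting on the first sign of misuse. The script below is an added example written for this article, not code from the article's author or any MSP product; it runs over constructed sample events (the hostnames, account names, paths and thresholds are all invented for illustration) and shows the two checks side by side: a logon from a host the account has never used, or outside business hours, and a single account touching an unusual number of distinct files inside a short window, which is what both bulk copying and encryption look like in a file audit log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed sample data (illustrative only, not real audit logs) -------
# Baseline of hosts each account normally logs on from, as an MSP would build
# it from a few weeks of logon history. Names are invented.
KNOWN_HOSTS = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}}

LOGON_EVENTS = [
    {"ts": "2024-02-20T09:02:11", "user": "alice", "host": "WS-ALICE"},
    {"ts": "2024-02-20T09:05:40", "user": "bob", "host": "WS-BOB"},
    # Late-night logon to a file server alice has never used before.
    {"ts": "2024-02-20T23:47:03", "user": "alice", "host": "SRV-FILES01"},
]


def _build_file_events():
    """Constructed file-access audit events: bob's normal day, then a burst
    in alice's late session where 60 distinct files are rewritten in 30 s."""
    events = []
    base = datetime(2024, 2, 20, 10, 0, 0)
    for i in range(5):
        events.append({"ts": (base + timedelta(hours=i)).isoformat(), "user": "bob",
                       "path": f"\\\\SRV-FILES01\\finance\\q{i}.xlsx", "op": "read"})
    burst = datetime(2024, 2, 20, 23, 48, 0)
    for i in range(60):
        events.append({"ts": (burst + timedelta(milliseconds=500 * i)).isoformat(),
                       "user": "alice",
                       "path": f"\\\\SRV-FILES01\\hr\\contract_{i:03d}.docx", "op": "write"})
    return sorted(events, key=lambda e: e["ts"])


FILE_EVENTS = _build_file_events()


def flag_logons(events, known_hosts, business_hours=(7, 19)):
    """Return (user, reason) pairs for logons from an unfamiliar host or
    outside business hours. Hours are a hypothetical 07:00-19:00 window."""
    alerts = []
    start, end = business_hours
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["host"] not in known_hosts.get(e["user"], set()):
            alerts.append((e["user"], f"logon from unfamiliar host {e['host']}"))
        if not (start <= ts.hour < end):
            alerts.append((e["user"], f"logon at {ts:%H:%M} outside business hours"))
    return alerts


def flag_file_bursts(events, threshold=50, window=timedelta(seconds=60)):
    """Sliding window per account: raise one alert the first time an account
    has touched at least `threshold` distinct files within `window`.
    Returns {user: alert_details}; accounts under the threshold are absent."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, path), oldest first
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["user"]]
        q.append((ts, e["path"]))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and e["user"] not in alerts:
            alerts[e["user"]] = {"first_seen": ts.isoformat(),
                                 "distinct_files": len(distinct),
                                 "sample_path": e["path"]}
    return alerts


if __name__ == "__main__":
    for user, reason in flag_logons(LOGON_EVENTS, KNOWN_HOSTS):
        print(f"LOGON ALERT  {user}: {reason}")
    for user, details in flag_file_bursts(FILE_EVENTS).items():
        print(f"FILE ALERT   {user}: {details['distinct_files']} distinct files "
              f"within 60 s, first at {details['first_seen']} ({details['sample_path']})")
```

On the sample data the logon check fires twice for alice (unfamiliar host and off-hours), and the burst check fires for alice alone once her fiftieth distinct file is written, about 25 seconds into the burst; bob's five reads spread over a day never come close. The threshold and window are the knobs to tune per client: the point is that the alert is generated at the moment the pattern starts, not after the encryption note appears.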