Recent shifts in the tactics used by ransomware gangs are poised to make MSPs or managed security service providers (MSSPs) a must-have for small and midsized businesses (SMBs).
New research shows that ransomware attacks are getting quicker and stealthier, and that bad actors prefer to attack organizations at night — when they are least well staffed.
These changes in the threat landscape offer a significant opportunity for MSPs and MSSPs to step in as trusted security partners. Service providers can deliver the 24/7 monitoring and rapid response that SMBs now desperately need but struggle to maintain in-house.
New Ransomware Tactics
For several years, the most significant cyber threat was “big game” ransomware attacks. These are cyberattacks carried out by teams of criminal hackers who break into organizations’ computer networks, steal their data, and encrypt their desktops, laptops, and servers.
By compromising entire organizations rather than individual computers, ransomware gangs have discovered they can demand enormous ransoms.
In the last year, the U.S. has seen a 63% surge in big game attacks while the average ransom payment climbed to over $600,000, and the average cost of recovering from a ransomware attack surpassed $4.5 million.
The threat of breaches by big game ransomware groups has driven the widespread adoption of endpoint detection and response (EDR). This security technology gives skilled security staff the power to spot the suspicious activity of criminal hackers who are preparing a ransomware attack within an organization’s networks.
Evolved Ransomware Attacks
The adoption of EDR appears to have pushed ransomware gangs to evolve their tactics in three ways over the last year:
No. 1 Living off the Land (LotL)
Ransomware gangs use legitimate computer administration software already within a victim’s environment to do their dirty work. This is an attempt to disguise their presence and minimize the number of suspicious EDR alerts they generate.
No. 2 Nighttime Attacks
Ransomware gangs often launch attacks in the early morning hours — typically, between 1 a.m. and 5 a.m. — when IT staff are likely off duty. This reduces the chances that suspicious EDR alerts generated by attackers will be seen before an attack is concluded.
No. 3 Faster Attacks
The speed of ransomware attacks has increased significantly. Activities that once took weeks to unfold can now be over within a few hours. This minimizes the time security staff have to identify and respond to suspicious EDR alerts.
MSPs/MSSPs are Essential Security Partners
Combatting these new tactics presents a daunting set of challenges to companies without a security operations center (SOC). Realistically, businesses can only meet these challenges by engaging third-party service providers.
For MSPs and MSSPs, this is an opportunity to expand service offerings and deepen client relationships. They can provide three vital services that SMBs struggle to deliver in-house:
- 24/7 Coverage: Round-the-clock monitoring is vital to combat ransomware gangs that attack at night or at weekends.
- Skilled EDR Operation: Though organizations have deployed EDR, many lack the security experience and skills to identify the signs of stealthy attackers using LotL.
- Rapid Response: Ransomware gangs can enter, explore, and encrypt a business network in a matter of hours. So, once they detect suspicious activity, security staff for SMBs must respond immediately.
Positioned for Growth
By addressing these emerging ransomware tactics and providing the services that organizations need to combat them, service providers can protect their clients. This is a great way for MSPs and MSSPs to position themselves as indispensable partners in the fight against cyberthreats.
Mark Stockley is cybersecurity evangelist for global cybersecurity company Malwarebytes, supporting its corporate product line, ThreatDown. He’s a renowned cybersecurity researcher, writer, presenter, and an industry expert.