The major ransomware attack against Kaseya VSA this summer hit managed service providers hard. When the software vendor experienced one of the largest attacks to date, it impacted dozens of MSPs and their clients—an estimated 1,500 companies.
MSPs have gained traction, especially in the past year, with more and more IT departments turning to them for a number of reasons—including the desire to improve security and reduce costs. For the MSPs impacted by the Kaseya attack, that meant their customers were affected as well. This is a renewed warning for channel partners about what they need to watch out for when it comes to ransomware and supply chain attacks.
The attack on Kaseya was, unfortunately, yet another in a string of high-profile ransomware incidents. Ransomware attacks have increased in volume, morphing and evolving through the years into the debilitating attacks we see today. According to a recent Global Threat Landscape Report from FortiGuard Labs, ransomware attacks increased tenfold in the first half of 2021 and became even more disruptive.
What to Do If You Are Impacted
The unfortunate reality is that it’s not a matter of if but when your company will be affected by a ransomware attack. In the wake of the Kaseya attack, the FBI and CISA released guidance for affected MSPs that is relevant for any such supply chain/ransomware attack. These recommendations include:
- Use a manual patch management process according to vendor remediation guidance, including installing new patches as soon as they become available.
- Ensure backups are current and stored in an easily retrievable location that is air-gapped from the organizational network.
- Implement multifactor authentication and the principle of least privilege on key network resources and administration accounts.
It’s also important, as difficult as this can be, to stay calm and follow your documented incident response plan.
If you don’t already have a documented incident response plan in place, start creating one now; it is crucial. The steps below will help, but you can also reach out to your security vendor for help. When you report the incident to your insurance company, they may also have a list of expert security providers who can help you.
Steps Your IR Plan Should Contain
When it comes to your incident response plan, it should include:
- Stop the spread: First, identify the scope of the attack. If the incident is already known to be widespread, implement blocks at the network level, such as isolating traffic at the switch or the firewall edge, or temporarily take down the internet connection. If the incident scope is narrower, consider isolating affected devices at the device level by pulling the Ethernet cable or disconnecting the Wi-Fi. If available, endpoint detection and response (EDR) technology can block the attack at the process level, which is the best immediate option because it causes minimal business disruption.
- Find the initial point of access: Identifying the access point will help find and close the hole in your security. This is sometimes difficult and may need the expertise of digital forensics teams and IR experts.
- Find your backups and determine integrity: In many ransomware attacks, cybercriminals have been in your network for days, if not weeks, before deciding to encrypt your files. This means that you may have backups that contain malicious payloads that you do not want to restore to a clean system. Scan your backups to determine their integrity before restoring from them.
- Sanitize your systems or rebuild: If you feel sure you can identify all the active malware and incidents of persistence in your systems, you may be able to save some time by not rebuilding. But it may just be easier and safer to create new, clean systems. You might even want to build an entirely separate, clean environment that you migrate to. If you are running a virtual environment, this should not take too long. When rebuilding or sanitizing your network, make sure the appropriate security controls are installed so devices don’t get reinfected.
- Make a report: You should also determine whether you are required to report to law enforcement. If the attack is severe and your business spans multiple geographical regions, you may need to contact a national law enforcement service instead of a local or regional law enforcement agency.
Be Ready
As an MSP, your reputation depends on your ability to keep your own company secure and reliable. You must be ready to meet the challenge of ransomware and supply chain attacks. Many customers are relying on you for their essential services; you can’t afford one minute of downtime. Use the best practices noted above to create or refine your incident response plan so you can keep your cool and react quickly.
JON BOVE is vice president of channel sales at Fortinet.