
WHITEPAPER

The MSP’s Response Guide to a Ransomware Attack

2019 msp360.com

Because Managed Service Providers typically hold sensitive data for a large number of clients,
they are becoming a major target for cyberattacks.

If a hacker manages to compromise the systems of an MSP, rather than those of a single
company, they can potentially gain access to data and systems held and managed on
behalf of a large number of third-party companies.

There are many advantages to using an MSP business model, but you should also be aware
of the risks of doing so. In this guide, we’ll look at how MSPs should respond to a ransomware
attack.

Common MSP Vulnerabilities


There are at least three reasons why MSPs have become such a target of cybercrime in recent
years.

The first is simply that the data held by MSPs is extremely valuable and extremely broad.
Most MSPs will hold data for a large number of clients, and this will normally be stored in a
centralized, encrypted system. Breaking into this system will give an attacker access to a huge
amount of data that can then be ransomed back.

Secondly, the nature of the MSP business model provides a large ‘surface area’ for an
attack. The typical MSP will have in place professional services automation (PSA) tools,
remote monitoring and management (RMM) tools, and enterprise resources planning (ERP)
applications, any of which can form the target of an attack. MSPs will also put in place cloud
data storage, and sometimes even provide remote desktop solutions, which add another level
of vulnerability to their systems.

Third, the huge rise in the number of MSPs means that some hackers are beginning to
specialize in attacking this kind of company. Though there are some reports that ransomware
attacks are decreasing across the cybersecurity landscape, the same cannot be said for MSPs
and a closely related business model, Software as a Service (SaaS).

© 2019 MSP360. All rights reserved. msp360.com

Prevention
All this said, if an MSP takes security seriously, there is no reason why this kind of system
cannot be as secure as more ‘traditional’ infrastructure. Ultimately, responding to a
ransomware attack relies on MSPs having good prevention measures in place.

Some of these – such as the use of anti-malware tools and regularly updating software – are
universal for all IT systems, but there are also a number of steps that are particularly important
for MSPs:

• First, appropriate cyber insurance should be in place. Responding to a ransomware attack
can consume a significant level of resources, and even the largest MSPs will have difficulty
marshaling this at short notice.

• Second, significant care should be taken in hardening backup systems. This should
include a system for securely backing up data and applications, and a process for storing
these backups securely. Ideally, backups should be ‘gapped’ (air-gapped) so that they
cannot be accessed by a malicious intruder.

• MSPs also need to put in place endpoint monitoring tools that monitor their clients’
systems for signs of ransomware infection. Though clients are sometimes resistant to
having their systems monitored in this way, endpoint monitoring can allow MSPs to
‘quarantine’ infected client systems, and avoid the spread of malware across their larger
networks.

Response
Once these systems are in place, MSPs should also develop a ransomware attack response
plan, which should include the following steps as a minimum:

• In the first instance, contact your cyber insurance broker, who should be able to deploy
critical resources on your behalf. This could include forensics, consumer remediation, and
legal support.

• Do not contact the attacker directly from your domain. Typically, attackers will not know
the identity of the system they have compromised, and may just know the IP address of the
affected system. Telling them who you are could lead to a greater ransom demand.

• Similarly, do not give the attacker any information about your network infrastructure. Even
the smallest piece of extra information might be exploited to exacerbate the attack.

• Make sure that you have checked all possible options for decryption before paying a
ransom. Decryption keys for some ransomware variants exist in the public domain, are
maintained by digital forensics firms, or are maintained by the FBI.

• If you are forced to pay the ransom, don’t do this directly. Instead, use a trusted third party
that complies with anti-money-laundering laws.

• When it comes to rebuilding your network after decryption, you should carefully vet all your
systems before bringing them back online. In many cases, the decryption keys supplied
by attackers will, in themselves, contain malware. A thorough forensic audit of all of your
systems will prevent repeat attacks. And do not forget that you need a solid backup as a part
of your response plan to be able to recover all the lost data in case of a successful attack.


Managing Clients
Finally, often the most difficult part of handling a ransomware attack is managing clients’
frustration and their potential distrust of your services. Clients should be dealt with in a
transparent manner in order to manage these issues.

Ultimately, most companies today realize that ransomware attacks are an implicit risk of being
online. As long as you can prove to them that you have reliable prevention measures in place,
and are capable of responding to these attacks professionally, you can maintain the trust of your
clients.

About MSP360
Established in 2011 by a group of experienced IT professionals, MSP360™ provides cloud-based
backup and file management services to small and mid-sized businesses (SMBs). MSP360’s
offerings include powerful, easy-to-use backup management capabilities and military-grade
encryption using customer-controlled keys.

Customers can choose to store their backup data with more than 20 online storage providers,
including Amazon S3 and Amazon Glacier. MSP360 also collaborates with thousands of VARs
and MSPs to provide them with turnkey, white-labeled data protection services. It has been an
Amazon Web Services Advanced Technology Partner since 2012. MSP360 has also achieved
Storage Competency Partner status in the AWS Partner Network.
