Datto Warns MSP Attacks Are ‘Skyrocketing’

Ransomware attacks via MSPs are on the rise, growing from one attack about 18 months ago to five attacks just this week alone, according to data protection vendor Datto.

The MSP market has become the key point of attack for bad actors looking at ways to get inside businesses to access their data and inject ransomware.

That's the message from Eric Torres, director of channel development for Norwalk, Conn.-based provider of data protection and MSP platform technology developer, to an audience of solution providers and MSPs at this week's XChange 2020 conference in San Antonio, Texas, hosted by CRN parent The Channel Company.

The rate of attacks is also growing, from one attack about 18 months ago to five attacks just this week alone, Torres said. "The rate of attacks are skyrocketing," he said.

[Related: ‘This Can’t Be Happening’: One MSP’s Harrowing Ransomware Story]

It’s critical that MSPs take steps to protect themselves and, by extension their customers, from attacks, Torres said.

The idea of an MSP getting its own house in order before talking to customers really resonated with Landy Kindle, director of marketing and sales operations at Tech Heads, a Portland, Ore.-based MSP.

"Being able to show how we've protected our own environment is a great way to show what we can do for our customers," Kindle said.

Tech Heads is currently in the process of building a practice around Center for Internet Security, or CIS, controls, Kindle said.

"We're taking a systematic approach to security," he said.

Kindle said he has yet to see ransomware attacks against customers via Tech Heads.

"Our managed services practice is relatively new," he said. "But we have been in with customers to remediate issues."

Torres told solution providers at XChange Sunday that the ways in which attackers are going after MSPs is changing quickly.

"[Attackers] figured out what MSPs do," Torres said. "And they find you have the keys to the kingdom. ... MSPs are increasingly under attack. And [attackers are] doing it with the tools we provide."

Threats are coming from a wide variety of attackers, Torres said. They include ransomware developers who make a ton of money staying one step ahead of the latest protection technologies, insider threats from disgruntled employees who leave the MSP back door open, organized crime, nation-states, and IoT hackers going through thermostats and cameras.

Those attackers are really working through some quite unsophisticated methods, Torres said.

These include phishing attack via MSPs, brute force attacks with software purchased via the dark web, password engineers who take advantage of lazy users who store their passwords in their browsers, and users who do not change their passwords, he said.

Those kinds of attacks can be costly, Torres said. Citing a recent New York Times report, he said the average ransomware ask in the last quarter was $84,116, which was double that of the prior quarter, which was double that of two quarters ago, he said.

However, most attackers ask for $1,000 to $3,000, an amount which is small enough that many of those attacks are not reported, he said.

Datto Chief Information Security Officer Ryan Weeks has led the company's response to the attacks in several ways, Torres said. After spending time with both large and small MSPs, Weeks found that many have configuration issues that leave them at risk, and they are not following best practices to protect customers, Torres said.

Datto is responding by pushing customers to adopt mandatory two-factor authentication, and the company itself is making two-factor authentication mandatory for its professional services automation platform, he said.

Datto is also proactively monitoring MSPs' portals via the dark web, automatically looking for bad IP addresses which indicate problems, he said. The company has also implemented technology that prevents the deletion of secondary data unless it has been safely backed up, he said.

Torres said Datto is also working with fellow MSP-focused technology vendors and competitors to jointly help MSPs, including Ellicott City, Md.-based Huntress Labs; Tampa, Fla.-based ConnectWise; and Kaseya's Bowie, Md.-based ID Agent.

He cited a recent example, covered in CRN, where Datto, Huntress Labs, and ConnectWise worked together to identify a former MSP employee who sold that MSP's credentials. As a result, that former employee was recently arrested.

Datto has also joined the MSP ISAC, or Information Sharing And Analysis Center, which is a group of vendors who, if they hear of an issue pass the information to their peers, including competitors, Torres said.

Datto on its own has published a checklist of priorities to ensure MSPs are safely handling customers' information, Torres said. Those priorities including auditing all technology solutions, user accounts, and roles; defining off-boarding plans on how to handle how data is secured is an employee leaves; and restricting RDP (remote desktop protocol) access to users who are only on the company LAN.

"These are all the little things you guys are probably doing, but a checklist lets you say, 'I'm doing that,'" he said.

The move to protect customers from ransomware attacks can be turned into new business opportunities, Torres said.

For instance, he said an MSP can run through the checklist to make sure their own houses are in order, and can then use that list to show customers what they have done for themselves that can be applied to those customers.

The checklist can also be the springboard for things like introducing co-managed IT services, particularly for midsize and larger customers. "A lot of them are less safe [than smaller customers] because they don't have someone inside focused on protecting them," he said.