‘Ignorance,’ ‘Apathy’ Fueling Plague Of Ransomware Attacks

“There’s a very ubiquitous best-practice among the top performing MSPs, which is they don’t sell levels of security … the most advanced security is the standard security and you can’t get into an agreement with the MSP without it,” advises Paul Dippell, CEO of MSP consultant Service Leadership, who said despite the headlines, end-users fail to grasp the threat of ransomware.


Managed service provider Rich Delaney was recently asked to look at a small town’s network to get an idea of what it would need to upgrade its cybersecurity.

Minutes later, he could have gotten inside their email server.

“I said, ‘I haven’t even done anything and I could log into to your email,’” he said. “It was wide open to the world. … There was no next-gen firewall looking for intrusion protection. That’s me without using a single sophisticated hacking tool. The problem is around the general understanding. In this case it was ignorance, No. 1. Secondly, apathy.”

Sponsored post

[Related: 'Coordinated' Texas Ransomware Attack Whacks 23 Local Governments]

Delaney—owner of Delaney Computer Services, an MSP with offices in New York City and New Jersey with multiple municipal clients—is one of a growing number of MSPs concerned about the spread of ransomware attacks targeting state and local governments, such as the recent blitz against 22 towns in Texas.

Since many small cities and towns lack the resources to carry a full-time IT staff, they outsource the work to MSPs. That has made MSPs the last line of defense in an escalating battle with hackers.

Paul Dippell, CEO of MSP consultant Service Leadership, which surveys thousands of MSPs to discover the industry standards for how to run a healthy business, said one of the most stubborn obstacles today remains end-users unwillingness to believe they are going to be attacked. He said, the most successful MSPs have discovered a work-around, however, which is to only offer one form of security: the best.

“There’s a very ubiquitous best practice among the top performing MSPs, which is they don’t sell levels of security. If you look at the lower performers they offer clients regular security, or advanced security. Seventy-percent of clients presented with that choice will say ‘I’ll go with regular’ thinking incorrectly that that will protect them,” Dippell said. “It’s a mistaken marketing strategy by the lower performing MSPs that they should have these two levels. If you look at the top performers, the most advanced security, is the standard security and you can’t get into an agreement with the MSP without it.”

Doug Robinson, executive director of the National Association of State Chief Information Officers, told CRN that few politicians grasp the dangers to their own communities. Four days before the attacks in Texas, he presented a study that showed a fivefold increase in phishing strikes on states and municipalities.

“I wish I thought it was going to be a wake-up call for local jurisdictions,” Robinson told CRN. “I think so many of them have so few resources to dedicate to this, that this is a question of the politically appointed and elected leaders of cities and counties and states understanding that cybersecurity is a business risk to the continuity of government.”

In the midst of restoring his town’s network last week, Keene, Texas, Mayor Gary Heinrich told NPR that the vector for the attack that hit his town appeared to be the contractor the town had hired to outsource its IT services. He told the radio station that software used by the contractor was used to hit other towns that were targeted.

"They got into our software provider, the guys who run our IT systems," Heinrich told NPR. "A lot of folks in Texas use providers to do that because we don't have a staff big enough to have IT in-house."

Heinrich did not return several calls for comment from CRN.

The mayor’s description of how the attack spread sounds similar to many of the successful attacks that have been run this year against MSPs whose credentials were compromised, allowing bad actors to spread ransomware through powerful tools made by ConnectWise, Kaseya, Continuum, Webroot and NinjaRMM.

CRN reached one of the MSPs who provided IT services to Kaufman and Lampasas, Texas, two of the municipalities hit by the Texas ransomware outbreak. TSM Consulting declined to comment over the phone or by email, citing the still-unfolding federal investigation.

“We are unable to comment at this time because of the ongoing FBI and DIR investigation,” Rick Myers, founder of TSM Consulting, said in an email to CRN. “My suggestion is you contact the State of Texas DIR.”

Texas DIR referred questions to the FBI, which had no comment. Texas DIR instructed towns to enable multi factor authentication, keep patches and antivirus up to date, perform regular backups, and limit the granting of administrative authority.

“To solely blame the MSP is wrong, unless we know something,” Delaney said.

Delaney said attacks like this underscore the need for cities to put a person in charge of cybersecurity for their jurisdiction.

“The general understanding of cybersecurity is very low,” he said of local governments. “They haven’t fully grasped that they use technology for everything. The mayor, the town manager, whoever is in charge should appoint a CISO [Chief Information Security Officer]. They need it now.”

He said the town that asked for his network assessment had a small, in-house IT staff, but none who had cybersecurity training.

“There was no accountability,” he said. “No one was saying, ‘Hey, we need to send this guy to school and give him some authority. We need to give someone this responsibility.’”

He said the attacks that are crippling cities and towns across the country could be easily thwarted with better training. However, he sees many cases in which end users throw up their hands and feign ignorance, saying ‘It’s not my problem,’” he said.

“It is your problem,” he said. “This isn’t 1997 where you can say I’m new to computers. You’ve pretty much been using computers for the last 25 years of your life, and you’ve never gotten any better at it? We get this a lot … that attitude of apathy about technology needs to go away. People should realize, ‘Hey it’s something I have to live with, so I have to get better at it.’ Companies need to improve training for tech solutions.”

Michael Goldstein, president and CEO of LAN Infotech, an MSP based in Fort Lauderdale, Fla., said last year his company implemented two-factor authentication (2FA) across as many tools as would allow it. He also briefs new clients on the latest, best practices. Many Florida businesses already have a “high backup posture” due to tropical storms and hurricanes that threaten the Sunshine State every year, he said.

“You can get hit, but if you have a good backup plan, we can restore from it,” he said. “I think there’s a lot of awareness in place. In my bag, in my trunk right now I have printed materials from the Secret Service where it talks about Ransomware 101. Who to call? What to do? How to report it? It’s not just the sales guy trying to sell it. When I put a real logo on it, not just my logo, it resonates a little more.”