Five Recommended Ransomware Defenses For MSPs … And Our Experts Add Three More

‘If you don’t use Powershell, just uninstall it. And if you can’t, definitely monitor all Powershell calls and pretty much everything Powershell does on your system,’ says Fabian Wosar, an internationally renowned Ransomware recovery expert.

Some good. Some bad.

In the wake of the ransomware attack on 22 Texas towns three weeks ago, the Texas Department of Information Resources last week provided a list of recommended actions to help MSPs stop intrusions into their networks.

CRN asked no-less-an-expert than Brian Krebs, as well as renowned, London-based “ransomware killer” Fabian Wosar, about the suggestions and what methods they suggest MSPs use to guard their own tools, as well as their customers’ networks.

“One thing I see over and over again with ransom attacks is everyone seems so fixated on the backups,” Krebs said. “ ‘They must not have had backups. They must not have done that right.’ I think that’s sort of missing the forest for the trees.”

Wosar has been featured on the BBC and in The Guardian newspaper, among others, for his work in undermining the bad actors who carry out ransomware attacks.

He now works for Emsisoft, a New Zealand-based security software company, where he continues to help those hit. Wosar estimates that between himself and Emsisoft they have helped more than a million end-users with ransomware remediation, many for free.

“Hacking an MSP and then encrypting all their clients is hugely profitable. There is such a huge return on investment … it’s low-hanging fruit,” he said. “MSPs never had to deal with it, so in a way they got away with a lot of sloppy practices, and bad cyber-hygiene. Either they were lazy or they didn’t know any better; you had a lot of them who are vulnerable to this type of attack.”

While state and federal officials have not yet said how the ransomware attack in Texas spread, one mayor said the bad actors got into the town through an outsourced IT provider whose tools were compromised. Then last week, Nancy Rainosek, Chief Information Security Officer of Texas at the Texas Department of Information Resources, provided some steps MSPs should take to guard themselves and their clients.

Only allow authentication to remote access software from inside the provider's network

Wosar: That’s definitely a very good recommendation, especially since RDPs are one of the main infection vectors for ransomware right now. It’s one of the most common ways that companies get hit. That’s a great recommendation. IP restrictions are definitely a good idea.

Use two-factor authentication on remote administration tools and Virtual Private Network tunnels (VPNs) rather than remote desktop protocols (RDPs)

Wosar: 100 percent. If you as an MSP get hacked, there are two main reasons why you got hacked. They reused the password and they didn’t have two-factor authentication enabled, or because you forgot to keep your RMM software up to date. It kind of baffles me to be completely honest with you, why remote monitoring and management applications don’t come with 2FA being mandatory. It boggles my mind. They must be aware of the fact of how big an issue, and how big of an impact it has when credentials get into the wrong hands. It’s kind of sad that they have to be included in the list. It shouldn’t be optional at all.

Krebs: The biggest issue is a lack of multifactor authentication. A set of credentials gets compromised, or an account gets compromised and there is no mechanism that says ‘This looks weird. This login looks strange. Let’s force a multi-factor prompt.’

A lot of times we see in the MSP environment they have this turned off by default. Or it’s turned on for a time and then they turn it off. Or they turn it on for specific accounts. Anyone who has the ability to manage somebody else’s systems ought to be using strong multi-factor all the time.

The defaults matter a lot, because they hardly ever get changed. So, if the default is multi-factor authentication, and you make it very difficult for people to disable it, I think you’re doing it right.

Block inbound network traffic from Tor Exit Nodes.

Wosar: That’s kind of difficult and depending on your company network, that may not be possible at all. If you do host your webserver, then you don’t want to suddenly lock out every single TOR user out there. There are a lot of legitimate TOR users. Plus, you have to keep in mind people may not have to use TOR to attack a system. In a lot of cases, once there’s an attack and they control one server, they actually use that server as their private VPN, and pivot any further attacks from that server. I can see why that was made, but it’s probably not the most important one.
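The first recommendation (accept remote-access logins only from the provider’s own network) and this one (block Tor exit nodes) are both source-address policies, and Wosar’s objection to the second is that applied to a public web server it locks out legitimate users. The added example below, which is not code from the article or from any vendor, expresses both rules as one policy scoped to remote-administration ports only, and replays a constructed authentication log through it so an MSP can see which past logins the restriction would have denied before turning it on. The provider network ranges, the two-address stand-in for the Tor exit list, the port set and the log format are all assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample data, not taken from the article: the MSP's own address space
# and a two-entry stand-in for the published Tor exit-node list.
PROVIDER_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
TOR_EXIT_NODES = {ipaddress.ip_address(a) for a in ("198.51.100.7", "198.51.100.23")}

# Ports on which only the provider network may authenticate (RDP and WinRM here; an
# RMM agent port would be added the same way). The public web server on 443 is
# deliberately left out so Tor users of the website are not locked out.
REMOTE_ADMIN_PORTS = {3389, 5985, 5986}

# Constructed log format: one authentication attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def decide(src: str, dport: int) -> str:
    """Policy verdict for one source address and destination port."""
    addr = ipaddress.ip_address(src)
    if dport not in REMOTE_ADMIN_PORTS:
        return "allow"  # not a remote-admin port: no source restriction here
    if any(addr in net for net in PROVIDER_NETWORKS):
        return "allow"
    if addr in TOR_EXIT_NODES:
        return "deny-tor-exit"
    return "deny-outside-provider"


def review(log_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Replay a log through the policy and report successful logins it would have denied.

    Run against historical logs before enforcing the rule, this shows which existing
    sessions (a technician on a home connection, say) the restriction would break.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        verdict = decide(m["src"], int(m["dport"]))
        if verdict != "allow" and m["result"] == "success":
            findings.append({"ts": m["ts"], "src": m["src"], "user": m["user"],
                             "dport": int(m["dport"]), "verdict": verdict})
    return findings


# Constructed log lines for the demonstration.
SAMPLE_LOG = [
    "2019-09-03T02:14:05Z auth src=203.0.113.40 dport=3389 user=tech1 result=success",
    "2019-09-03T02:16:41Z auth src=198.51.100.7 dport=3389 user=admin result=success",
    "2019-09-03T02:17:02Z auth src=192.0.2.55 dport=5985 user=admin result=success",
    "2019-09-03T02:18:30Z auth src=192.0.2.55 dport=443 user=- result=success",
    "2019-09-03T02:19:11Z auth src=192.0.2.99 dport=3389 user=admin result=failure",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Two of the five sample logins are flagged: a successful RDP login from a Tor exit address and a successful WinRM login from an address outside the provider network. The web-server hit from the same outside address is not flagged, because the policy never applies to port 443. Wosar’s further point, that an attacker who already holds one server pivots from it rather than from Tor, is why the provider-network allowlist does the real work here and the exit-node list is only a secondary filter.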

Block outbound network traffic to Pastebin.

Wosar: Uhm. No. That also seems really weird. Pastebin has so many legitimate uses. What if your employees use Pastebin? Text scripts and Powershell scripts can be hosted on Pastebin, but they can also be hosted on legitimately any other site, starting with GitHub, GitLab, all these other places. You can’t block all the places that host text files or allow you to anonymously put some text in there. That would render a bunch of companies completely unusable. Especially inside the software development sector, where using GitHub and other places are important.

Use Endpoint Detection and Response (EDR) to detect Powershell (PS) running unusual processes.

Wosar: That is 100 percent a good idea. In particular, if you don’t need Powershell, uninstall it. Powershell is the bane of everyone’s existence at this point, because it’s so incredibly powerful and so hard to restrict and monitor. In so many ways, Powershell is like the tool of choice when it comes to lateral movement within a network. Once you have compromised one system or one server, having to spread all the other servers as well, that is usually where Powershell comes in a lot of the time.

Again, if you don’t use Powershell, just uninstall it. And if you can’t, definitely monitor all Powershell calls and pretty much everything Powershell does on your system.
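“Monitor everything Powershell does” in practice means turning on PowerShell script block logging (the “Turn on PowerShell Script Block Logging” policy, which writes Event ID 4104 to the Microsoft-Windows-PowerShell/Operational log) and then reviewing those events for the behaviour the interview names: hidden or encoded invocations, scripts pulled from paste and code-hosting sites, and remoting into other hosts. The added example below is not code from the article, from Wosar, or from any EDR product; it runs a small set of defensive indicator rules over constructed events whose shape is a simplification of the real 4104 record, and it decodes `-EncodedCommand` arguments first, since a rule that only looks at the outer command line would miss what the encoded script actually does.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Defensive indicator rules, name -> pattern over the script text. They cover the
# behaviours the interview mentions; a production rule set would be far larger.
RULES = {
    "encoded_command": re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "execution_policy_bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
    "remote_download": re.compile(
        r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b"),
    "invoke_expression": re.compile(r"(?i)Invoke-Expression|\biex\b"),
    "remote_execution": re.compile(
        r"(?i)\b(?:Invoke-Command|Enter-PSSession|New-PSSession)\b[^\n]*-ComputerName"),
}
ENCODED_ARG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(script: str) -> Optional[str]:
    """Decode an -EncodedCommand argument (base64 of UTF-16LE) so the rules see the real script."""
    m = ENCODED_ARG.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None  # not valid base64: leave the outer text for the rules to judge


def analyze(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Return {event id: sorted rule names} for every event that trips at least one rule."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        script = str(ev["script"])
        decoded = decode_encoded_command(script)
        text = script if decoded is None else script + "\n" + decoded
        matched = sorted(name for name, rx in RULES.items() if rx.search(text))
        if matched:
            hits[int(ev["id"])] = matched
    return hits


def _encode(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample events (simplified 4104-style records, not real log data).
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-07", "user": "CORP\\alice",
     "script": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"id": 2, "host": "ws-07", "user": "CORP\\alice",
     "script": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
               + _encode("Invoke-Command -ComputerName srv-02 -ScriptBlock { Get-Service }")},
    {"id": 3, "host": "srv-02", "user": "CORP\\svc-rmm",
     "script": "Invoke-WebRequest -Uri https://pastebin.example/raw/placeholder | Invoke-Expression"},
    {"id": 4, "host": "srv-02", "user": "CORP\\bob",
     "script": "Get-Service -Name Spooler -ComputerName srv-03"},
]

if __name__ == "__main__":
    for event_id, rules in analyze(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Event 2 shows why decoding matters: on the outer command line only the hidden window and the encoded argument are visible, and the remoting to another host appears only after decoding. Event 4 uses `-ComputerName` with an ordinary cmdlet and is left alone, which keeps the remote-execution rule from firing on routine administration. Wosar’s point that PowerShell is hard to restrict holds for this approach too: an approved administrative script can trip these same rules, so the output is a queue for review, not an automatic block.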

Is there anything they left out that you think ought to be included?

Krebs: My recommendation would be to get a lot more situational awareness about what is normal on your network, and what abnormal looks like. Getting hacked and getting a bunch of your customers hacked can be an existential issue for these MSPs. Again, I come back to information security governance. If the organization isn’t assuming, at any given time, that they aren’t already compromised, then they don’t really have an effective way to prevent their systems from being abused in these types of attacks.

Wosar: For an MSP, it’s maybe a good idea to have cyber insurance. Just assuming that the worst case happens and all their clients get encrypted, that they have some way to pay the ransom, no matter how high it is. The thing is, in a lot of cases, if you as an MSP get hacked and all your clients get encrypted, the ransomware authors will only negotiate with you as an MSP.

If you can’t pay, or if you go belly up, your clients are screwed because your clients can’t go to the ransomware author and try to negotiate to get their data back. So having some insurance or some policy, just for the worst case, is absolutely important.

What about backup?

Krebs: One thing I see over and over again with ransom attacks is everyone seems so fixated on the backups. ‘They must not have had backups. They must not have done that right.’ I think that’s sort of missing the forest for the trees.

For one thing, in almost all of these ransom attacks, it’s not like the bad guys get in and flip a switch and they got everything ransomed. And it’s not typical that a ransom is just going to spread by itself through the network -- although we’ve seen that with things like WannaCry and stuff that is powered by a type of worm. Most of the stuff is, bad guys get in. Might be an opportunistic compromise, right. Might be a mass phishing email, or it might be targeted. Increasingly it is targeted. But the point is, there is this one entry point. It can be weeks or months before the bad guys launch the ransomware.

So, there’s the opportunity for all potential victims to avoid that occurrence of having to suffer a ransomware attack, if they’re set up to assume that bad guys are going to get in, and they’re set up to look for compromises inside their own environment.

The problem is, the vast majority of organizations are not set up this way. They just assume that whatever they’re doing on security is good enough. It’s kept them non-hacked for years, and it looks like it’s working, and then they wake up one day and come into work and all their systems are compromised.

Wosar: You have to keep in mind, once your RMM is compromised, that often means they do have access to the backups. If they can delete the backups, that is exactly what they will do. So that is like one of the ideas. You may have heard of the 3-2-1 rule when it comes to backups. You should have three copies of your data. It should be in two different locations, and one of them should be offsite. By offsite, not accessible to anyone, pretty much.

If you do manage back-ups for your clients and you can delete them, then you don’t have a real off-site copy. So maybe have an additional mirror, or an additional backup location, of your backup location that cannot be deleted.
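Wosar’s caveat turns the 3-2-1 rule into four checks: three copies, two media, one copy off site, and at least one off-site copy that the MSP’s own RMM or backup credentials cannot delete. The added example below, which is not code from the article or from Wosar, is a self-assessment an MSP can run over an inventory of a client’s backup copies; the two inventories and the site and medium names are constructed for the example. The second inventory is the case Wosar describes: it satisfies the textbook rule, yet every off-site copy is deletable with the same credentials a compromised RMM would hold.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str             # "disk", "tape", "object-storage", ...
    site: str               # where the copy physically lives
    deletable_by_rmm: bool  # True if the MSP's RMM/backup credentials can delete or overwrite it


def check_3_2_1(copies: List[BackupCopy], production_site: str) -> List[str]:
    """Return rule violations for a set of copies; an empty list means the set passes."""
    problems = []
    if len(copies) < 3:
        problems.append(f"{len(copies)} copies present; the rule needs 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies share one medium; the rule needs 2")
    offsite = [c for c in copies if c.site != production_site]
    if not offsite:
        problems.append("no copy is stored away from the production site")
    # Wosar's caveat: an offsite copy the (compromised) RMM can delete is not really offsite.
    elif all(c.deletable_by_rmm for c in offsite):
        problems.append("every offsite copy can be deleted with the MSP's RMM credentials")
    return problems


# Constructed inventories for one client, not real infrastructure.
GOOD = [
    BackupCopy("production", "disk", "client-hq", True),
    BackupCopy("local-nas", "disk", "client-hq", True),
    BackupCopy("cloud-locked", "object-storage", "cloud-region-1", False),  # retention lock, no delete
]
LOOKS_FINE_BUT_ISNT = [
    BackupCopy("production", "disk", "client-hq", True),
    BackupCopy("local-nas", "disk", "client-hq", True),
    BackupCopy("cloud-bucket", "object-storage", "cloud-region-1", True),  # RMM creds can delete it
]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD), ("looks fine", LOOKS_FINE_BUT_ISNT)):
        print(label, check_3_2_1(inventory, production_site="client-hq") or "passes")
```

The `deletable_by_rmm` flag is the one that needs honest answers: a copy counts as protected only when deletion or overwrite requires something the RMM never holds, such as a separate account, a retention lock that the storage service enforces, or media that is physically offline.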