Ransomware infections: Channel toils to defend besieged customers

Channel partners are working with customers on ransomware defense strategies and risk mitigation amid a rising tide of costly and disruptive infections.

Ransomware attacks have escalated in recent years, a trend to which channel companies can attest.

A recent report from Datto Inc., a data protection vendor based in Norwalk, Conn., found that nearly 100% of managed service providers (MSPs) said ransomware attacks at small businesses are occurring more frequently, a pattern they expect to continue over the next two years. Additionally, more than 91% of respondents reported their clients have been the victims of ransomware infections, and 40% of those clients have been attacked six times or more in the last 12 months.

The increase in ransomware attacks has meant that companies like GCS Technologies Inc., an IT solution provider based in Austin, Texas, are spending more time on prevention as well as on solving IT problems in the aftermath of an attack.

"Ransomware infections are the single largest hourly tickets we work. They range in time from five hours up to 50 hours, depending on the severity of the infection and the quality of the backup systems," said Joe Gleinser, president and founder of GCS Technologies.

Gleinser said about 10% of his company's customers have been affected to date with 1% affected more than a single time. He said the company has seen 39 ransomware infections this year out of 400 customers, and he expects that to grow to more than 20% in the next year.

He added that ransomware differs from other security threats because the likelihood of infection and the damage caused by infection are greater than what his company has seen from other malware. Gleinser said he thinks the financial risks will be greater in the future.

"The financial losses are relatively tame compared to [Automated Clearing House] ACH attacks or other hacks. This won't last though," Gleinser said. "The ransomware attackers will learn they can ask for far more. One of our clients had all their servers infected, and 30 desktops. They asked for only $2,000 in Bitcoin. They could have asked for $20,000 easily."

The ransomware disconnect

In a ransomware attack, perpetrators use malicious software to steal and encrypt mission-critical data while blocking access to computer systems until a sum of money is paid for the decryption key. Last year, the FBI's Internet Crime Complaint Center (IC3) identified CryptoWall as the most current and significant ransomware threat targeting U.S. individuals and businesses. According to IC3, CryptoWall and its variants have been targeting U.S. victims since April 2014.

Paying the ransom, however, is just the start of the financial burden victims must bear.

According to the FBI, ransomware fees typically range between $200 and $10,000, but many businesses shoulder additional costs associated with network mitigation, network countermeasures, legal fees, IT services and loss of productivity. Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, costing victims more than $18 million.

Downtime can prove particularly costly. A study by research firm the Aberdeen Group found that the average cost of downtime per hour is a staggering $163,674.

Despite the growing evidence that costly ransomware infections are on the rise, the vast majority of MSPs believe a gulf exists between how seriously they view ransomware and how seriously their SMB customers view it, according to the Datto report.

The Datto survey polled 1,100 MSPs about the impact of ransomware on their SMB customer sites.

Datto Ransomware Report 2016

In one key finding, 88% of MSPs described themselves as "highly concerned" about ransomware, but when asked to rate how seriously their customers view ransomware, only 34% of MSPs said their customers felt the same way.    

"I'm not surprised that so many IT solution providers said they are highly concerned, but what is surprising is their interpretation of how they feel their customers don't have the same level of unease about ransomware," said Rob Rae, Datto's vice president of business development. "That tells me there is a significant concern that solution providers think they may not be able to stop this effectively or they may not be able to convince customers that they need to invest in tools to stop ransomware attacks."

Raising awareness

That said, channel partners have numerous opportunities to offer consulting services and IT skills to help customers mitigate the risk of a potential attack as well as contain an attack if one occurs. The documented financial drain of ransomware may help channel companies cost-justify a project.

"Ransomware is unique in that there is a definite and tangible value around it -- the cost of the ransom that is to be paid and the impact to operations in the meantime," said Kyle Bubp, security practice lead at VeriStor Systems Inc., a company based in Duluth, Ga., that provides virtual infrastructure and enterprise storage products and services to enterprise and midmarket companies.

Bubp added that other types of attacks and infections aren't always quite as easy to quantify, and the difference makes it easier to assign real potential value to ransomware prevention mechanisms and education, as well as disaster recovery and business continuity services and tools.

In some cases, the ransomware threat has caused companies to reconsider their IT security posture.

"I've been telling customers that they've got security holes in their system, but their response has been, 'We'll be fine; we won't get hit,'" said Chris Crider, senior technical consultant at Force 3, a network security and data center technology company based in Crofton, Md. "With the rise of the ransomware epidemic, IT executives are starting to realize that what they've done before does not necessarily complete their IT security defense systems."

"The customers I work with that have a more mature security program are not being impacted by ransomware as much as those who have an immature or ad hoc security program," said Mike Stines, security solutions architect at Softchoice Corp., an IT solutions and managed services provider.

Those customers with ad hoc security programs are rapidly recognizing the need to have a framework in place that they can measure themselves against and identify security gaps, he noted.

"Organizations are moving from ad hoc security programs to a more structured security program," Stines said. "It's unfortunate that it's taking ransomware to do that."

Mitigation strategies

Stines said a key step toward dealing with the threat of ransomware infections is elevating the issue to the level of other risks an organization faces. Businesses should plan in advance for the potential impact of a ransomware attack, just as they would for a power outage, he noted.

"It is all risk management," Stines said.

To create a better security system, companies must also spend more on IT security tools and adopt several approaches that IT service providers can assist clients with, such as educating staff on ways to identify infected emails and creating visibility across IT systems to detect malware, Crider added.

Crider said his company recommends tools such as Cisco Advanced Malware Protection (AMP) to track files in the network and identify where, when and how a malicious file entered the system.

"Cisco AMP allows us to watch files that are not malicious today and identify them when and if they become malicious tomorrow. The software helps us to contain infected files before they become a prevalent problem," Crider said.

Tony Anscombe, senior security evangelist at Avast, a security software company headquartered in Prague, said classic security threats are typically managed through strong perimeter protection, virtual private networks and physical security. However, ransomware uses social engineering to drive new attack vectors, and since people often access personal email via browsers, the corporate perimeter protection is not enough.

Bubp added that while there are technologies that can prevent ransomware from passing the email gateway, executing on the endpoint and propagating on file servers, nothing is hackproof.

And that means channel partners have an opportunity to help clients deal with the aftermath of a ransomware attack as well as work to prevent such events. Here, backup and disaster recovery services come into play.

Softchoice, Stines said, encourages customers to focus on an incident response plan and validate that data backup processes are operating as designed. He said he also encourages customers to test their data recovery capabilities to confirm that they can successfully restore from a backup if ransomware strikes.

The FBI, for its part, lists the implementation of a data backup and recovery plan among its recommendations for mitigating the risk of the ransomware threat. The bureau also cites employee training, antivirus software updates, and automated patching for operating systems and web browsers as other ransomware defense measures.

"Offerings such as backup as a service and disaster recovery as a service can be invaluable in helping customers recover quickly," Bubp noted. "However, at the end of the day, it comes down to user education and awareness on how to identify malicious and phishing emails and what to do when they are received."

From user education to disaster recovery, there's plenty of room for channel partners to provide ransomware-related security services -- once they convince customers they need assistance. 
