A 2020 report from Datto asked several key questions of 1,000 managed service providers (MSPs) from across the world. The report, created during the 2020 Covid-19 pandemic, focuses on the scourge of business…ransomware. The key questions in the report look at how the increase in remote work and cloud computing due to the virus has affected ransomware trends.
Our two-part series will look at the findings of Datto’s “Global State of the Channel Ransomware Report”.
Cybercrime as a business and key report takeaway
One of the overriding findings of the report is that cybercrime is now big business. As such, the cybercriminal ‘directors’ of that business run it as a slick operation to maximize revenue. This translates to an agile approach to ransomware targeting. Datto found that during the Covid-19 pandemic, fraudsters have seen ransomware as a “numbers game”. By focusing on larger SMBs, the probability of a more successful outcome is greater – a good tactic for “tough economic times”.
With this in mind, some of the key takeaways from the report are:
- Remote work has increased ransomware attacks according to 59 percent of surveyed MSPs.
- 52 percent of MSPs said that the shift of workloads to the cloud opened up security vulnerabilities.
- Ransomware is still the number one threat with 70 percent of SMBs experiencing a ransomware threat.
- Ransomware targets not just the SMB but the MSP too, with 95 percent of MSPs agreeing that their business has been at increased risk of ransomware.
- Phishing remains the top attack vector. This finding is in line with other research such as the Verizon Data Breach Investigations Report (DBIR) and the State of the Phish.
- MSPs have reported the average cost of downtime is up by an amazing 94 percent from 2019 figures.
- MSPs reported that clients using business continuity and disaster recovery (BCDR) solutions were less likely to suffer severe downtime after a ransomware attack.
The industry perspective
In the first half of 2020, 60 percent of MSPs reported ransomware attacks on clients; 11% of these experienced multiple attacks in a single day. These attacks, whilst spread across industry sectors, saw some industries more targeted than others. The top five most targeted industries for ransomware are:
- Healthcare (59 percent)
- Finance/insurance (5 percent)
- Government (45 percent)
- Professional Services (41 percent)
- Education (36 percent)
The report believes that healthcare took the top spot because the sector was already weakened by dealing with the pandemic. This fits with the notion that the cybercriminals behind ransomware are looking for a good Return on Investment (ROI): healthcare offers easy, low-hanging fruit, with a higher probability of success.
The MSP as a ransomware target
One clear finding from the report is that cybercriminals are not just targeting the SMB. MSPs are firmly in the sights of ransomware attacks. Almost all of the MSPs interviewed believe that MSPs are likely targets for ransomware. Datto understands this concern stems from recent high-profile ransomware incidents. An example is the attack on Universal Health Services (UHS). Attacks like this often begin with stolen credentials taken from an MSP targeted by a phishing campaign. These credentials are then used to infiltrate the client network and install ransomware.
What ransomware is out there?
The Datto report looked at the type of ransomware behind attacks. The most common ransomware is an older, well-established variant called Cryptolocker, now in its 7th year of causing harm. The other top ransomware variants Datto identified are:
- WannaCry: Famous for the global ransomware attack of 2018
- CryptoWall: Used in ‘malvertising’ – ads containing malware – as found on Disney, Facebook, and The Guardian newspaper websites, amongst others.
- Locky: Found in Microsoft Word documents delivered via email.
- Emotet: Often used in combination with another malware variant, Trickbot, both used in many healthcare ransomware attacks.
The big ransomware question: How to bridge the SMB and MSP ransomware disconnect
One of the concerning findings from the report was the ‘ransomware disconnect’ between MSP and SMB. Whereas a full 84% of MSPs feel ‘very concerned’ that all businesses are at threat of a ransomware attack, only 30% of clients are worried about being victims of ransomware.
How this gap is bridged is a key issue across managed services. However, the uptick in ransomware attacks and the severity of downtime and ransom costs may shift client focus.
Increasing awareness of cybersecurity impact has meant that client cybersecurity budgets have increased by 50% in 2020. This situation is being reflected by other industry voices. McKinsey, for example, has said on the subject of cybersecurity budgets that:
“crisis-inspired security measures will remain top budget priorities in the third and fourth quarters of 2020”, with a “significant increase in 2021” also expected.
The tripartite of ransomware prevention
The report focuses on several areas that lead to ransomware infection, the top three causes being:
Phishing emails
The number one way that ransomware infection occurs is via phishing emails. The ransomware may enter the network via a phishing email or an infected website. Once installed, the malware soon propagates across the entire network, including cloud repositories.
Poor user practices
Lack of security hygiene is another top way that ransomware infects networks. This comes in many forms including password sharing.
Lack of end-user cybersecurity training
Poor security hygiene is part of a general lack of cybersecurity awareness amongst employees, leading to ransomware infection. The report recommends that companies should deliver mandatory cybersecurity training to all employees, allowing them to spot tell-tale signs of phishing, etc.
Other main threat areas identified in the report were:
- Weak passwords/access management
- Open RDP (remote desktop) access
- Malicious websites
- Lost/stolen user credentials
- Lack of IT security funding
- Lack of executive buy-in for security solutions
The disconnect in the importance of ransomware threats between the MSP and SMB is perhaps one of the most enlightening aspects of the Datto report. The impact of ransomware is well-established. But figuring out the best route to fixing this problem must be a cohesive effort between MSP and client. Using the Datto report to highlight the prevalence of ransomware and its impact, once infected, can help to bridge this gap.
Part 2 of this review of the Datto report will explore the impact of ransomware on a business and which cybersecurity tools are best at mitigating the threat of ransomware.