15 Sep Managed service providers are ransomware hackers’ new gold …
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
On July 3, employees at Arbor Dental in Longview, Washington, noticed glitches in their computers and couldn’t view X-rays. Arbor was one of dozens of dental clinics in Oregon and Washington stymied by a ransomware attack that disrupted their business and blocked access to patients’ records.
But the hackers didn’t target the clinics directly. Instead, they infiltrated them by exploiting vulnerable cybersecurity at Portland-based PM Consultants Inc., which handled the dentists’ software updates, firewalls and data backups. Arbor’s frantic calls to PM went to voicemail, said Whitney Joy, the clinic’s office coordinator.
“The second it happened, they ghosted everybody,” she said. “They didn’t give us a heads up.”
A week later, PM sent an email to clients. “Due to the size and scale of the attack, we are not optimistic about the chances for a full or timely recovery,” it wrote. “At this time we must recommend you seek outside technical assistance with the recovery of your data.”
On July 22, PM notified clients in an email that it was shutting down, “in part due to this devastating event.” The contact phone number listed on PM’s website is disconnected, and the couple that managed the firm did not respond to messages left on their cellphones.
The attack on the dental clinics illustrates a new and worrisome frontier in ransomware — the targeting of managed service providers, or MSPs, to which local governments, medical clinics, and other small- and medium-sized businesses outsource their IT needs. While many MSPs offer reliable support and data storage, others have proven inexperienced or understaffed, unable to defend their own computer systems or help clients salvage files. As a result, cybercriminals profit by infiltrating dozens of businesses or public agencies with a single attack, while the beleaguered MSPs and their incapacitated clients squabble over who should pay the ransom or recovery costs.
Cost savings are the chief appeal of MSPs. It’s often cheaper and more convenient for towns and small businesses with limited technical needs to rely on an MSP rather than hire full-time IT employees. But those benefits are sometimes illusory. This year, attacks on MSPs have paralyzed thousands of small businesses and public agencies. Huntress Labs, a Maryland-based cybersecurity and software firm, has worked with about three dozen MSPs struck by ransomware this year, its executives said. In one incident, 4,200 computers were infected by ransomware through a single MSP.
Last month, hackers infiltrated MSPs in Texas and Wisconsin. An attack on TSM Consulting Services Inc. of Rockwall, Texas, crippled 22 cities and towns, while one on PerCSoft of West Allis, Wisconsin, deprived 400 dental practices around the country of access to electronic files, the Wisconsin Dental Association said in a letter to members. PerCSoft, which hackers penetrated through its cloud remote management software, said in a letter to victims that it had obtained a key to decrypt the ransomware, indicating that it likely paid a ransom. PerCSoft did not return a message seeking comment.
TSM referred questions about the Texas attack to the state’s Department of Information Resources, which referred questions to the FBI, which confirmed that the ransomware struck the towns through TSM. One of the 22 Texas municipalities has been hit by ransomware twice in the past year while using TSM’s services.
FBI spokeswoman Melinda Urbina acknowledged that MSPs are profitable targets for hackers. “Those are the targets they’re going after because they know that those individuals would be more apt to pay because they want to get those services back online for the public,” she said.
Beyond the individual victims, the MSPs’ shortcomings have a larger consequence. They foster the spread of ransomware, one of the world’s most common cybercrimes. By failing to provide clients with reliable backups or to maintain their own cybersecurity, and in some cases paying ransoms when alternatives are available, they may in effect reward criminals and give them an incentive to strike again. This year, ProPublica has reported on other industries in the ransomware economy, such as data recovery and insurance, which also have enriched ransomware hackers.
To get inside MSPs, attackers have capitalized on security lapses such as weak passwords and failure to use two-factor authentication. In Wisconsin and elsewhere, they also have exploited vulnerabilities in “remote monitoring and management” software that the firms use to install computer updates and handle clients’ other IT needs. Even when patches for such vulnerabilities are available, MSPs sometimes haven’t installed them.
The remote management tools are like “golden keys to immediately distribute ransomware,” said Huntress CEO Kyle Hanslovan. “Just like how you’d want to push a patch at lightning speed, it turns out you can push out ransomware at lightning speed as well.”
Otherwise, the hacker may spread the ransomware manually, infecting computers one at a time using software that normally allows MSP technicians to remotely view and click around on a client’s screen to resolve an IT problem, Hanslovan said. One Huntress client had the “record session” feature of this software automatically enabled. By watching those recordings following the attack, Huntress was able to view exactly how the hacker installed and tracked ransomware on the machines.
In some cases, Hanslovan said, MSPs have failed to save and store backup files properly for clients who paid specifically for that service so that systems would be restored in the event of an attack. Instead, the MSPs may have relied on low-cost and insufficient backup solutions, he said. Last month, he said, Huntress worked with an MSP whose clients’ computers and backup files were encrypted in a ransomware attack. The only way to restore the files was to pay the ransom, Hanslovan said.
Even when backups are available, MSPs sometimes prefer to pay the ransom. Hackers have…