When a Managed Service Provider (MSP) is a victim of cybercrime, the scope of damage can be vast. Most MSPs use Remote Management and Monitoring (RMM) tools so they can provide quick and effective service remotely, instead of needing to send an employee on-site for every little fix. These tools, and their function as Remote Access Tools (RATs) in particular, mean that if a cyber criminal gains full access to the MSP’s RMM tool, the threat actor can have full access to every system of every client. Last year, we assisted an MSP that was the victim of cybercrime.
In this particular case, the ransomware known as “Gandcrab” was deployed to all managed systems through one of the MSP’s RMMs.
Unfortunately, all managed systems included every client production machine, every client backup server, all machines owned and operated by the MSP for their internal use, and their servers hosting remote copies of backups.
There were 36 affected clients that needed help, and every single one was down. The MSP simply didn’t have enough manpower to assist every client and was so over-worked that they had to turn off their main phone line.
After reviewing a list of clients affected by the ransomware, Tetra made the decision that we needed to engage each client individually to most efficiently remediate the problem. This allowed Tetra to get a deep understanding of each client’s setup, needs, and most critical systems. It also allowed Tetra to break the clients up into groups and assign both its employees and the MSP’s employees as the primary leads, letting the strengths of each team member work best with the unique situations of each client. Additionally, scoping each client individually allowed for rapid assessment of how many machines truly needed decryption, which gave Tetra substantial leverage in negotiating a potential ransom payment.
For some clients, the solution was simple. For more complicated clients, it could’ve taken hours to manually identify each key encrypting data on a critical system. For those clients, Tetra turned to its development team:
In less than an hour, Tetra’s developers wrote custom software to automatically identify all encryption keys on all critical systems. This dramatically reduced both the billable hours of Digital Forensics and Incident Response team members and the time it took to conclude how many keys needed to be negotiated for.
While the cyber criminal may identify thousands of keys, our software determined that only the critical keys were needed. Tetra was able to keep ransom payment costs to a minimum and helped each individual client get back up and running.
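The triage the passage above describes, as an added example that is not Tetra’s tool or code from this post: the script collects ransom-note files from mounted images of the affected systems, pulls a per-system key identifier out of each note, and then keeps only the keys whose notes sit under the paths marked critical, so the negotiation covers that smaller set rather than every key the attacker holds. The note filename pattern (`*-DECRYPT.txt`) and the `Key ID:` line inside the note are assumptions made for illustration, not the real ransomware’s format; the sample notes and paths are constructed.

```python
"""Count the distinct ransomware keys that actually touch critical systems.

Added example, not Tetra's software. The note filename pattern and the
"Key ID:" line are assumptions for illustration; adjust both to the real
note format observed in an incident before relying on the counts.
"""
import os
import re
from collections import defaultdict

# Assumed ransom-note filename pattern (constructed for this example).
NOTE_NAME = re.compile(r".*-DECRYPT\.txt$", re.IGNORECASE)
# Assumed line inside the note carrying the per-system key identifier.
KEY_LINE = re.compile(r"^\s*Key ID:\s*([A-Za-z0-9+/=]+)\s*$", re.MULTILINE)


def extract_key_id(note_text):
    """Return the key identifier found in a note body, or None if absent."""
    match = KEY_LINE.search(note_text)
    return match.group(1) if match else None


def collect_keys(notes):
    """Group note paths by key id.

    notes: iterable of (path, text) pairs. Files whose name does not look
    like a ransom note, or whose body carries no key id, are ignored.
    Returns {key_id: sorted list of note paths}.
    """
    by_key = defaultdict(set)
    for path, text in notes:
        if not NOTE_NAME.match(os.path.basename(path)):
            continue
        key = extract_key_id(text)
        if key:
            by_key[key].add(path)
    return {key: sorted(paths) for key, paths in by_key.items()}


def keys_for_critical(by_key, critical_roots):
    """Keep only keys with at least one note under a critical root path."""
    roots = tuple(os.path.normpath(root) + os.sep for root in critical_roots)
    needed = {}
    for key, paths in by_key.items():
        hits = [p for p in paths if os.path.normpath(p).startswith(roots)]
        if hits:
            needed[key] = hits
    return needed


def walk_notes(root):
    """Yield (path, text) for every note file under root on a live mount."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not NOTE_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    yield path, fh.read()
            except OSError:
                continue  # unreadable note: skip it and keep scanning


# Constructed sample: two hosts, two distinct keys, one non-note file.
# Only srv-db is marked critical, so only its key needs negotiating.
SAMPLE_NOTES = [
    ("/mnt/srv-db/C/Users/Public/CRAB-DECRYPT.txt", "...\nKey ID: AAA111\n"),
    ("/mnt/srv-db/D/data/CRAB-DECRYPT.txt", "Key ID: AAA111"),
    ("/mnt/ws-01/C/Users/bob/CRAB-DECRYPT.txt", "Key ID: BBB222"),
    ("/mnt/ws-01/C/readme.txt", "Key ID: ZZZ999"),  # not a note: ignored
]


def run_sample():
    """Return (distinct keys seen, sorted keys needed for critical hosts)."""
    by_key = collect_keys(SAMPLE_NOTES)
    needed = keys_for_critical(by_key, ["/mnt/srv-db"])
    return len(by_key), sorted(needed)


if __name__ == "__main__":
    total, needed = run_sample()
    print(f"distinct keys seen: {total}; keys to negotiate: {needed}")
```

On a real engagement you would replace `SAMPLE_NOTES` with `walk_notes("/mnt/<image>")` for each mounted image and pass the client’s critical systems as `critical_roots`; the two-stage split (collect everything, then filter to critical) is deliberate, since the full key inventory is still useful for scoping even when only a subset is negotiated.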