The State of Ransomware Attacks in the IT Services Industry

From cloud backup to consulting to managed detection and response, businesses of all sizes leverage a number of IT services. These services add value to organizations through cost-effective outsourcing, unique operational capabilities, or specialized knowledge. 

An IT service provider’s operations are tightly intertwined with the networks of many businesses simultaneously. Ransomware attacks on IT service providers have the potential to disrupt operations not only for the direct target organization, but for all its downstream customers too. This article looks at the state of ransomware in IT services by focusing on recent attacks and suggested countermeasures to combat this pervasive threat. 

Ransomware: An Increasingly Expensive Problem

More threat actors continue to enter the fray and target organizations with malware that locks their systems and data down via encryption. Access to locked-down assets is not returned until a specified ransom payment is made with cryptocurrency. 

The perception among cybercriminals is that ransomware attacks have a high probability of monetary gain.  Recent statistics back up this perception—the average ransomware payment increased by 82 percent to $570,000 in the first half of 2021.

Ransomware attacks on IT services can be particularly harmful due to their downstream impact. Often, the customers of IT services are small and medium-sized businesses that lack in-house capabilities for business functions and technologies, such as disaster recovery or detection and response. IT services providers regularly have trusted access to customer networks, and hackers increasingly recognize just how lucrative it can be to conduct a successful ransomware attack on these companies. 

Recent Ransomware Attacks on IT Service Providers 

Accenture, August 2021

Accenture provinces a range of IT consulting and services generating billions of dollars in revenue in over 120 countries. In August 2021, news of a ransomware incident affecting Accenture emerged. The company was hit by LockBit ransomware, which can encrypt thousands of files in seconds by exploiting protocols and tools like PowerShell.

A CNBC reporter originally disclosed the attack, which Accenture later confirmed. The multi-billion dollar company downplayed the impact of the ransomware incident, saying, “There was no impact on Accenture’s operations, or on our clients’ systems.” These public statements seem to contradict the threat actors claims that they stole six terabytes of data and compromised 2,500 computers.

Kaseya, July 2021

One of 2021’s biggest ransomware incidents struck the managed IT services sector in July. Kaseya is a vendor providing IT management software for managed services providers (MSPs). Threat actors from the REvil gang exploited security vulnerabilities in Kaseya’s VSA remote monitoring software and released a malicious security patch that infected up to 40,000 computers at over 1,000 companies with ransomware. 

The Kaseya incident was a supply chain attack because it leveraged a vulnerability in the software supply chain to impact many downstream customers of managed service providers. The attack caused such chaos that it resulted in the temporary closure of the Swedish grocery chain Coop’s 550 stores. Coop outsourced some IT services to an MSP, and that MSP was affected by the malicious patch in Kaseya’s VSA software. 

Swiss Cloud, April 2021 

In late April 2021, Swedish cloud hosting provider Swiss Cloud became the victim of a ransomware attack that took down its infrastructure. Up to 6,500 companies were directly impacted by the attack because they depended on Swiss Cloud to host their websites, run applications, or share files. 

The response to the attack was to engage in a swift restoration of the company’s server infrastructure. Statements released in the incident’s aftermath mentioned engaging with HPE and Microsoft to help restore servers from backups. Swiss Cloud’s employees worked around the clock to eventually restore the server infrastructure over the course of a few days. 

Managed.com, November 2020

Managed.com provides managed web hosting solutions for website owners. In a world where eCommerce is a well-established business model, any website outage can directly result in lost revenue for affected businesses. The November 2020 incident was a ransomware attack targeting Managed.com’s public-facing web hosting systems.

Several Managed.com customers had data on their sites locked down by encryption because of the attack. The affected websites were taken offline shortly followed by Managed.com’s entire web hosting infrastructure. The company only disclosed the attack after angry customers contacted them about their websites not being available. REvil was behind this incident, and the group demanded a $500,00 ransom payment.

Cognizant, April 2020

Cognizant is another multi-billion-dollar IT services company that became the victim of a ransomware attackon its internal network in April 2020. The company’s CEO said that the incident impacted internal services meant to facilitate remote work arrangements for Cognizant employees. The internal operational disruption meant that remote workers had to communicate using alternative methods. 

However, Cognizant customers became fearful of the attack spreading to their own networks when Cognizant issued alerts urging clients to block traffic for a list of specific IP addresses. Aside from the costs of cleaning up infected systems and restoring full services, Cognizant faced the significant challenge of maintaining customer trust in the aftermath of the attack. 

Lessons Learned for IT Services

Here are some of the main lessons learned from the attacks on IT services providers in terms of combatting the threat of ransomware. 

Transparency is Important

There was a disturbing lack of transparency in some of the ransomware incidents affecting IT services providers. One possible reason for this is that the nature of IT services is such that companies don’t want to alarm customers and cause a run on their support teams. However, it’s almost always better to be upfront and honest about cybersecurity incidents that directly affect your customers. 

An interesting thread on a popular web hosting forum about the Managed.com incident demonstrated the reputational impact of not showing sufficient transparency. One user wrote that “a certain amount of transparency and letting their customers know a basic game plan would have alleviated some of the anxiety”. Several users in this thread mentioned switching to a different hosting provider due to this lack of transparency and uncertainty over when their websites would be back online. 

The Ripple Effect

When ransomware strikes IT services companies, it has a ripple effect that can hit thousands of customers at once. The ripple effect is the reason that threat actors can demand huge ransoms, such as the $70 million demanded after the Kaseya attack. This ripple effect is also the cause of huge financial losses, such as the $50-70 million anticipated following the Cognizant incident

As the interface and point of connectivity with many customer networks, it’s clear that threat actors see dollar signs when they consider IT services as potential ransomware targets.  

Having A Functional Business Continuity Plan

For the IT service companies that were able to restore operations quickly in the aftermath of a ransomware attack, it’s clear a functional business continuity plan played a key role. This business continuity plan should include the use of data backup and the ability to replicate server infrastructure using images and cloud computing. It’s particularly important for IT services that their infrastructure is not offline for extended periods because the downstream effects tend to hit multiple customers. 

Closing Thoughts

Going forward, IT services companies should expect to be directly targeted by cybercrime groups seeking to cause maximum damage to multiple businesses in one fell swoop and benefit from a large ransom payment.  Learn the lessons from the high-profile incidents above and put in place tools and strategies that protect both your business and your valuable customers. 

Phishing remains a persistent attack vector for threat actors to gain a foothold in a company’s network. Make sure you’re protected against phishing by using advanced email security and simulated phishing attacks. 

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.