Despite GandCrab's apparent retirement this May, strikingly similar attacks have continued to hit businesses and MSPs worldwide. GandCrab is a particularly notorious example of ransomware-as-a-service (RaaS). Although it was officially retired after a one-and-a-half-year run of attacks that began in January 2018, it seems to be back with a ferocious appetite.
Some in the cybersecurity community feel that GandCrab has not been retired and has simply taken on a new face, known variously as Sodinokibi, Sodin or REvil. Setting aside the discussion of attribution and evolution, what is clear is that the Sodinokibi ransomware, with all its similarities, is an up-and-coming threat to MSPs. ESET created its first detection for Win32/Filecoder.Sodinokibi in May.
In a recent survey* by ESET, 61% of MSPs identified ransomware as one of the greatest security challenges they have ever encountered, and for good reason. Sodinokibi ransomware has breached MSP defenses on at least three distinct occasions, each time pushing its malware out to unsuspecting clients. The havoc wreaked by Sodinokibi has been significant, and MSPs are well-advised to take seriously the lessons learned by fellow players in the industry.
In the first case, hackers exploited the Remote Desktop Protocol (RDP) of at least three MSPs to gain access to their remote monitoring and management (RMM) tools. From this vantage point, the attackers were able to uninstall client endpoint protection solutions and push out the Sodinokibi ransomware.
While having a robust backup system in place would normally mitigate the damage from this kind of attack, the second Sodinokibi breach showed otherwise. DDS Safe, a data backup solution that was providing remote backup services to dental offices, was also impacted. Despite the dental offices’ backup to cloud, offline, and in-office locations, Sodinokibi still managed to encrypt the data of connected client systems, leaving customers without access to their backups.
Finally, in the most recently reported MSP breach, Sodinokibi compromised another RMM tool and encrypted client data in 22 different networks in the U.S. state of Texas.
The takeaway in each case is the same. Since Sodinokibi infected clients by hijacking their MSPs’ remote administration dashboards, MSPs need to better enforce two-factor authentication (2FA). 2FA requires a one-time code on top of the usual login credentials to ensure that the user trying to gain access to an RMM dashboard is truly authorized.
Anti-ransomware best practices
In addition to enforcing 2FA policies, review these points to build better defenses for your MSP:
- Use a Direct Endpoint Management Plugin to simplify the security administration functions of your clients’ environments.
- Disable RDP, or change its default port, on machines that do not need this protocol.
- For machines that need RDP running, password protect the security solution that is installed on all endpoints. This will prevent hackers from uninstalling or disabling endpoint protection.
- Use a different password from your RDP login credentials to protect your security solution.
- Implement a backup solution for all critical data, including at least one backup offline.
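To check the RDP items in the list above on a given Windows endpoint, the following read-only audit is an added example, not ESET's code. The function name `Get-RdpExposure` and its `-RdpRequired` switch are hypothetical, and the script assumes the MSP knows which machines actually need RDP.

```powershell
# Added example (not ESET code): read-only RDP exposure audit for one Windows endpoint.
function Get-RdpExposure {
    [CmdletBinding()]
    param(
        # Assumption: the MSP tracks per machine whether RDP is actually needed.
        [switch]$RdpRequired
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $deny    = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $port    = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber
    $enabled = ($deny -eq 0)

    # Confirm whether something is really listening on the configured port.
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

    $findings = @()
    if ($enabled -and -not $RdpRequired) {
        $findings += 'RDP is enabled on a machine that does not need it'
    }
    if ($enabled -and $port -eq 3389) {
        $findings += 'RDP is still on the default port 3389'
    }
    if (-not $enabled -and $listening) {
        $findings += "RDP is disabled in the registry but port $port is still listening"
    }

    # One object per machine, so results can be collected and filtered centrally.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $enabled
        Port         = $port
        Listening    = $listening
        Findings     = $findings
    }
}

# Example run on a machine that is not supposed to expose RDP:
Get-RdpExposure | Format-List
```

Pass `-RdpRequired` on machines where RDP is needed, so that only the default-port finding is raised for them.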
With ransomware being one of the most prevalent threats facing MSPs and their clients, it is a good idea to track these developments and the practices used to mitigate the related issues.
* ESET polled 488 MSP partners in 14 countries during July 2019 via an online questionnaire.