How One MSP Negotiated ‘In The Early Days Of Ransomware’

“After some investigation and seeing what we could do, or decrypt, or get into or, or not… we just told them, ‘At this point, if this is your only copy of all of that stuff, you’ll have no other access to this data unless you pay the ransom,’” the executive at a New Mexico-based MSP tells CRN.


As ransomware attacks seem to be more and more frequent, one MSP, and its customer, got a taste of how bad it could be about eight years ago — before threat actors started to hit larger companies.

Samuel Beck, CIO of Document Technologies, an Albuquerque, New Mexico-based MSP, told CRN his story of how his customer, a court reporting business, was compromised by threat actors.

“Their main server where they kept all of the transcriptions, all of the court reporting transcriptions and all the reporting that they do got crypto locked,” he said. “They weren’t using us for all their managed services at the time. They were just using us for managed print services.”


The company reached out to Document Technologies and explained their problem. They only had one server and no backups.

“After some investigation and seeing what we could do, or decrypt, or get into or, or not… we just told them, ‘At this point, if this is your only copy of all of that stuff, you’ll have no other access to this data unless you pay the ransom,’” Beck told CRN at The Channel Company’s Xchange+ August 2021 conference last week.


Because it was, as Beck put it, “the early days of ransomware,” the hackers only wanted about $1,200 at the time. Beck was able to negotiate, on behalf of the customer, to pay about half of that.

“They released the data, they gave them the decryption key and we got all their data back in time,” he said.

Beck looked at other avenues to take to get a decryptor tool without paying the ransom, but in the end the customer had to pay to access their data.

“It was a really small business and they were struggling with having to pay or just deal with the consequences,” he said.

Today, threat actors who compromise partners in the channel, and their end customers, are demanding millions in ransom payments. In the Kaseya ransomware attack in July, which compromised about 60 MSPs and 1,500 end customers, the REvil gang, those responsible for the attack, had demanded up to $70 million in ransom.

The Russian-based gang demanded $5 million from larger companies, $500,000 from smaller firms with multiple locked file extensions, and $45,000 from smaller companies with locked files from the same extension.

In late July, Kaseya announced that it got its hands on a decryptor tool and did not pay a ransom in the wake of the attack.

“We went through all the scenarios with the customer. How much of this do you have in hardcopy? What do you have as backup? Do you have the recordings? Do you have the transcriptions? What can you do to recreate this data? What does it cost for you to do that?” Beck said. “It came down to just not having the resources. Just not the computer data and backup, but they didn’t have what they would need to reproduce the recordings.”

Their operations didn’t stop, he said, but they were without that data for a month. Fortunately, they’re still a customer of Document Technologies today.

“They then realized that they needed to be backing up their data, and not just depending on the server,” he said. “Adding a backup appliance and cloud backup services to that server was the next obvious choice.”

Other security measures, like putting in a firewall, were also implemented. Conversations like this are happening with the MSP’s other customers as well. Security is also a conversation Beck is having with his vendor.

“As an MSP, we’ve had to focus a lot more on are we secure as well for our customers, because we have inroads to all of our clients,” he said. “At the same time we have to put our clients first, so we are always assessing our security stack to see that we’re best protecting our customers where they sit now.”