Michael Crean. PHOTO: Stellar Cyber.

An MSSP Shares the Latest in Ransomware: What’s Up, and What to Do About It

What are the major trends in ransomware today?

Stephen Salinas, Head of Product Marketing, Stellar Cyber

San Jose, Calif. – Apr. 24, 2024

Everyone has been concerned with ransomware for years now, but the landscape is always changing, so it’s important to stay up on the latest trends. Stephen Salinas, Stellar Cyber head of product marketing, sat down with Michael Crean, founder of MSSP Solutions Granted and now senior vice president of Managed Security Services at SonicWall, to get his perspective.

Stephen Salinas: What are the big trends in ransomware today?

Michael Crean: Our threat research team is seeing that ransomware numbers in North America are declining. I think there are a lot of reasons behind that. First, the community (the target) is getting smarter: they’re getting better with their people and their processes. And the technology out there to help defend against ransomware is becoming much more efficient and faster acting.

But really, I think another reason for the decline is that the threat actors are more exposed now. They’re doing something illegal to get free money out of us. Because of the Colonial Pipeline breach and other large compromises that have taken place, our government, Interpol, and other world governments are either banding together or independently going after some of these threat actors and taking action against them. The bad guys are now on our radar — the hunters have become targets as well.

So as a bad guy, what are you going to do? Well, I don’t want to stop getting the money, so I’ve got to find another way to do it. One of the things we’re seeing is crypto-jacking, the crypto-mining capability. That is absolutely exploding right now, and it’s a hard thing to detect. Think about it: somebody’s gotten a foothold into your system, and they’ve turned your computer into their crypto-mining bot. It’s no longer really about destroying the machine, because the bot isn’t destroying the data. They’re not doing anything that hurts the machine, other than taking valuable resources, and, man, that’s a hard thing to detect. It drives people crazy.

It’s like, “Hey, I know I’ve got that squeak that’s coming out of the back of my car, but, for the life of me, I can’t figure out where it’s coming from. I don’t know why it’s doing it.” You know your machine’s running slow. You know it’s not performing optimally. You know that you’re taking longer to get sites on the internet than it normally takes. And you’re doing all of the normal things.

The first reaction is to turn the machine off and then turn it on again. That’s what we’ve been trained to do, and we’re just trying to find something that works. Over time, we’ve built a better mousetrap to catch hackers, but the mice have gotten smarter. We have to continually evolve with them to make sure that we’re getting ahead of this style of attack. It’s not as devastating as ransomware, but it can certainly be as costly, if not more costly, when you think about the lost productivity that comes with it.

Stephen Salinas: Yeah, it’s an interesting type of attack because, as you say, it’s not stealing data; it’s stealing resources. They’re getting free resources. And especially if you’re using a cloud environment, you might get that bill and think, “Whoa, what happened?” It can be invisible to us. So, how can your company and your services help? Is that something you guys can help detect? How does someone protect themselves against something like that?

Michael Crean: Anytime you have a good MDR service that’s backed with a true, live, hands-on-the keyboard, eyes-on-the glass SOC, they’ve got threat hunters and they’re looking for suspicious or malicious behaviors, looking for those processes that are spinning up that are really unexplainable. They think “Why is this process starting?” And even when we’re looking for it, what we’re seeing is that they’re doing it really creatively, and they’re doing it during the off hours. If you want to rob somebody’s house, do you do it in the middle of the day when they’re home? No, you do it when they’ve gone out, or they’ve put it on social media: “Hey, I’m going to Japan for a week.”

As businesses, we constantly advertise those downtimes to everyone: “Our business hours are….” but they’re not shutting their computers down when they’re not around. So, we look for additional processes that are taking place in the off hours, looking for system resources that are doing things when, in reality, that should be the lowest time of use. If you’re monitoring the firewall with a SOC and looking for bandwidth utilization that’s taking place, and you’re getting those logs, and you’re seeing this spike in bandwidth that’s happening in the middle of the night when nobody is there, those are really great indicators that there is something going on, that this compromise is starting to happen. And you need to take a look — you need to investigate it and get into it a little bit thicker.

Stephen Salinas: Yeah, that makes total sense. Something else we’re seeing right now, especially with economic uncertainty and organizations looking where they might be able to reallocate budgets, is that a lot of security teams and security leaders are thinking, “Maybe now’s the time I should look at outsourcing some or all of my security services.” What tips or recommendations would you give someone in that position right now?

Michael Crean: First of all — and we’ve known this for a while — it isn’t just now; we’ve seen the job shortages for years. There just aren’t enough people to fill all the cybersecurity jobs out there. And even when you do get this great and amazing talent that you can afford, some behemoth of a company comes in and doubles their salary and steals them away, because they’re looking for those same resources that everybody else is looking for. So, what do you do?

There are a couple paths to the top of the mountain here:

One solution is to build out your security team. It’s super-expensive, it takes a long time, and it’s highly volatile. Because if these people are great, somebody’s probably going to be able to pay them more than you’re willing to pay them. So, the “build it way” may not be the right way. You could also go buy a pre-existing security team.

But I think the better way of doing this is partnering with somebody. Finding an MSSP, a master managed security services provider, somebody who’s got enough resources so that, one, they might partner with you the way we partner, with a cost per seat per month, no annual commitments and no minimums. MSSPs should try to make it easy on the buyer.

Just remember that when you’re outsourcing, though, you can’t absolve yourself of your responsibilities. You can’t say, “Okay, I’ve partnered with somebody and now, it’s all on them.” Because you still have a responsibility. This is a team effort, and you still have to do all the necessary things. You’ve still got to do patch management. You’ve still got to make sure you’re taking admin rights to the machine away from users and customers. You’ve got to make sure that you’re using MFA. You’ve also got to make sure that you’ve enabled conditional access.

If you’re going to partner, make sure you’re a part of the team, part of the success. All of the things that you needed to do in those functional pieces to harden your security still need to be done. And if you do them, it will actually make the MSSP or the SOC’s job a lot easier because you’ll be getting rid of some of the noise that’s taking place — instead of having to go through 800 pounds of stuff, maybe your partner only has to go through 600 pounds of stuff. If so, you can get to the really important thing that’s happening and act on it a little quicker.

Stephen Salinas: Congratulations on being acquired by SonicWall. I think a lot of folks watching this might also want to understand what that means for your organization. What do you see coming down the road, and how this can benefit your customers or prospective customers?

Michael Crean: Sure. First and foremost, I want to thank my channel. The journey that we came to in November of last year wasn’t possible without them. Without you, and your trust, your faith, and the love that you showed for Solutions Granted, we would never have gotten here. I think most owners and founders are looking for that exit, whatever it may look like. And we all hope it’s the light at the end of the tunnel that has this great, wonderful moment, and not the train running us over. For us, it really was. We’re coming up on five months since the acquisition took place.

I wanted to have something that I could be proud of, something I could continue to build. But, also, I wanted something that I could be in charge of. I wanted to effect change, and on a larger scale. We were supporting a little over 1,000 MSPs at the time of this acquisition — well north of a quarter of a million devices out there that we were monitoring, or managing, or maintaining, and keeping that ever-watchful eye on, and helping our partners’ clients sleep safe at night. Under the SonicWall name, we went from a little over 1,000 to 17,000 partners overnight, and we went from a North America-based organization to a global organization.

SonicWall has given me the ability to continue to be creative, but I no longer have to think about HR issues like payroll, or taxes. So, I get all of the best parts of being in charge of something, but not being in charge of everything, and having a much bigger team supporting us.

In the last four months, we’ve gotten a SentinelOne MDR offering. We’ve gotten a Windows Defender MDR offering. And we’ve gotten the SonicWall Capture Client MDR offering. And we’re still continuing to do everything with a cost-per-seat-per-month with no annual commitments and no minimums — that’s not changing; we’re doing that globally now. We’re continuing to support our partners and meet them on their journey wherever they are. We’re SonicWall, and we have firewalls and networking equipment. But we are going to continue to do our SOC services around Bordernet, and Check Point, and Palo Alto, and WatchGuard, and Cisco, and Meraki and pfSense. There are lots of others that I’m probably not mentioning, but the list is long; no disrespect to anybody, but I’m probably forgetting somebody I probably wished I hadn’t.

So, we’re not done. It’ll be really interesting to see what we announce here in the next 30 to 60 days as to what our next MDR offering is going to look like, and how we’re going to continue to have this open ecosystem. We’re also actively building out our security operations center in EMEA. We’ve got all of these amazing partners over there, but they want their data to stay there. They want that data governance. They want that data residency. They want all of the things that they should have over there. So, we’ve hired our European SOC leader, and we’re in the process of hiring out a new team. It doesn’t mean that we’re going to be sending anything away from North America, because we’re going to continue to staff and stay here 24/7/365. But for the same reasons that our North American partners want us to be here, the European partners want us to be there.

And never in my wildest dreams, as the CEO and founder of Solutions Granted, did I think I’d have enough money, time, resources, and enough help to be able to start going global like this so quickly.  We’re targeting 1 July to have our EMEA SOC live and operational. So, we’re working hard. I’ve said that the SonicWall board and CEO have given me all the rope in the world that I need to hang myself, and they haven’t put any handcuffs on me. So, I better do it right, and keep servicing this community, and helping those that really need the help.

Stephen Salinas: Wow, that sounds really exciting. Sounds like you can really focus on improving the services and expanding what you can offer. That’s awesome. If anyone wants to learn more about what’s going on at SonicWall now, where should they go? And where can they find you guys?

Michael Crean: You can go to www.sonicwall.com; it’s a great place to start. The Solutions Granted website is still up, so you can go to www.solutionsgranted.com. Send us an email, hit us up on Teams. Our phone numbers still exist; they’re all still ringing in. Our Solutions Granted emails still work. Those migrations are taking place, but none of it is going away anytime soon. Or you can meet us on the road.

Stephen Salinas: Well, Michael, thanks for your time today. It’s been a great little discussion here. If anyone has any questions about Stellar Cyber, please reach out to us. You can visit us on our website, request a demo, or request a meeting with some of our security experts to see how we might be able to help you in your security journey. With that, we’ll sign off today. Again, thanks for your time, Michael, and have a great day everyone.

– Stephen Salinas is the head of product marketing at Stellar Cyber.

About Stellar Cyber

Stellar Cyber’s Open XDR Platform delivers comprehensive, unified security without complexity, empowering lean security teams of any skill level to secure their environments successfully. With Stellar Cyber, organizations reduce risk with early and precise identification and remediation of threats while slashing costs, retaining investments in existing tools, and improving analyst productivity, delivering an 8X improvement in MTTD and a 20X improvement in MTTR. The company is based in Silicon Valley. For more information, visit https://stellarcyber.ai.