The ransomware threat landscape has evolved significantly, with variants like Medusa emerging as sophisticated ransomware-as-a-service (RaaS) threats. These threats have impacted over 300 victims globally across sectors such as healthcare, education, and technology. This evolving landscape underscores the urgent need for organizations to rigorously evaluate their cybersecurity strategies and ensure accountability in their selection of managed service providers (MSPs).
Medusa Ransomware: A Growing Threat
The FBI and CISA's joint advisory on Medusa ransomware provides critical insights into the tactics, techniques, and procedures (TTPs) employed by this threat. Medusa utilizes a double extortion model, encrypting data and threatening to release it publicly if ransoms are not paid. This advisory highlights the importance of implementing multi-factor authentication (MFA) for webmail services and VPNs, as these are common entry points for ransomware attacks. The use of MFA can significantly reduce the risk of unauthorized access.
Medusa actors are known to exploit unpatched software vulnerabilities and use phishing campaigns to gain initial access. Once inside a network, they employ advanced techniques such as living off the land (LOTL) tactics, leveraging legitimate tools like PowerShell and remote access software to move laterally and avoid detection.
The LanTech Case: A Cautionary Tale
In February 2023, Mastagni Holstedt, A.P.C., a prominent Sacramento law firm, suffered a ransomware attack by the Black Basta group, resulting in the loss of access to its network. While this case involved Black Basta, it serves as a cautionary tale for any organization facing ransomware threats, including those posed by groups like Medusa. The firm filed a lawsuit against its MSP, LanTech LLC, seeking over $1 million in damages. The lawsuit alleges that LanTech failed to provide adequate cybersecurity protections, which led to the firm's data being encrypted and its cloud-based backups deleted. This case highlights the potential legal and financial consequences when service providers fail to meet their cybersecurity obligations.
Key Considerations for MSAs and SOWs
To hold service providers accountable and mitigate risks associated with cybersecurity failures, organizations should focus on several key elements when drafting contracts:
- Detailed Security Responsibilities: Contracts should clearly outline the provider's responsibilities in maintaining cybersecurity, including specific tasks such as regular software updates, patch management, and network monitoring. This clarity ensures that both parties understand their obligations and can be held accountable for any lapses.
- Performance Standards and SLAs: Establish specific performance standards and Service Level Agreements (SLAs) that define acceptable levels of service and response times for security incidents. These metrics provide a basis for evaluating performance and enforcing accountability.
- Incident Response and Reporting Protocols: Include detailed protocols for incident response, including timelines for notification and reporting of security breaches. This ensures that organizations can respond swiftly to minimize damage and comply with regulatory requirements.
- Regular Security Audits and Assessments: Require regular security audits and assessments, with findings reported to the organization. This proactive approach helps identify vulnerabilities and ensures continuous improvement in security measures.
- Indemnification and Liability Clauses: Clearly define indemnification and liability clauses to protect the organization from financial losses due to negligence. These clauses should specify the circumstances under which parties are liable for damages and any caps on liability.
- Data Protection and Backup Responsibilities: Explicitly state responsibilities regarding data protection and backup, including encryption, regular backups, and testing of backup restoration processes. This ensures that data can be recovered in the event of a ransomware attack.
- Termination and Exit Strategy: Define conditions under which the contract can be terminated, including failure to meet security obligations. An exit strategy should also be included to ensure a smooth transition to another provider if necessary.
Lessons from the LanTech Case
The LanTech case illustrates the pitfalls of not having a written contract. An oral agreement lacks the specificity needed to clearly define roles, responsibilities, and liabilities. This ambiguity complicates legal proceedings and makes it challenging to hold parties accountable. Moreover, the case highlights the importance of advising clients on best practices, such as implementing multi-factor authentication and maintaining offline backups. The failure to recommend or implement these measures contributed to the severity of the ransomware attack on Mastagni.
Conclusion
The Medusa ransomware threat and the LanTech case highlight the critical importance of basic cybersecurity hygiene and ensuring service providers are accountable for implementing the cybersecurity measures for which they are contracted. By incorporating comprehensive and enforceable terms in MSAs and SOWs, organizations can better protect themselves from the financial and reputational damage associated with ransomware attacks.
As cyber threats continue to evolve, businesses must remain vigilant and proactive in their approach to cybersecurity, ensuring that their service providers are true partners in safeguarding their digital assets. The time to act is now, before the next ransomware threat strikes.
For assistance in drafting and reviewing your MSP contracts, contact the Cybersecurity and Data Privacy Practice Group at cyber@bipc.com.