Possible Hostile Takeover - MSP Client

Looking for a little advice here.

I have a client that definitely wants to sign up with us as their MSP as the current MSP has mistreated them and quite frankly from the looks of things, did a piss poor job. (Have been working on trying to get this client for almost a year now)

I have given this client a checklist of things to ask of their current provider (usernames, passwords, configurations, etc) to which the current provider is not playing ball. My fear here after reviewing the network and the hodgepodge of things I Have found so far (Edge Router Lite, ProSafe Managed jgs524e switch, Panasonic Hybrid PBX TDA 50, Random Ubiquiti AP, and Synology 2 bay NAS) No info on usernames, passwords, IP addresses, none of the NOC (if you can call it that) is labeled etc, no VLANS info if it exists, etc, etc etc to ANYTHING at all. So my initial thought is this will have to be a hostile takeover.

That said, this would be my first hostile takeover if they don’t play ball. I’m guessing I should at least do a Rip and Replace or reset of the critical network devices (Router, Switch, etc), however, I worry about any special configs they had like VOIP VLANS etc etc.

I think I should approach the customer as such; “Your IT provider gave us zero info. In that case, I recommend replacing things that we don’t have info on or factory resetting these devices. It may cause some downtime for short periods of time as we work around it.” And just bill them by the hour until we get it set back up correctly with the correct documentation, and then move in for the MSP monthly pricing? Or should I do the hourly rate on the rip/replace/reset while having the nodes on the MSP at the same time? Is this even the correct way to handle this?

Thoughts? @LTS_Tom

Thanks in advance.

I would imagine the relationship is with your client not their customer, if you frame responses as above it WILL be your fault! Quote for the worst possible scenario, however, it sounds like the client wants you to resolve their issues and doesn’t want to know about your problems.

Oh boy good luck with that !

When we do hostile take overs it’s all billable and part of the on boarding process. We treat the ongoing MSP billing as a separate bill from the project.

When we look at onboarding a new client we scope it out and plan for any necessary “remediation”. If the required remediation is out outside our control aka no username/password this is outside the scope of the contract and is billable. If the remediation is simply us being picky depending on the effort we will absorb the cost.

That being said depending on the client’s location there are legal avenues the client may be able to take. In most places in the US it is illegal for a MSP to hold client information/data hostage, though there maybe some mitigating circumstances such as an outstanding balance from unpaid invoices.

Tom, Thanks for your insight. Do you have a video or plan on making one for take overs hostile or not?

I don’t think I have any on boarding videos, maybe one day.

Use some pen test tools to do discover what the previous vendor won’t tell you. Could at least reset passwords then go from there. Just a thought.

Don’t understand the thinking of some MSPs, gives the whole industry a bad rep. Our very own swamp.

MSP 360 has a free template for on boarding here https://www.msp360.com/download/whitepapers/msp-client-onboarding-form.pdf

I would recommend that the possible new client review the contract that is currently in place. Have them send a certified letter (with delivery notification) requesting the information. Have them follow it up with an email doing the same. If the information is not given then it can be a legal matter.

That said if you do have to do this as a hostile takeover then make sure you map out the network as best you can. Use some network mapping tools in fact use 2 different ones to make sure you have as much data as you can. If they are Office 365 customers make sure you remove them as the partner of record and update any users that have billing or admin access. Actually have everyone change their password.

Find out what MSP platform or other tools (Remote Access, AV, etc…) they are using. Make sure that you can remove their software without passwords or keys.

Remember that documentation is king. Make sure that every step you take is well documented.

Try not to suggesting getting lawyers involved, the letter is a good though. Work around the other guys is the best way to go and demonstrates to the client that your company has the skills needed to keep them [the client} up and running.

Apologies to kind of be off-topic here but does this type of thing happen frequently?

Update:

This has now become a pseudo hostile take over. With my coaching, my new client got “some” of the usernames/passwords. However, they were all user level. Zero admin based usernames/passwords, zero network maps or configs.

I dropped my Kali Pi off in the network and I was able to do a full mapping. I was able to see their password schema with the info they gave and brute force my way into about 1/2 of the network devices remotely. (Yes, I charged a lot for that)

With that full mapping, I found a lot of interesting things. I will say that this is a well known local IT company and they are severely lacking and a lot, to be kind. Weak password policies, IIS running on workstations for no good reason. A managed switch that appears to be a dumb switch (no need for VLANS since their phone system is not IP based) and none of the WiFi is VLAN based either. To further note, their DVR is port forwarded in (it’s old as dirt). Furthermore, the last company hosts their email (not web domain, just a DNS MX record pointing to their own servers etc) and every password for every account except for 1 is the same, and weak.

So far, I think we will keep the Edge router lite (Even though the DHCP Lease list doesn’t show half of what I discovered with the Kali Pi) and work them into upgrading that later. Since the switch looks to be a dumb switch or in dumb switch mode (have to investigate further on-site) we will keep that for now. The Synology NAS needs an onsite admin reset for they gave us only user-level access info, not admin.

The next phase is to go through every endpoint and make sure all of their stuff is removed, passwords changed, our tooling installed, etc.

Thanks to all of you for your advice! I Have documented this process carefully so we will be prepared to take over another one just like this and probably from the same IT company I bet.

This is our first hostile take over, but I don’t think it will be our last. What I Have learned is that you have to handle this very carefully so the outgoing IT company doesn’t get suspicious or malicious. My client got me some info, albeit not the best info. But armed with what I did have made it easier than having nothing at all. If I had nothing at all to go off of, I’d wager a rip and replace of every network device (router, switch, NAS, etc) - As long as the client would know and understand that unavoidable downtime would be imminent because of that. I’d try to minimize said downtime by working at night or on the weekends etc, but some downtime will almost always occur because you can not see any configs the last provider setup. Documentation of the expected downtime is needed.

Good work making a bad situation tolerable for your client.