Ransomware is bad enough, but ransomware infecting your precious remote monitoring and management (RMM) platform is a true nightmare. But that’s the battle managed services providers (MSPs) are increasingly fighting, according to Toronto data protection firm Asigra.
The company recently issued a stern warning to partners and customers that RMM platforms with integrated backup were at significant risk of being infected by ransomware.
“In many technology segments, the centralization of computing processes provides great value. However, tight integration of RMM and data protection is an area where extreme caution is warranted when it comes to backup/recovery design,” Eran Farajun, Asigra’s executive vice-president, said in the statement. “The density of high-value data in many RMM environments is too alluring for criminal hackers to avoid, making it incumbent upon the MSP to architect a bulletproof data recovery model. For the strongest protection, services professionals are advised to disentangle RMM and backup to ensure system recoverability.”
This is easier said than done, according to Marc Staimer, principal analyst for DragonSlayer Consulting, who said he’s been writing about the vulnerabilities since last October. Two MSPs that had been hit by ransomware after it detonated in their backups contacted him last year; neither was from Canada, he confirmed.
The cost savings associated with merging backups with RMM are too high for most MSPs to ignore, and until now, the risks weren’t very obvious. But ransomware has evolved since 2018, and what was once just a consumer threat has now morphed into a business-hunting virus.
Security firm Malwarebytes’s 2019 report on ransomware says that between Q2 2018 and Q2 2019, the number of ransomware detections in business environments rose by 365 per cent, while consumer detections declined.
“It’s the machine-equivalent of the coronavirus,” said Staimer. “And I’m in no way suggesting that MSPs shouldn’t use RMM because RMM is a huge time saver, a people saver and a cost saver. But what I am suggesting is don’t necessarily run your data protection integrated with your RMM. If they’re decoupled, it’s another step that a cybercriminal has to take to be able to neuter your defence against ransomware.”
But it doesn’t take much for ransomware to worm its way into RMM.
As an example, Staimer explained, the hacker may send an urgent text or email that’s signed by a manager or company executive. The message contains a link that downloads the ransomware or malware. Then voila, once the RMM platform is compromised, so is the integrated backup, and now the entire MSP client base is under dire threat.
And according to Staimer, it doesn’t matter if you’re backing up through the cloud or on-premises – cybercriminals want that cash, so expect the situation to get worse for MSPs. But he said there is plenty MSPs can do to minimize exposure to these threats. Topping the list of suggestions is employee training around the risks. Second, consider installing anti-ransomware solutions that can sniff out ransomware that’s lying dormant in backups, and lastly, pick up the phone every once in a while to confirm that it was indeed Joe the Manager who emailed you that urgent message.