RMM platforms with integrated backup will be an ongoing attack vector for ransomware in 2020, warns Asigra
- Published: Friday, 21 February 2020 08:32
Asigra Inc. has released a bulletin to the company's global network of managed service providers warning of the growing ransomware threat to remote monitoring and management (RMM) platforms, as an incessant stream of insidious malware variants puts solution provider and end-customer applications and data at significant risk.
RMM software helps managed IT service providers (MSPs) remotely and proactively monitor client endpoints, networks and computers. It was historically called remote IT management. Deploying RMM requires an agent installed on client servers, hypervisors, workstations, networking devices, laptops, and other mobile endpoints. The RMM issues tickets or alerts to the MSP when it detects a problem, classifying them based on severity, problem type and criticality, which has driven its widespread use by MSPs globally.
However, when MSPs are utilizing their RMM platform with tightly integrated backup solutions, there is a single access point to dozens, hundreds, or even thousands of organizations. Since the RMM platform is based on agents that are pushed out, the ransomware can potentially push out its malicious code to each of the MSP clients while neutering the backups. This makes MSPs a very lucrative target.
"Once RMM administrative privileges are compromised by a criminal hacker using tried, true, and very effective methodologies such as phishing, website hijacking or malicious advertising," says Marc Staimer, Principal Analyst for DragonSlayer Consulting. "The criminal party identifies the MSP employee targets and begins to attack."
As an example, the hacker may send an urgent email or text that appears to come from the target's direct manager or a company executive. The email or text likely contains a link that downloads the ransomware or malware, or an attachment that’s infected with it. The email may imitate a routine alert email of the kind the same RMM program, or another program, sends all the time. Once the RMM platform is compromised, so is the integrated backup. Now the entire MSP client base is under threat.
Mitigating ransomware's threat to RMM
Protecting the MSP's RMM platform against ransomware is a simple three-step process. First, train all employees to be aware of targeted phishing attacks, as this is the number one channel by which ransomware enters the network. Next, separate the data protection infrastructure/solutions from the RMM platform and avoid integrated solutions. This will make the data protection infrastructure more difficult to compromise. Finally, utilize a backup solution that prevents ransomware or any malware from ever deleting the backup. Also make sure the backup software prevents a ransomware or malware infection by scanning both the backup and recovery streams.