Ransomware has made the headlines once again, this time setting its sights on managed service providers (MSPs) by accessing and disabling backup and disaster recovery (BDR) appliances. Typically, the ransomware spreads from the MSP’s systems to the end-customer networks, and once an attempt is made to restore the data, the service provider usually discovers that the BDR systems were disabled anywhere from days to weeks before the actual execution of the ransomware attack. Because this form of ransomware runs silently in the background during the encryption phase and can even disable antivirus programs, there are no telltale indicators of an infection. And even with successful mirroring (essentially a backup of the backup) assisting with longer-term backups, the recovered data could still be somewhat dated.
A leading IT solutions MSP was recently the victim of MSP-targeted ransomware, GlobeImposter: all of its backup systems were disabled and the GlobeImposter ransomware spread across customer servers and networks, encrypting everything in its path. Other MSP-targeted ransomware attacks in recent months include multiple organizations paying a combined $640 000 in bitcoin to hackers over a period of two weeks, and an MSP paying more than $150 000 to recover data yet only being able to recover 30% of the end-user systems impacted by the attack. To underscore the severity of this threat, both the FBI and the Department of Homeland Security have warned MSPs and their technology platform providers to increase awareness of these threats.
Ransomware such as GlobeImposter can be distributed in various ways: it can be camouflaged in a bundle with free software downloaded online, disguised in an email, or installed by websites that exploit software vulnerabilities. The harsh reality is that users who choose to pay the ransom may often find that their data is either not returned, or returned but still sold on the black market, or that they become targets of future ransomware attacks.
To avoid a crisis of credibility, MSPs globally must be vigilant and increase their resilience to MSP-targeted ransomware attacks, so as to mitigate the effects more effectively or avoid them altogether. Below we detail four approaches to avoid or mitigate the risk of MSP-targeted ransomware.
- Recovery Point Objective (RPO) and retention – RPO is the frequency at which backups are created, e.g., daily, weekly or monthly, whereas retention refers to the length of time an organization requires copies of its data to be stored. To provide optimum protection against the consequences of a ransomware attack, you should ideally opt for a shorter RPO and an extended retention period: the shorter RPO limits how much work is lost back to the last restore point, and the longer retention keeps restore points that predate the silent disabling of the BDR systems available for recovery.
- Employee awareness – some of the breaches did involve software vulnerabilities, but just as often they involved compromised login credentials. MSPs should therefore (1) invest in creating employee awareness of the consequences of compromised credentials and (2) make two-factor authentication mandatory across internal as well as customer systems.
- Backup of the backup – for the super-cautious who immediately thought that SIM-card jacking can compromise the effectiveness of 2FA, continuous replication can provide stronger RPO guarantees, as the target system holds a mirrored image of the source.
- Choose a reputable MSP – a reputable MSP should have the relevant industry knowledge, experience, IT expertise and technical certification to best protect your data assets.
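As an added illustration, not part of the original article, the following Python models the scenario described in the opening paragraph and the RPO/retention point above: a daily backup schedule that goes silent two weeks before encryption, a check that flags the missed backup slots (the alert a defender would want from BDR monitoring), and the restore point that is still usable under a given retention period. All dates, the RPO and the retention values are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): a BDR appliance that took one
# backup per day (RPO = 24 h) until it was silently disabled after 10 January,
# with the ransomware encrypting the network two weeks later.
RPO = timedelta(hours=24)
RETENTION = timedelta(days=30)
OBSERVED_BACKUPS = [datetime(2019, 1, day, 2, 0) for day in range(1, 11)]
ENCRYPTED_AT = datetime(2019, 1, 24, 3, 15)


def missed_backups(observed, now, rpo, grace=timedelta(hours=2)):
    """Expected backup slots between the last seen backup and `now` that never
    arrived. A silently disabled appliance shows up here as a growing run of
    misses well before the encryption phase, which is the signal to alert on."""
    due = max(observed) + rpo
    missed = []
    while due + grace <= now:
        missed.append(due)
        due += rpo
    return missed


def latest_clean_restore_point(observed, encrypted_at, retention, now):
    """Most recent backup that predates the encryption and is still retained."""
    candidates = [t for t in observed if t < encrypted_at and now - t <= retention]
    return max(candidates) if candidates else None


def data_loss_window(observed, encrypted_at, retention, now):
    """Time between the usable restore point and the encryption, i.e. how dated
    the recovered data will be; None means every clean backup has expired."""
    restore_point = latest_clean_restore_point(observed, encrypted_at, retention, now)
    return None if restore_point is None else encrypted_at - restore_point


if __name__ == "__main__":
    misses = missed_backups(OBSERVED_BACKUPS, ENCRYPTED_AT, RPO)
    print(f"{len(misses)} daily backups missed before encryption; first gap at {misses[0]}")
    print("usable restore point:", latest_clean_restore_point(OBSERVED_BACKUPS, ENCRYPTED_AT, RETENTION, ENCRYPTED_AT))
    print("data loss window:", data_loss_window(OBSERVED_BACKUPS, ENCRYPTED_AT, RETENTION, ENCRYPTED_AT))
    # If recovery is only attempted on 15 February, a 30-day retention has already
    # aged out the last clean backup, while a 60-day retention still keeps it.
    late = datetime(2019, 2, 15)
    print("restore point, 30-day retention:", latest_clean_restore_point(OBSERVED_BACKUPS, ENCRYPTED_AT, RETENTION, late))
    print("restore point, 60-day retention:", latest_clean_restore_point(OBSERVED_BACKUPS, ENCRYPTED_AT, timedelta(days=60), late))
```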
Thousands of North American companies can attest that we manage data securely and IT cost-effectively. CloudOak’s business continuity and disaster recovery solutions are ransomware-immune, offering simplified backup and recovery combined with world-class technical support.