RMM platforms with integrated backup will be ongoing attack vector for ransomware in 2020: Asigra

Mission critical MSP and customer data in RMM environments at high risk

TORONTO – February 19, 2020 – Leading cloud backup, recovery and restore software provider Asigra Inc., today released a bulletin to the company’s global network of managed service providers warning of the growing ransomware threat to remote monitoring and management (RMM) platforms as an incessant stream of insidious malware variants put solution provider and end-customer applications and data at significant risk.

RMM software helps managed IT service providers (MSPs) remotely and proactively monitor client endpoints, networks and computers. It was historically called remote IT management. Deploying RMM requires an agent installed on client servers, hypervisors, workstations, networking devices, laptops, and other mobile endpoints. When the RMM detects a problem, it issues tickets or alerts to the MSP and classifies them by severity, problem type and criticality, which has driven its widespread use by MSPs globally.

However, when MSPs are utilizing their RMM platform with tightly integrated backup solutions, there is a single access point to dozens, hundreds, or even thousands of organizations. Since the RMM platform is based on agents that are pushed out, the ransomware can potentially push out its malicious code to each of the MSP clients while neutering the backups. This makes MSPs a very lucrative target.

“Once RMM administrative privileges are compromised by a criminal hacker using tried, true, and very effective methodologies such as phishing, website hijacking or malicious advertising,” says Marc Staimer, Principal Analyst for DragonSlayer Consulting. “The criminal party identifies the MSP employee targets and begins to attack.”

As an example, the hacker may send an urgent email or text that appears to come from the target's direct manager or a company executive. The email or text likely contains a link that downloads the ransomware or malware, or an attachment that's infected with it. The email may emulate an alert email from the same RMM program or another that occurs all the time. Once the RMM platform is compromised, so is the integrated backup. Now the entire MSP client base is under dire threat.

Mitigating Ransomware’s Threat to RMM

Protecting the MSP's RMM platform against ransomware is a simple three-step process. First, train all employees to be aware of targeted phishing attacks, as this is the number one channel by which ransomware enters the network. Next, separate the data protection infrastructure/solutions from the RMM platform and avoid integrated solutions. This will make the backup infrastructure more difficult to compromise. Finally, utilize a backup solution that prevents ransomware or any malware from ever deleting the backup. Also make sure the backup software prevents a ransomware or malware infection by scanning both the backup and recovery streams.

“In many technology segments the centralization of computing processes provides great value. However, tight integration of RMM and data protection is an area where extreme caution is warranted when it comes to backup/recovery design,” said Eran Farajun, Executive Vice President. “The density of high value data in many RMM environments is too alluring for criminal hackers to avoid, making it incumbent upon the MSP to architect a bulletproof data recovery model. For the strongest protection, services professionals are advised to disentangle RMM and backup to ensure system recoverability.”

For more information about the threat of ransomware attacks to RMM systems and how to defend against these threats, visit: https://www.asigra.com/blog/part-1-how-rmm-has-become-latest-ransomware-attack-vector-compromises-backup-defenses.

