RMM Becomes Ransomware Attack Vector, Putting MSPs on Alert

Cybercriminals want to eliminate the ability of backups to stop their attack. RMMs with integrated backups have become incredibly attractive targets.

According to the FBI’s Internet Crime Complaint Center, the ransom amounts demanded in ransomware attacks — and paid — is on the rise, with the average ransom in 2019 growing more than six-fold from 2015. Attackers are more selective and going after companies that are likely to pay. The losses measured by the FBI do not include business wages, files, third-party remediation.[1]

Ransomware is insidious. It is constantly evolving with new criminal code appearing literally every 18 seconds. That’s 4,800 new ransomware variants every single day or more than 1.75 million per year. This is a multi-billion dollar U.S. business. It is organized criminally and frequently state-sponsored. The profits for cybercriminals are compelling.

Authorities continue to advise the best response to a ransomware attack is a good backup and not to pay the ransom. It’s good advice that is frequently ignored. The cybercriminals’ price their ransom to make it attractive to pay the nuisance cost versus the time and cost required to recover. Unfortunately, there are consequences for paying the ransom.

  • The cybercriminal may or may not decrypt all of the data. It’s more likely that they will return access to a large percentage of the data, just not all of it. They will then demand an additional ransom for the rest of the data.
  • The cybercriminals now know that the organization is now a known “payer.” They will kidnap the data again or make it known to associates so they can kidnap the data again, many times over.

The cybercriminals also know the best way to force a ransom and ensure their revenue stream is to make the backups disappear or become ineffective. The best way to make them disappear is by deleting the backups via stolen credentials or via the data protection software published API. Should that fail they will use a Trojan Horse strategy of infect and wait to detonate. This enables the data protection software to back up the infections. When the ransomware finally detonates, recovering from the backups re-infects and re-encrypts the primary data. This is known as an “Attack-Loop.”

What does this have to do with remote monitoring and management (RMM)? That requires a brief explanation of what RMM is, what it does, and how ransomware is exploiting it.

RMM software helps managed IT service providers (MSPs) remotely and proactively monitor client endpoints, networks and computers. It was historically called remote IT management. Deploying RMM requires an agent installed on client servers, hypervisors, workstations, networking devices, laptops, and other mobile endpoints. The agents continuously report device health information and status back to the MSP providing client insights. For the MSP, it keeps client on-prem machines up-to-date while proactively dealing with problems and issues, often before the client is aware there is one. The RMM issues tickets or alerts to the MSP when it detects a problem classifying them based on severity, problem type, criticality, etc. This is why RMM has become so popular among MSPs.

The main purpose and tasks of RMM have been in summary:

  • Monitor the ongoing health and performance of the MSP client’s software, server machines (physical/virtual), hypervisors, and networks;
  • Keep track historically;
  • Initiate alerts and tickets when problems are detected;
  • Provide MSPs with actionable information on SLAs, problems, root cause analysis, and paths to correct;
  • Monitor all MSP clients and endpoints simultaneously, and
  • Automate scheduled maintenance tasks.

RMMs appear to be an extremely helpful tool for MSPs. And RMMs have not stopped evolving. Many have tightly integrated backup software so that the MSP can provide backup as a service (BaaS) and DR as a service (DRaaS) as part of their software platform. Several RMM vendors purchased backup software to specifically integrate with their RMMs. Single sign-in and more services in a single UI. All good for the MSP? Maybe not. This is where ransomware has come into the picture. Remember, the cybercriminals want to eliminate or at least mitigate the ability of the backups to stop their attack. RMMs with integrated backups have become incredibly attractive to their potential revenues. Here’s why.

RMM Attack Vector

There is an old story about the bank robber “Slick” Willie Sutton. He was asked why he robbed banks. His straightforward response: “It’s where the money is.”  MSP RMMs have access to all of their customers. Ultimately, it’s where the valuable data is. When those customers are utilizing the RMM with tightly integrated backups, there is a single access point to dozens, hundreds, or even thousands of organizations. Since the RMM is based on agents that are pushed out, the ransomware can potentially push out its malicious code to each of the MSP clients while neutering the backups. This makes MSPs a very lucrative target.

The way RMM administrative privileges are compromised is tried, true, and very effective. They take advantage of the way people are wired and play off of their emotions. It starts with targeted spear phishing. The cybercriminals identify the correct person and to whom they report. Then they start phishing. It could be an urgent email or text that appears to come from their direct manager or company executive. The email or text likely contains a link that downloads the ransomware or malware, or an attachment that’s infected with it. The email may emulate an alert email from the same RMM program or another that occurs all the time. The targeted person in both cases will likely not check to see if the email or text is what it is supposed to be and clicks on the link or attachment. When nothing happens, they go about their daily tasks and don’t think any more about it. Of course, they’ve just been compromised.

Websites are another avenue of stealing administrative privileges. These malicious websites’ sole purpose is to draw the target in to click on a malicious link. The cybercriminals may hijack a legitimate website to accomplish this. Malicious advertising is another pernicious avenue in targeted phishing as is social media and mobile apps.  Mobile apps that are actually a front for malicious software will transfer the malware the next time the mobile device connects to a personal computer.

Make no mistake, once the RMM is compromised, so is the integrated backup. Now the entire MSP client base is under dire threat.  A threat so powerful it can cause the MSP to go out of business.

How to Mitigate the RMM Risk

First and foremost, train all employees to be aware of targeted phishing attacks. Regrettably, there is no patch for human carelessness or stupidity. Next, do not have the data protection or backup software tightly integrated with the RMM. Make the cybercriminals work harder to compromise the MSP organization and its clients. Finally, utilize backup software that prevents ransomware or any malware from ever deleting the backups. More importantly, make sure the software prevents a ransomware or malware infection, especially before detonation, from being backed up or recovered.

Taking these 3 steps will mitigate the RMM risk. Converged data protection/cybersecurity software prevents backups from being deleted via multiple layers of protection that often includes retention immutability, multi-factor authentication, passwordless biometric authentication, ability to rename the backup directories, and the ability to soft-delete without removing the backups as defined by the administrator. These solutions also prevent malware and ransomware from being backed up or recovered, successfully stopping attack-loops. 

[1] Federal Bureau of Investigation, Internet Crime Complaint Center, High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations, October 2019

Eran Farajun

Eran Farajun is the executive vice president of Asigra and an expert in the area of anti-ransomware data protection with more than 20 years in the industry. He has been instrumental in establishing Asigra as a leader in public, private and hybrid cloud-based data protection, bringing new levels of efficiency to organizations and addressing new challenges in the areas of data security and compliance. Learn more about Asigra at https://www.asigra.com.