The Ritz Herald
© Getty Images

Backups Disabled: Ransomware Targets IT Service Companies

Published on September 03, 2019

A new ransomware attack called Globelmposter is spreading across servers and networks and disabling backup and recovery devices (BCDR). It encrypts everything so you can’t access your files. A number of IT Managed Service Providers (MSPs) have been hit.

  • GlobeImposter Ransomware Disables Backup & Disaster Recovery Services

Almost every IT service company offers some level of data backup, disaster recovery and business continuity solution for their clients.  Many of the top names in Datto, Barracuda, Cloudberry and a host of others.

GlobeImposter allows hackers to access and disable backup and recovery devices. The GlobeImposter ransomware can spread from your MSP’s systems to your network. 

Unfortunately, when the IT service company tries to restore your data, they may find that the business continuity solution was disabled for days, weeks or months before the ransomware was discovered. This puts you at risk of outdated or deleted backups. 

  • Datto, A Leading IT Services Firm Backup Vendor

Datto, a manufacturer that makes BCDR devices is investigating these incidents. This is what their Chief Information Security Officer, Ryan Weeks tells us: 

“We are still gathering facts on this incident to share with the community. At this time, we know for certain that the attacker accessed the BCDR appliances from the local network successfully on first login attempt. How the local networks were accessed by the attacker is an active line of investigation that is ongoing.”

  • Hackers Are Increasingly Disabling Backup Services Offered By IT Companies

These attacks are hitting MSPs in North America, Europe and Australia; and it seems that this is a growing trend.  When this happens, the ransomware spreads across their customers’ systems. Recoveries (if possible) can take many weeks.  

  • What MSPs Must Do

Datto tells MSPs to activate two-factor authentication (2FA) to help block GlobeImposter attacks. Many backup and disaster recovery vendors, including Datto, are beginning to mandate 2FA to strengthen their security defenses. 

Datto provides further guidance and best practices for securing BCDR devices here:

CHANNELe2e offers this guidance for MSPs as well.

  • Leaders In The IT Community Share Insights

Dan King, K2 Technologies:

“This is the very reason that Data Backups are our #1 priority.  Without a proper, thought out backup strategy, we cannot ensure our clients’ data is safe.  Part of that strategy is separating the backup system from the main network; then ransomware is unable to make the jump from one network to the other as it doesn’t have any access to the shares on the data storage device.  

Our backups are reviewed manually every week; we have been bitten by not having a set of eyes manually verifying the backup is actually working. RMM (Remote Monitoring & Management) systems will tell you when there’s an issue with a backup job, but not necessarily that the backup is actually running a job.  

We manually verify that the backup job is doing everything it’s supposed to be doing. We also manually spin our server images every quarter.  Backups are an integral part of protecting our clients’ data that they trust us to protect.”

Michael Goldstein, LAN Infotech:

“This report comes at such a terrible time with all of the ransomware attacks going on; also at a time where backups are critical. Last October, we started reviewing all of our MSP systems to review security and enabled 2FA.”

Duleep Pillai, Veltec Networks:

“This is our practice: 2FA on RMM, PAS (Partial Attribute Set), Email and all services. The local drive for backup is not mapped to be accessible from any local devices other than the backup user. No guest access to the drive, and no default password for admin. We use a totally different user for backup.”

Stuart Pretty, Steadfast Solutions:

“What we are doing:

  • MFA protection on critical platforms with access to client systems
  • Password rollover policies in place
  • Offsite backups protected with separate credentials from onsite (Datto only requires a single set of credentials to access local and remote storage)

What we will be doing:

  • Lock down internal admin access
  • No more documenting of any type of password in Autotask
  • MFA on all Autotask logons (for the reason above)”

Jorge Rojas, Tektonic Inc.:

With the increase of ransomware attacks on MSPs and vendors, it looks like Multifactor Authentication (MFA) is a must; especially for MSP since they guard the keys of their customers’ kingdoms.  A lot of the vendors are starting to implement MFA with Webroot, Datto, D&H, Microsoft. We are currently looking into DUO to see if we can standardize the MFA process.

  • What You Should Do

Ask your IT Managed Service Provider what they are doing about GlobeImposter, and how they plan to secure your backup and disaster recovery system.

Staff Writer