
Another MSP, Another Ransomware Attack: Hackers Disable Backup Systems


Yet another hacker attack has hit an MSP -- this time spreading GlobeImposter ransomware across customer servers and networks -- "encrypting everything" along the way, according to chatter on Reddit.

It sounds like one MSP and roughly five different customers were impacted, though ChannelE2E has not directly confirmed details of the alleged attacks. Still, Datto Chief Information Security Officer Ryan Weeks has shed some light on the situation. The attacks allegedly involved hackers accessing and disabling backup and disaster recovery appliances. Datto's InfoSec and Code Red Tech Support teams have been supporting the MSP partner as the attack investigation continues, Weeks said in a statement.

Moreover, Weeks once again called on MSPs to activate two-factor authentication (2FA) as a potential step to block such attacks. Datto and other vendors are gradually mandating 2FA as the MSP industry strives to strengthen its overall defense posture.

Statement From Datto CISO Ryan Weeks


Referring to this specific incident, Weeks posted a prepared comment on Reddit. ChannelE2E confirmed with Datto that the comment is authentic. Among the key points Weeks shared:

"We are still gathering facts on this incident to share with the community. At this time, we know for certain that the attacker accessed the BCDR appliances from the local network successfully on first login attempt. How the local networks were accessed by the attacker is an active line of investigation that is ongoing. When we learn more and establish the facts, and can share them, we will update you.

To significantly increase your resilience to targeted MSP ransom attacks, please follow this previously issued guidance: Most importantly, please enable 2FA for every one of your employees on all your channel technology solutions and disable local WebUI access on BCDR appliances (portal access only).

We do not tolerate bad outcomes for our partners. In addition to our commitment to deploy required 2FA for Datto RMM after actioning partner feedback, we’re developing new tools and capabilities across our product stack to further reduce the likelihood and/or impact of a successful MSP attack such as this and others.

More than ever, we’re collaborating with other channel vendors and MSPs to pool intelligence that will enable us to better protect you and increase transparency."

Weeks also noted that Datto and several technology partners are hosting a webcast on September 12 to provide further guidance to MSPs. ChannelE2E noted the growing cross-vendor cooperation on security in this blog.

Hackers Disable MSP Backups: Growing Trend

The attack mentioned above isn't unique. MSPs in North America, Europe and Australia have suffered hacker attacks that disable backup systems and spread ransomware across end-customer systems, ChannelE2E reported in early August 2019.

In a typical scenario, the ransomware attacks spread from MSP systems to end-customer networks. When the MSP attempts a data restore, the service provider discovers BDR systems were disabled days, weeks or even months before the ransomware attack occurred, sources say. The net result, in some cases: Encrypted MSP and customer systems, and outdated or deleted backups.

In some cases, the backup provider has archived systems (a backup of the backup) to assist the MSP with longer-term recoveries. But even in that scenario, the archived backup may be a bit dated.

Ransomware Attacks Hit Multiple CSPs, MSPs

Ransomware attacks have hit multiple service providers in recent months. Victims include:

The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.

Amid those challenges, the MSP industry could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, cyberattacks and associated fallout, ChannelE2E and MSSP Alert believe.

In response, MSP software providers and their channel partners are increasingly activating two-factor authentication as a means to stop hackers from entering systems.

Moreover, ConnectWise is launching a Technology Solution Provider Information Sharing and Analysis Organization (TSP-ISAO). The goal: Recruit and welcome all companies — including rivals — into an information sharing organization that will raise industry defenses, and thereby benefit all MSPs.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.