Managed Service Providers (MSPs) provide IT and security services on a subscription model. Their great benefit is that they allow their clients to enjoy proactive management and protection while still keeping IT costs under control. An ounce of prevention, the old saying goes, is worth a pound of cure. But according to reports on Reddit and a related story on ChannelE2E, one MSP recently had a ransomware horror story strike 5 of its clients: every one of them had ransomware encrypt their entire network, their backup devices were erased and cancelled, and their cloud-storage backups were deleted. One small tip from Microsoft could have prevented it all.
What is Datto?
Datto is a well-recognized and highly respected backup system. The system creates a local real-time backup of server and workstation data on its local appliance, and the same data is then transferred to the cloud. The result is that if there is a local server failure, the Datto appliance can be booted live within minutes to begin serving users, minimizing downtime. Similarly, if data is lost or destroyed on the backed-up devices, it can be restored from the local or cloud copy.
Further, if the Datto appliance is somehow damaged -- as with a fire, earthquake or theft -- an image of the server resides on the cloud. The network can actually operate with this cloud image of the server as though it were local. Datto clients can increase security further with a second copy of the cloud data.
The Datto system, like some other Backup and Disaster Recovery solutions (BDRs), is an excellent way to protect your network from physical disasters, operator error, or cyber crime such as a Ransomware attack. But like any valuable tool, it must be used correctly.
Ransomware Horror Backstory
In this case, the MSP’s clients assumed that their computing environment was safe and secure. But according to a report by the Datto Chief Security Officer, there were some flaws with the MSP’s security configuration.
- A technician at the MSP was not using two-factor authentication (2FA) on at least two of his accounts.
- Several of the MSP’s BCDR appliances used identical admin credentials.
Hackers originally gained access to the MSP’s resources via one of the technician’s accounts. Datto also had reason to believe that the hacker gained access to the technician’s password management system.
Armed with access to the network, the hackers logged into the Datto backup appliance, disabled the local backups, disabled the cloud backups, and then deleted all versions of the cloud backups.
They waited for some time, then installed the Ransomware and demanded payment.
When the MSP attempted to recover their encrypted data from their Datto device or cloud server, they discovered it was gone. The lack of a usable backup substantially increases the incentive for the company to pay the ransom to recover its own data.
The Datto CSO also wrote that “there were malicious login attempts, seen across channel technology providers, using the MSP technician’s account.” In other words, the technician’s logins were used on several other sites by bad actors without the technician’s knowledge.
How To Prevent This Kind of Disaster
In an unrelated story, according to ZDNet, Microsoft reports that there are over 300 million fraudulent sign-in attempts every day against its cloud services and that 99.9% of them can be blocked with multi-factor authentication.
As you can tell from the ransomware horror story above, one technician failing to use 2FA was at the heart of this scenario. Had the technician used 2FA for his password manager, for the Datto BDR accounts, and for his other accounts, he would have been notified of every malicious login attempt, and might have been able to prevent this attack.
Another failure in this story is that the hackers were actively on the MSP’s and clients’ networks for an extended period of time and were never detected. The MSP should have had systems in place to notice the initial breach, detect the hackers’ actions on the network, and flag the disabling of the Datto devices and cloud accounts.
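The two configuration flaws listed earlier (no 2FA on the technician's accounts, identical admin credentials across appliances) and the detection gap described in this section are both things an MSP can check for mechanically. The script below is an added example written for this page; it is not code from Digital Uppercut, Datto or the original story. It scans a constructed audit log in an assumed format (Datto's real appliance logs and event names are not shown on the page, so the field layout and event names here are illustration only), raises alerts for logins without MFA and for backup-disabling or snapshot-deletion events, escalates when one account does all three within a short window, and separately audits a hypothetical appliance inventory for admin passwords shared between appliances.

```python
"""Detection checks for the backup-destruction pattern described above.

Added example, not from the original post or from Datto. The log format,
field names and event names are assumptions for illustration only.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Assumed format:
#   ISO timestamp | appliance | account | mfa=yes/no | event [extra fields]
SAMPLE_LOG = """\
2019-08-12T01:02:10Z | bcdr-client1 | tech.jdoe   | mfa=no  | login_success
2019-08-12T01:05:44Z | bcdr-client1 | tech.jdoe   | mfa=no  | local_backup_disabled
2019-08-12T01:06:02Z | bcdr-client1 | tech.jdoe   | mfa=no  | cloud_backup_disabled
2019-08-12T01:09:31Z | bcdr-client1 | tech.jdoe   | mfa=no  | cloud_snapshots_deleted count=412
2019-08-12T09:15:00Z | bcdr-client2 | tech.asmith | mfa=yes | login_success
2019-08-12T09:20:12Z | bcdr-client2 | tech.asmith | mfa=yes | local_backup_verified
"""

# Events that remove the ability to restore; each one deserves an alert on its own.
DESTRUCTIVE = {"local_backup_disabled", "cloud_backup_disabled", "cloud_snapshots_deleted"}


def parse_log(text):
    """Turn the pipe-separated sample log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, appliance, account, mfa, event = [p.strip() for p in line.split("|")]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "appliance": appliance,
            "account": account,
            "mfa": mfa == "mfa=yes",
            "event": event.split()[0],  # drop trailing "count=..." style fields
        })
    return events


def detect(events, window=timedelta(hours=1)):
    """Return alert tuples for MFA-less logins, backup tampering and full destruction chains."""
    alerts = []
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "login_success" and not e["mfa"]:
            alerts.append(("LOGIN_WITHOUT_MFA", e["account"], e["appliance"]))
        if e["event"] in DESTRUCTIVE:
            alerts.append(("BACKUP_TAMPERING", e["account"], e["appliance"], e["event"]))
        by_actor[(e["account"], e["appliance"])].append(e)

    # Escalate when one account disables both backup tiers and deletes the
    # cloud snapshots within the window: that is exactly the sequence in the story.
    for (account, appliance), evs in by_actor.items():
        destructive = [e for e in evs if e["event"] in DESTRUCTIVE]
        kinds = {e["event"] for e in destructive}
        if kinds == DESTRUCTIVE and destructive[-1]["ts"] - destructive[0]["ts"] <= window:
            alerts.append(("BACKUP_DESTRUCTION_CHAIN", account, appliance))
    return alerts


# Hypothetical inventory of appliance admin passwords (constructed values), as an
# MSP might export them from its password manager for a one-off audit.
INVENTORY = {
    "bcdr-client1": "Winter2019!",
    "bcdr-client2": "k7#Qp9vL2x!mB4",
    "bcdr-client3": "Winter2019!",
    "bcdr-client4": "T3r%yU8w@zN1q",
}


def shared_admin_passwords(inventory):
    """Group appliances that share an admin password; only hashes are compared, so
    the secrets themselves never appear in the audit output."""
    groups = defaultdict(list)
    for appliance, secret in inventory.items():
        groups[hashlib.sha256(secret.encode()).hexdigest()].append(appliance)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print("ALERT", *alert)
    for group in shared_admin_passwords(INVENTORY):
        print("SHARED ADMIN PASSWORD across", ", ".join(group))
```

On the sample data the script raises one MFA-less login alert and three tampering alerts for the first technician's account, then escalates them into a single destruction-chain alert because all three destructive events happened on the same appliance within four minutes; the second account, which used MFA and only verified a backup, produces nothing. The inventory audit reports the two appliances that share the same admin password. In a real deployment the same logic would sit in the SIEM described later on this page, with the escalation alert paging the SOC rather than printing to a terminal.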
How Digital Uppercut Protects You
While hindsight is 20/20, Digital Uppercut already has practices in place to protect our clients from similar ransomware horror stories. Our Business Protection Toolkit has features to detect attempted intrusions as well as unexpected or malicious activity on your networks.
- Our Web Filtering, Email Filtering, and Advanced Endpoint Protection block damage from bad websites, attachments and actions (including the disabling of BDR systems).
- Our SIEM system continuously monitors your security logs in real-time, looking for attempted and successful breaches.
- Our Security Operations Center is filled with a team of experts who are continually watching over your network security.
There’s more to our Business Protection Toolkit, and it’s all backed by our Million Dollar Ransomware Guarantee.
What to do Next
If you’re not certain that you are already enjoying protection on this level, talk to us. We can specially configure our Business Protection Toolkit for your unique business and network configuration. Contact us online or call us at 818-913-1335. Don’t let what happened to these unfortunate companies happen to you. Talk to us today.