MSP Cyber Insights: Backup-Disabling Ransomware
By: Mike Talon for SKOUT CYBERSECURITY
SKOUT has been tracking a new twist to ransomware that specifically targets MSPs and their customers. While all ransomware is damaging, this one adds a component of pure nastiness that can and will have a devastating impact.
Standard variants of ransomware encrypt some or all information on a desktop, laptop, or server’s disk systems – including storage attached to a server externally, such as USB disks, SAN, or NAS platforms. Most also purposely or accidentally break native technologies like Windows ShadowCopy, removing the ability to revert to previous versions of the files that reside on the attacked device itself. To date, there are only three ways to retrieve encrypted files: pay the ransom; restore from an off-system backup copy (a backup that goes to some other machine, to the Cloud, to tape, etc.); or use a decryption tool made available by the cybersecurity community, if one has been found for the variant of ransomware that infected the device.
Paying the ransom is never recommended: it encourages more ransomware overall, and several threat actors have shown that they never intended to undo the damage of the attack or provide the decryption keys even after they had been paid. Restoration using community decryption tools (if they are available) or from backup are the best options.
Now there’s a new twist to the story. Recent variants of ransomware that appear to target MSPs primarily will purposely disable backup solutions prior to initiating the encryption phase of the attack. Since at least some versions of this attack disable the backup agents/systems days or even weeks before the damage is noticed, data is not restorable from backups, because the backup jobs haven’t been running for the intervening period. Luckily, the attack doesn’t destroy existing backup data that resides off-machine – it just stops any new backups from happening for a period of time prior to and/or during the encryption phase of the attack. Note that this type of attack will mutate, and may morph into a version that actively encrypts any backup copies it can find in addition to stopping new backups from taking place.
An example of this behavior is the so-called “Rapid Ransomware” (named for the .rapid extension it appends to every encrypted file), which disables Volume Shadowcopy Services, databases routinely used by backup tools (mySQL, SQLite, etc.), and running backup processes. It also continues encrypting files as they are created, meaning that it could be some time before a user realizes their files have been locked, and all new files created or downloaded since the beginning of the attack are also locked. It does not display an on-screen notification for the user to view; instead it places a text file on the desktop notifying the user that they are victims of the attack. This file can easily be missed, so users may not realize for some time that the damage is done. Rapid is not new: it was first reported in January of 2019, but variant forms of this attack have been targeting MSPs more recently.
There is one silver lining. Many off-machine backup tools do not perform differencing or incremental backups, instead backing up only the latest version of any given file. With traditional ransomware this renders the backup unusable, since the backup data is overwritten by the encrypted versions of those files if the infection is not caught before the next scheduled backup job runs. With backup-disabling ransomware, no backups are taken after the agent is disabled, so while the data will be outdated it will still be restorable.
Defending against this form of ransomware means combining well-established systems of protection and monitoring:
– Ensure that all devices are running appropriate anti-malware solutions (like SKOUT Endpoint Protection), including server systems. Keep this protection updated.
– Ensure that all desktops, laptops, and servers are kept up to date with Operating System and application patches, fixes, and updates.
– Monitor backup tools for anomalies. Ensure that backups are completing on schedule, and that there are no errors or failed backup jobs.
– Use backup tools that save multiple versions of files, as opposed to only the most recent version, and ensure that this versioning is performed on the backup appliance/service, not on the backed-up device itself.
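The monitoring advice above has one subtlety that is easy to get wrong: an agent that has been disabled writes no log lines at all, so a monitor that only looks for “failed” entries in the backup log will never see the silent weeks before encryption that the article describes. The audit below is an added example, not code from SKOUT or from any backup product. It works from an inventory of hosts that the schedule is supposed to cover and flags a host when it logged a failed job, when it has never logged a success, or when its last success is older than the schedule interval plus a grace period. The log format, the host names, the `EXPECTED_HOSTS` inventory and the `AS_OF` timestamp are all constructed for the example; the regular expression is the part to adapt to a real agent’s reports.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample job log (not output of any real backup product). The
# line format is an assumption; adapt LINE_RE to your agent's report format.
SAMPLE_LOG = """\
2019-06-01T02:00:05Z host=fs01 job=nightly status=success
2019-06-01T02:00:07Z host=db01 job=nightly status=success
2019-06-01T02:00:09Z host=ws12 job=nightly status=success
2019-06-02T02:00:04Z host=fs01 job=nightly status=success
2019-06-02T02:00:08Z host=db01 job=nightly status=failed error=service-not-running
2019-06-02T02:00:10Z host=ws12 job=nightly status=success
2019-06-03T02:00:06Z host=fs01 job=nightly status=success
2019-06-03T02:00:11Z host=ws12 job=nightly status=success
2019-06-04T02:00:03Z host=fs01 job=nightly status=success
"""

# Assumed inventory of every host the nightly schedule must cover. A disabled
# agent writes nothing at all, so the audit starts from this list rather than
# from whichever hosts happen to appear in the log.
EXPECTED_HOSTS = {"fs01", "db01", "ws12", "ws07"}

# Point in time at which the sample audit runs (constructed).
AS_OF = datetime(2019, 6, 4, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) job=(?P<job>\S+) "
    r"status=(?P<status>\S+)(?: error=(?P<error>\S+))?$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "job": m["job"],
                       "status": m["status"], "error": m["error"]})
    return events


def audit_backups(events, expected_hosts, now,
                  interval=timedelta(hours=24), grace=timedelta(hours=6)):
    """Return {host: [finding, ...]} for every expected host needing attention.

    A host is flagged when it logged a failed job, when it has never logged a
    success, or when its most recent success is older than interval + grace.
    """
    max_age = interval + grace
    last_success = {}
    failures = {}
    for ev in events:
        if ev["status"] == "success":
            prev = last_success.get(ev["host"])
            if prev is None or ev["ts"] > prev:
                last_success[ev["host"]] = ev["ts"]
        elif ev["status"] == "failed":
            failures.setdefault(ev["host"], []).append(ev)

    findings = {}
    for host in sorted(expected_hosts):
        notes = []
        for ev in failures.get(host, []):
            notes.append(f"failed job {ev['job']} at {ev['ts'].isoformat()} "
                         f"({ev['error'] or 'no error detail'})")
        if host not in last_success:
            notes.append("no successful backup on record")
        else:
            age = now - last_success[host]
            if age > max_age:
                notes.append(f"last successful backup is {int(age.total_seconds() // 3600)}h old "
                             f"(limit {int(max_age.total_seconds() // 3600)}h)")
        if notes:
            findings[host] = notes
    return findings


def run_sample():
    """Audit the constructed sample log against the constructed inventory."""
    return audit_backups(parse_log(SAMPLE_LOG), EXPECTED_HOSTS, AS_OF)


if __name__ == "__main__":
    for host, notes in run_sample().items():
        for note in notes:
            print(f"{host}: {note}")
```

Run as-is, the sample flags three of the four hosts: db01 (one failed job, then silence since its last success on June 1), ws12 (quiet since June 3 with no error ever logged, which is exactly the disabled-agent pattern) and ws07 (in the inventory but absent from the log entirely). fs01 passes. In production the inventory would come from the RMM or asset database rather than a hard-coded set, and the findings would feed a ticket or alert rather than stdout.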
Additional information can be found at [Hackers Disable MSP Backups, Launch Ransomware Attacks – ChannelE2E](https://www.channele2e.com/technology/security/hackers-disable-msp-backups/), and your SKOUT Team can help your MSP and your customers avoid this form of attack and continuously monitor for threat activity across your environments.