OUCH! Ransomware Attack Via MSP Locks Customers Out of Systems


Earlier this week, an unidentified threat actor launched a ransomware attack that encrypted between 1,500 and 2,000 endpoint devices belonging to users of a single US managed service provider (MSP).

The MSP was subsequently urged to pay a ransom of $2.6 million to have the systems unlocked.

The attacker managed the feat by exploiting a security flaw in a plug-in for VSA RMM, a software tool from Kaseya that is designed for the remote monitoring and management of servers and other computer devices. Like many MSPs, the targeted firm uses the software for client systems.

The attack has amplified existing fears over the possibility of large-scale cyberattacks on MSPs. Chris Bisnett of Huntress Labs, the cybersecurity company working with the MSP, stated that “everyone is looking at the attack and saying, ‘This could have been me.’”

[UPDATE 2/12/2019] More data: This is a Connectwise vulnerability which was announced by Connectwise in 2017 and patched by Connectwise shortly thereafter. A small number of customers may either not have installed the update from Connectwise or have installed it incorrectly. The plug-in gets installed onto the Kaseya system as a way to connect the two together. It turns out this is a patching issue, which is one of only two main root causes of compromise: social engineering and patching discipline.

Read more at DarkReading

Topics: Ransomware
