Criminals infect MSP customers with ransomware

Hasanka Amarasinghe
1 min read · May 27, 2020


Once again, customers of a managed service provider (MSP) are infected with ransomware after criminals gain access to the MSP. Managed service providers provide all kinds of services to their customers, such as system management.

A ransomware attack that spread via an unnamed MSP was reported yesterday on Reddit. According to security company Huntress Labs, the attackers managed to gain access via RDP. They then used the Webroot management console to download the ransomware onto customer systems and disable the existing antivirus software. Existing backups were also removed. System administrators can remotely download and run files through the management console, which is what made this possible.

Webroot said in a response on Reddit that a number of customers who use the management console have indeed been affected by attackers. These attackers managed to get past authentication through a combination of the remote desktop protocol (RDP) and “poor cyber hygiene”. To ensure that customers follow security best practices, Webroot has logged all customers out of their management consoles and mandated the use of two-factor authentication.

Huntress Labs said in an update about the incident that the attackers also used Kaseya, a tool for managing systems remotely. In a similar attack in February, attackers also used Kaseya; at that time, MSP customers were infected with GandCrab ransomware. This time it is the Sodinokibi ransomware.
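The sequence described above (RDP logon, remote file execution through the management console, antivirus disabled, backups deleted) is exactly the kind of chain an MSP can watch for in its own audit trail. The following is an added example, not code from this post, Huntress or Webroot: the audit line format and the action names are assumptions, and the sample lines are constructed; the check correlates the stages per account within a time window and reports how far down the chain each account got.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format; not a real Webroot/Kaseya log).
SAMPLE_LOG = """\
2020-05-26T02:11:04 rdp_logon user=msp-admin src=203.0.113.45
2020-05-26T02:14:37 console_remote_exec user=msp-admin target=client-ws-01 file=update.exe
2020-05-26T02:15:02 console_av_disable user=msp-admin target=client-ws-01
2020-05-26T02:16:48 backup_delete user=msp-admin target=client-ws-01
2020-05-26T09:00:10 rdp_logon user=helpdesk src=10.0.0.12
2020-05-26T09:05:00 console_remote_exec user=helpdesk target=client-ws-07 file=patch.msi
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+)(?: .*)?$")
# The attack chain from the incident, in order (action names are assumed).
CHAIN = ["rdp_logon", "console_remote_exec", "console_av_disable", "backup_delete"]
WINDOW = timedelta(hours=1)

def parse(text):
    """Turn audit lines into (timestamp, action, user) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def stage_counts(events, window=WINDOW):
    """Per user: longest prefix of CHAIN seen in order within `window` of an RDP logon.
    A value of len(CHAIN) means the full chain was observed for that account."""
    by_user = defaultdict(list)
    for ts, action, user in events:
        by_user[user].append((ts, action))
    counts = {}
    for user, evs in by_user.items():
        evs.sort()
        best = 0
        for i, (start, action) in enumerate(evs):
            if action != CHAIN[0]:
                continue
            reached = 1
            for ts, act in evs[i + 1:]:
                if ts - start > window:
                    break
                if reached < len(CHAIN) and act == CHAIN[reached]:
                    reached += 1
            best = max(best, reached)
        counts[user] = best
    return counts

def alerts(events, min_stages=3):
    """Accounts that progressed at least `min_stages` steps down the chain."""
    return {u: n for u, n in stage_counts(events).items() if n >= min_stages}
```

On the constructed lines, `msp-admin` reaches all four stages while `helpdesk` stops at an ordinary remote execution, so only the first account is flagged; an RDP logon from outside an allowlisted range would be a natural extra condition on the first stage.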
