Cybersecurity Roundup: MSP Survives Ransomware Attack via ConnectWise, Kaseya Tools
The number of ransomware attacks on MSPs mounted last year, and more MSPs are likely to be targeted in 2020.
Dark Cubed, which provides cybersecurity solutions, commissioned a research study whose data reveal that MSPs are fighting a losing battle against cyberattacks. MSP networks are under a barrage of attacks from threat actors, and 100% of the MSPs reviewed suffered automated attacks, directed attacks or both.
To get a firsthand account of an MSP ransomware attack, we spoke with Darin Harris, COO of Remote Techs, which suffered a ransomware attack last year that nearly drove it out of business. The MSP works with clients across the western United States; construction and transportation are its two biggest verticals.
Channel Futures: How did the ransomware attack unfold?
Darin Harris: We used two pieces of software that are very common in the industry. We used a remote management and remediation tool [from] Kaseya, and then we used a ticketing and billing system [from] ConnectWise. ConnectWise had a plug-in, essentially, that connected the workstation data, the audit data, back into ConnectWise so that you could connect tickets to workstations and things of that nature. They released a patch [at] the end of 2017 or the early part of 2018 that was to fix a vulnerability. We applied the patch, thinking we were safe, and then in … the early part of February of 2019, the exploit that existed and that was supposedly patched started to be used in the wild, and ConnectWise and Kaseya started to see MSPs being attacked. What it would do is essentially bypass your two-factor security, bypass your user passwords … through a direct SQL injection into the database to change a password; they would log in and then they would use Kaseya to start installing their ransomware, using your servers to push the ransomware to all of the clients that were connected. Yeah, real friendly stuff.
So for us, it started at about 2:45 p.m. on a Sunday, and we have some customers that run pretty close to 24 hours a day, and so we started to get a few phone calls at about 3:15 p.m. about servers being unavailable for one of our clients. We started to investigate and found clients that were ransomed. And we started to see that affect a couple of clients at the same time, at which point we quickly deduced that the issue was the Kaseya server itself. We looked into that and found that we couldn't gain access to it like we used to be able to. And so we quickly took it offline, shut it down and then started the remediation process to fix everything. That was probably a good, solid six to eight weeks, and we had – compared to other owners like myself that I've spoken to – manageable damage. We had about 14-16% of our connected devices become encrypted, and more than half of those were servers. I know some owners and some other MSPs that had a 100% encryption rate. Every single device was encrypted before they found out what was going on. So yeah, that was January. It took us two months to get everything kind of back to normal. We had our customers back up within just a few days, but … even if you can recover workstations, desktops and servers, you still have to go back and back up all the data, rebuild it from scratch and …