Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah
-
So we heard from customers of Protek Support in Salt Lake City that the MSP has been hit with ransomware that has gone on to hit all of their clients as well. From what we understand, they are currently on four days of customers being without their files and they aren't cleaning them up yet. We would suspect that their internal systems have been hit and they are tied up dealing with that.
Pretty good timing considering we just posted about this MSP Risk a few days ago.
How do MSPs survive this kind of level of destruction? Are clients talking to each other? Are clients going on to talk to other MSPs and look for assistance when their main support is gone?
We rarely think about how the MSP itself would be offline indefinitely and potentially unable to function in the case of a breach like this. But in this case, it looks like the MSP has been impacted to such a degree that they aren't even able to start helping customers yet. Four days with no action is a lifetime to an impacted business. Something like a hundred customers down for a whole week with no end in sight, it sounds like.
Each customer is going to need every machine - desktops, servers, storage, etc. to be totally wiped, reloaded, and restored. Imagine the manpower necessary to do that.
-
Imagine the manpower necessary to do that.
This was the saddest part of that.
-
Looking at the team at Protek's Meet Our Team page, it appears that they are a break/fix focused company. Which is shocking considering the size of clients that they have. But out of a total technical team of eight people, five of them are listed as "reactive" (aka break/fix) staff, rather than normal support. And only one of eight is their proactive person. The other three appear to manage things like online accounts or something.
So it is less surprising for a break/fix focused company to be at risk for ransomware, as they likely don't have anyone in a security, CIO, guidance, or other planning and decision-making role to address customer needs. Going by a "who we are" page is difficult, but it looks like most of their staff's expertise is in desktop hardware support (bench), rather than IT. So it is more surprising that they've not been out to service customers yet now that they are in a "reactive" position, but not so surprising that it happened, as it doesn't appear that this is a full service vendor prepared to be in this kind of position.
-
@LilAng said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Imagine the manpower necessary to do that.
This was the saddest part of that.
Yeah, internal technical staff of only eight people, most of whom appear to be bench techs (which will be useful for imaging thousands of desktops, but still) leaves very few hands to handle remediation tasks.
-
I noticed that the only management that they have is someone with sales, but no IT experience. Nothing wrong with that, most successful MSPs are run by non-IT people, but it appears after digging into their people list, that they lack any IT leadership people and it is just a loose collection of relatively green bench techs working for a sales guy. So lots of customers, and very little protection, is kind of an obvious result.
-
Is there a possibility that some of the clients have on-site IT too? I saw that list of employees; maybe some of them used to work in IT but decided to move on to the business side instead and can help with re-imaging computers.
-
I wonder if this company even has any DR plans for their customers and services. Pretty much DRaaS. Even a free tool like UrBackup would speed up the process of recovery for every client if it was in place prior to this occurring.
-
@black3dynamite said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Is there a possibility that some of the clients have on-site IT too? I saw that list of employees; maybe some of them used to work in IT but decided to move on to the business side instead and can help with re-imaging computers.
Possible, but chances are the other people are tied up trying to put out the account fires.
-
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
account fires
Those aren't able to be "put out" as the account has absolutely nothing to do with poor MSP support and planning. Or a lack of business DR planning.
They have a right to be ticked off and shouting.
-
I'm curious what systems Protek has in place such that their vulnerability spread to their clients' data.
Simple passwords? Hosted Services? Shared Services?
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
I'm curious what systems Protek has in place such that their vulnerability spread to their clients' data.
Simple passwords? Hosted Services? Shared Services?
No idea. Maybe VPNs for remote management. That's the most common vector for this. Or we've heard that unpatched ConnectWise is a popular target for it too.
-
TeamViewer maybe?
I'm honestly just not sure how and where a risk like this could be spread so quickly. Unless there was something so blatantly obvious that it's borderline intentional to have caused this.
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
No idea. Maybe VPNs for remote management. That's the most common vector for this. Or we've heard that unpatched ConnectWise is a popular target for it too.
Yeah those are possibilities.
Their website says "Protek provides unlimited onsite and remote support from local certified technicians." meaning some type of remote access.
I'm curious if they kept all of their client passwords in an unprotected Excel spreadsheet too...
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
TeamViewer maybe?
I'm honestly just not sure how and where a risk like this could be spread so quickly. Unless there was something so blatantly obvious that it's borderline intentional to have caused this.
Doesn't necessarily have to spread quickly. Might have taken its time and triggered all at once.
-
Oh right on their website
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Their website says "Protek provides unlimited onsite and remote support from local certified technicians." meaning some type of remote access.
We know that they do remote management, but that's all that we know.
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Oh right on their website
Hosted ScreenConnect. That should have been patched by ConnectWise.
-
What would MSPs do in a situation like this? It must be case by case, but do you pay the ransom and hope that the data really gets unlocked? That's a huge risk.
If they have good backups and processes, hopefully they don't need to pay the ransom. But it doesn't sound like they do if they have been down for so long and are not progressing yet.
-
@coliver said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Oh right on their website
Hosted ScreenConnect. That should have been patched by ConnectWise.
Good catch. Might just be one of many tools that they use, though.
-
It's funny how their website is set up. Each portal is different from the last, none of them remotely similar.
Just as a customer, that would raise a red flag for me had I been through the selection process. Something else is that all of their support pages boast of "local certified support".
Which, no problem, everyone needs to eat. But what if a bus just happens to come crashing through your office? All support is gone.
Throw some global support options in there. Especially since they have ScreenConnect. Literally 0 reason to require local on-site only staff.
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
It's funny how their website is set up
You should see the get to know us page and hover over the pictures.