Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah
-
@coliver said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Oh right on their website
Hosted Screenconnect. That should have been patched by Connectwise.
Yeah, but still wouldn't do anything to prevent bad password policy.
-
@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.
-
@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.
And taking and testing backups is literally one of the things that they say they do!
So to have taken this long to get up and running means either they are lying about their capabilities, their backups were hit as well or that they've never taken any backups!
-
@DustinB3403 ransomware can't hit those air-gapped, offsite backups... oh, wait.
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
TeamViewer maybe?
I'm honestly just not sure how and where a risk like this could be spread so quickly. Unless there was something so blatantly obvious that it's borderline intentional to have caused this.
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
No idea. Maybe VPNs for remote management. That's the most common vector for this. Or we've heard that unpatched ConnectWise is a popular target for it too.
Yeah those are possibilities.
Their website says "Protek provides unlimited onsite and remote support from local certified technicians." meaning some type of remote access.
I'm curious if they kept all of their client passwords in an unprotected excel spreadsheet too. . .
Anything using a username and password is an easy target. It's just a matter of social engineering via email or phone, or many other possibilities such as a fake URL to somewhere that looks legit, a trojan, etc...
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
It's funny how their website is setup. Each portal is different from the last, none that are remotely similar.
Just as a customer that would raise a red flag for me when having been through the selection process. Something else is that all of their support pages make the boast that "local certified support".
Which, no problem, everyone needs to eat. But what if a bus just happens to come crashing through your office. All support is gone.
Throw some global support options in there. Especially since they have ScreenConnect. Literally 0 reason to require local on-site only staff.
I think it makes more sense if you dig into their profiles and realize that they are a desktop break/fix firm primarily. So I suspect most of their work is done physically.
-
@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.
I wouldn't go that far. MSPs don't get to make those decisions. It is their customers who choose if they get to have and/or test backups. MSPs can (and should) suggest it, but they don't get to make the final call.
Now, that said, if the MSP recommended it and it wasn't done, why would the MSP pay the ransom anyway? That suggests that the MSP is at fault, for sure.
-
@scottalanmiller I've seen entire LANs hit by ransomware and it's tough getting it back up because everything is either down by the ransomware or by choice (to avoid it getting worse).
So your machine will not get an IP address because DHCP is down, you can't log in because AD is down, you can't access backups even if you have them because of the above and DNS is down. And often firewalls and WAN links have been shut down as well. PBX will be down, O365 can't be accessed. Where did we put the emergency plan?
There are a lot of interdependencies among services that you don't always realize until you have to. So you have to start slowly and unravel everything from one end to the other. It takes A LOT of time.
For one enterprise I know of it took months and the cost was billions. -
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
So we heard from customers of Protek Support in Salt Lake City that the MSP has been hit with ransomware that has gone on to hit all of their clients as well. From what we understand, they are currently on four days of customers being without their files and they aren't cleaning them up yet. We would suspect that their internal systems have been hit and they are tied up dealing with that.
I don't know where you got such information from, but this is simply not true.
-
@proteksupport said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
I don't know where you got such information from, but this is simply not true.
That's easy to say without having any proof to back it up. Are you secretly Donald Trump?
Also welcome to the community
-
This post is deleted! -
@proteksupport said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
So we heard from customers of Protek Support in Salt Lake City that the MSP has been hit with ransomware that has gone on to hit all of their clients as well. From what we understand, they are currently on four days of customers being without their files and they aren't cleaning them up yet. We would suspect that their internal systems have been hit and they are tied up dealing with that.
I don't know where you got such information from, but this is simply not true.
Threads need to be deleted asap. Or company info scrubbed. No need to have the name of the company in the thread actually in either case.
-
@proteksupport said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
So we heard from customers of Protek Support in Salt Lake City that the MSP has been hit with ransomware that has gone on to hit all of their clients as well. From what we understand, they are currently on four days of customers being without their files and they aren't cleaning them up yet. We would suspect that their internal systems have been hit and they are tied up dealing with that.
I don't know where you got such information from, but this is simply not true.
Are you actively cleaning up some customers but not all? Whats the status?
-
@Pete-S said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@proteksupport said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
So we heard from customers of Protek Support in Salt Lake City that the MSP has been hit with ransomware that has gone on to hit all of their clients as well. From what we understand, they are currently on four days of customers being without their files and they aren't cleaning them up yet. We would suspect that their internal systems have been hit and they are tied up dealing with that.
I don't know where you got such information from, but this is simply not true.
Threads need to be deleted asap. Or company info scrubbed. No need to have the name of the company in the thread actually in either case.
Actually its very important so that customers can discuss the issue together so that they are aware that they are not alone.
-
@proteksupport now is your chance to clear things up. Otherwise we have to assume the information posted in the OP at least as some basis in truth.
If a customer refused to have DR and backup services, literally nothing else needs to be said than "this was due to a customer decision".
If it's all false that's just as fine as well, but then we'd have to wonder why @scottalanmiller is supposedly being contacted with this claim.
@scottalanmiller are you able to shed any light on who the customer may be or otherwise help unfold this story?
-
@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.
I've seen a situation where the ransomware ate most of the backups.
-
@EddieJennings said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.
I've seen a situation where the ransomware ate most of the backups.
Well that would be because their backups weren't actually protected.
-
@EddieJennings said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.
I've seen a situation where the ransomware ate most of the backups.
Can happen when not air gapped.
-
As with any company, be it Microsoft, IBM, Facebook, Verisign, Whoever.... We do not protect companies when we have credible knowledge of a company's failure, or on the other hand, accomplishments are reported.
In this case, we have first hand knowledge as reported by the OP.
Just as I reported, along with many major news outlets, Wells Fargo had an outage affecting a large number of their customers and all of their investors. I would not remove their name, nor the post just because they complain.
-
@pchiodo said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
As with any company, be it Microsoft, IBM, Facebook, Verisign, Whoever.... We do not protect companies when we have credible knowledge of a companies failure, or on the other hand, accomplishments are reported.
In this case, we have first hand knowledge as reported by the OP.
Just as I reported, along with many major news outlets, Wells Fargo had an outage affecting a large number of their customers and all of their investors. I would not remove their name, nor the post just because they complain.
TL:DR Shit happens, and when it should be public knowledge it will be public knowledge.