ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Wide ransomware virus infection sourced from 3rd party IT's remote agents.

    Scheduled Pinned Locked Moved News
    17 Posts 7 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller
      last edited by

      Just like this one.... https://mangolassi.it/topic/18882/protek-support-msp-ransomware-hits-customers-in-salt-lake-city-utah/

      1 Reply Last reply Reply Quote 2
      • scottalanmillerS
        scottalanmiller @Fredtx
        last edited by

        @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

        FredtxF 1 Reply Last reply Reply Quote 1
        • FredtxF
          Fredtx @scottalanmiller
          last edited by

          @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

          @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

          We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

          WLS-ITGuyW scottalanmillerS 2 Replies Last reply Reply Quote 0
          • WLS-ITGuyW
            WLS-ITGuy @Fredtx
            last edited by

            @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

            @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

            @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

            We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

            If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

            FredtxF scottalanmillerS 2 Replies Last reply Reply Quote 0
            • FredtxF
              Fredtx @WLS-ITGuy
              last edited by

              @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

              @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

              @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

              @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

              We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

              If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

              Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

              dafyreD 1 Reply Last reply Reply Quote 0
              • dafyreD
                dafyre @Fredtx
                last edited by

                @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

                Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

                That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

                DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 3
                • DashrenderD
                  Dashrender @dafyre
                  last edited by

                  @dafyre said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                  @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                  @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                  @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                  @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                  @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                  We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                  If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

                  Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

                  That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

                  Yeps, just like the vulnerability in RDP a few weeks ago is in the protocol, has nothing to do with the password - it's simply bypassed.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @WLS-ITGuy
                    last edited by

                    @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                    @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                    @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                    @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                    We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                    If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

                    Yes and no. Certainly core responsibility would fall there, but there is also a selection responsibility from the MSP's side of things, too. You can't willfully choose tools irresponsibly and not be accountable. Not that they did, we don't know anything here. Just saying that bad software doesn't excuse the IT team that chose it.

                    As IT people, recommending and choosing good products is a huge part of what we are responsible for.

                    1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Fredtx
                      last edited by

                      @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                      @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                      @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                      We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                      So many different MSPs, but they all shared one tool?

                      FredtxF 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @dafyre
                        last edited by

                        @dafyre said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                        We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                        If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

                        Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

                        That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

                        That's correct, it would not.

                        1 Reply Last reply Reply Quote 0
                        • FredtxF
                          Fredtx @scottalanmiller
                          last edited by

                          @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                          We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                          So many different MSPs, but they all shared one tool?

                          It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Fredtx
                            last edited by

                            @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                            @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                            @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                            @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                            @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                            We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                            So many different MSPs, but they all shared one tool?

                            It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                            What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

                            FredtxF 1 Reply Last reply Reply Quote 2
                            • FredtxF
                              Fredtx @scottalanmiller
                              last edited by

                              @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                              @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                              @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                              @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                              @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                              @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                              We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                              So many different MSPs, but they all shared one tool?

                              It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                              What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

                              I was told it was Connect Wise.

                              JaredBuschJ 1 Reply Last reply Reply Quote 1
                              • JaredBuschJ
                                JaredBusch @Fredtx
                                last edited by

                                @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                                We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                                So many different MSPs, but they all shared one tool?

                                It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                                What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

                                I was told it was Connect Wise.

                                Old and Unpatched, or weak passwords then.

                                scottalanmillerS 1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller @JaredBusch
                                  last edited by

                                  @JaredBusch said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                  @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                  @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                  @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                  @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                  @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                  @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                                  @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                                  We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                                  So many different MSPs, but they all shared one tool?

                                  It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                                  What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

                                  I was told it was Connect Wise.

                                  Old and Unpatched, or weak passwords then.

                                  Likely. Attach probably came through an MSP workstation.

                                  1 Reply Last reply Reply Quote 1
                                  • 1 / 1
                                  • First post
                                    Last post