Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah
-
@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@EddieJennings said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.
I've seen a situation where the ransomware ate most of the backups.
True, that is entirely possible... but the other part of paying the ransom is that you're really just painting a big bullseye on yourself. Once the bad guys know you will pay, the spearphishing will increase dramatically. I wouldn't hire an MSP that was a known ransom payer.
Absolutely. Not only do you paint a target on yourself, but you justify the attack, and fund further attacks and research. It is bad all around.
Plus there is the huge risk that you pay and they don't release the files anyway.
-
Wonder if their RMM was the attack vector with that known ConnectWise / Kaseya deprecated integration?
-
@SmithErick said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Wonder if their RMM was the attack vector with that known ConnectWise / Kaseya deprecated integration?
I would guess it is a decent chance.
-
Received my Cyberheist email from KnowBe4 about an hour ago and one article confirms that it was ConnectWise / Kaseya vulnerability from 2017 that was the vector.
-
@pmoncho said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Received my Cyberheist email from KnowBe4 about an hour ago and one article confirms that it was ConnectWise / Kaseya vulnerability from 2017 that was the vector.
We had a thread about that last week here on ML. We know that ConnectWise had vulnerable DLLs on their Windows installs. But we don't know if that was the case here. But we do know that they advertise publicly that they use some ConnectWise stuff, so the chances are relatively high.
-
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@pmoncho said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Received my Cyberheist email from KnowBe4 about an hour ago and one article confirms that it was ConnectWise / Kaseya vulnerability from 2017 that was the vector.
We had a thread about that last week here on ML. We know that ConnectWise had vulnerable DLLs on their Windows installs. But we don't know if that was the case here. But we do know that they advertise publicly that they use some ConnectWise stuff, so the chances are relatively high.
Yeah, I saw that.
What I found interesting was that a source stated that the update was either not installed or not installed "correctly." What is "not installing correctly" with regards to ConnectWise?
-
@pmoncho said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@pmoncho said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Received my Cyberheist email from KnowBe4 about an hour ago and one article confirms that it was ConnectWise / Kaseya vulnerability from 2017 that was the vector.
We had a thread about that last week here on ML. We know that ConnectWise had vulnerable DLLs on their Windows installs. But we don't know if that was the case here. But we do know that they advertise publicly that they use some ConnectWise stuff, so the chances are relatively high.
Yeah, I saw that.
What I found interesting was that a source stated that the update was either not installed or not installed "correctly." What is "not installing correctly" with regards to ConnectWise?
Good question. How does ConnectWise get "installed incorrectly" in a way that puts it at risk? And why do they make it so easy to do that someone actually did?
-
Does ConnectWise come with a default set of credentials to use and access that should be changed once the installation is complete?
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Does ConnectWise come with a default set of credentials to use and access that should be changed once the installation is complete?
Not the ConnectWise products that we use, but don't know about their broader suites.
-
@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@proteksupport now is your chance to clear things up. Otherwise we have to assume the information posted in the OP has at least some basis in truth.
Still waiting to hear what part of direct reports is untrue. We will certainly take any claims to the client to verify. But we need to know which piece(s) Protek is claiming were not true. Because it's all first hand info.
-
That page is now mysteriously gone.
-
@IRJ LOL, we had actually been giggling about that the other day
-
@Reid-Cooper said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
Looks like up until a few days ago they were really active on Twitter. And then went silent around when the supposed issue began.
https://twitter.com/proteksupport
Their last posts before going silent were all about security and avoiding things like ransomware.
Just checked it again, still silent. Pretty suspicious.
-
A second customer of Protek came forward and confirmed the ransomware situation. So definitely looking for Protek to respond with what part of the customers' statements is not true.
-
So they are sending this to customers, while still claiming it isn't true?
-
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
So they are sending this to customers, while still claiming it isn't true?
Do we know if the cause of the ransomware hit to these places was due to Protek, or that they just happen to be Protek customers, or a 3rd party service for example that Protek uses for its customers? Or was Protek itself hacked, and therefore customers' networks exposed...?
What's really going on?
-
@Obsolesce said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
So they are sending this to customers, while still claiming it isn't true?
Do we know if the cause of the ransomware hit to these places was due to Protek, or that they just happen to be Protek customers, or a 3rd party service for example that Protek uses for its customers? Or was Protek itself hacked, and therefore customers' networks exposed...?
What's really going on?
Protek isn't saying and they aren't responding here and their Twitter feed is silent since this happened. What we know for sure is that multiple (and rumor is "all") of their customers were hit at the same time. Whether or not Protek was hacked themselves, or was ransomed themselves we have no way to know.
We do know that Protek is the responsible party that had to pay the ransom, it was not coincidental that their customers were hit, it was a problem on the Protek side that caused or allowed it to happen. Protek was the vector through which it happened.
If it was a third party service, you'd expect the third party to have to have paid.
-
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@Obsolesce said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:
So they are sending this to customers, while still claiming it isn't true?
Do we know if the cause of the ransomware hit to these places was due to Protek, or that they just happen to be Protek customers, or a 3rd party service for example that Protek uses for its customers? Or was Protek itself hacked, and therefore customers' networks exposed...?
What's really going on?
Protek isn't saying and they aren't responding here and their Twitter feed is silent since this happened. What we know for sure is that multiple (and rumor is "all") of their customers were hit at the same time. Whether or not Protek was hacked themselves, or was ransomed themselves we have no way to know.
We do know that Protek is the responsible party that had to pay the ransom, it was not coincidental that their customers were hit, it was a problem on the Protek side that caused or allowed it to happen. Protek was the vector through which it happened.
If it was a third party service, you'd expect the third party to have to have paid.
Gotcha, makes sense now.
-
Now if only Protek would own up and admit what happened, we'd know some more. Without them willing to engage in a dialogue, everyone automatically kind of jumps to the worst possible case in their minds. Given that their remediation is not going well (that's how we found out about it, they weren't actively fixing affected customers for a while, and possibly not at all yet, we don't know) it seems like going public with an apology and explanation would be the best thing to do.
-
Just decided to check in on their Twitter feed again. Still nothing. Total silence since the issue began. No word if any customers have been restored yet.