Guest Column | April 5, 2019

Why MSPs Are The Newest Targets Of Ransomware

By Ken Dwight, The Virus Doctor

2006 Pharmaceutical Online Blitz Images

Ever since the infamous CryptoLocker was released into the wild in September, 2013, encrypting ransomware has been one of the most widespread and most destructive forms of malware. It also has also been one of the most profitable for the criminals who distribute it and collect the ransoms demanded for the successful decryption of the data files on the affected computers and networks.

In recent months these malware producers have come to realize their efforts can generate even higher profits by targeting computers that are directly connected to multiple, attractive victims of an encrypting ransomware attack. These unwilling “connectors” are the MSPs who, in turn, are responsible for a wide range of small- to midsized businesses (SMBs) and their computer networks.

By infecting the MSP, the criminals gain a foothold in all of the organizations that MSP supports. Most MSPs manage their client companies through an RMM software tool that gives them always-on access to all of the computers in each of their supported organizations. If the attacker can compromise that RMM tool, they can then deploy their ransomware on every computer in every organization supported by that MSP.

For that matter, there is virtually no limit on the number and types of attacks that can be initiated, once the RMM has been compromised. It could be exfiltration of data, financial theft, Business Email Compromise (BEC, aka CEO Fraud), or whatever the criminal decides is the most profitable way to monetize that compromise.

But for the sake of this article, the focus will remain on encrypting ransomware. Because if you consider the fact that the MSP in effect holds the “keys to the kingdom” of their clients, there is a high likelihood that a ransomware attack will be successful.

Using the tools included or built into the RMM platform, the criminals can perform extensive reconnaissance on each client. They can map the network structure, computer names, and the drives, folders, and files accessed by each user. They can determine the various layers of security in place and formulate attack vectors that will avoid detection and blocking by those security devices and/or programs.

Perhaps most importantly, they can see the backup procedures that are in place and design an attack that will destroy or encrypt those backup files, in addition to the “live” data files and folders that are the primary target of the malicious encryption. Without those backups, the client organization may be left with fewer recovery options and is more likely to pay the ransom demanded in order to recover the encrypted data files and, quite possibly, save their business.

The recent wave of ransomware attacks on MSPs started in late January, 2019 and is most commonly distributing the GandCrab family of ransomware. The infection vector is a vulnerability that was first disclosed in November, 2017, involving two products that are frequently used by MSPs. These products are ConnectWise Manage and Kaseya VSA.

ConnectWise Manage, from ConnectWise, is a Professional Services Automation (PSA) product used by IT Support firms; the Kaseya VSA plugin allows companies to link data from the Kaseya VSA RMM solution to a ConnectWise dashboard. The actual vulnerability is in an older version of ManagedITSync, which is a plugin used to integrate ConnectWise with Kaseya.

The file that contains the vulnerability is ManagedIT.asmx. ConnectWise has issued an advisory that explains the problem in some detail, and they also have released a tool that can allow clients to scan their servers for the vulnerable plugin. A Google search for ManagedIT.asmx produces articles from many vendors and multiple sites with more details of this issue and its remediation. This thread on Reddit is one of the most extensive.

Research for this article came from several sources, and I would like to acknowledge the following organizations and publications for their help in distributing this information:

  • Lawrence Abrams, of Bleeping Computer, wrote an excellent article titled “Ransomware Attacks Target MSPs to Mass-Infect Customers.”  This article provides additional background information on the infection vector used, and includes quotes from Reddit, Coveware, Huntress Labs, ConnectWise, and the U. S. Department of Homeland Security.
  • Catalin Cimpanu wrote an article that appeared in ZDNet titled “GandCrab ransomware gang infects customers of remote IT support firms.”  This article includes numerous hyperlinks to help the reader “connect the dots” with the various pieces of this puzzle.
  • Finally, DHS Alert TA18-276B, titled “Advanced Persistent Threat Activity Exploiting Managed Service Providers,” gives this U. S. Government agency’s assessment of the issue.

By following the recommendations in these resources, you can protect your MSP against this potentially catastrophic threat to your client organizations.

About The Author

Ken Dwight has been a computer professional since 1966 (15 years before IBM introduced their Personal Computer). Since 2002 he has specialized in malware, as The Virus Doctor™. He is the creator of the Virus Remediation Training Workshop, training IT Support Techs in effective malware removal. Contact him at www.thevirusdoc.com.