Wide ransomware virus infection sourced from 3rd party IT's remote agents.

scottalanmiller

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

Fredtx

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

WLS-ITGuy

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

Fredtx

@WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

dafyre

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

Dashrender

@dafyre said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

Yeps, just like the vulnerability in RDP a few weeks ago is in the protocol, has nothing to do with the password - it's simply bypassed.

scottalanmiller

@WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

Yes and no. Certainly core responsibility would fall there, but there is also a selection responsibility from the MSP's side of things, too. You can't willfully choose tools irresponsibly and not be accountable. Not that they did, we don't know anything here. Just saying that bad software doesn't excuse the IT team that chose it.

As IT people, recommending and choosing good products is a huge part of what we are responsible for.

scottalanmiller

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

So many different MSPs, but they all shared one tool?

scottalanmiller

@dafyre said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

That's correct, it would not.

Fredtx

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

So many different MSPs, but they all shared one tool?

It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

scottalanmiller

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

So many different MSPs, but they all shared one tool?

It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

Fredtx

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

So many different MSPs, but they all shared one tool?

It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

I was told it was Connect Wise.

JaredBusch

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

So many different MSPs, but they all shared one tool?

It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

I was told it was Connect Wise.

Old and Unpatched, or weak passwords then.

scottalanmiller

@JaredBusch said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

So many different MSPs, but they all shared one tool?

It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

I was told it was Connect Wise.

Old and Unpatched, or weak passwords then.

Likely. Attach probably came through an MSP workstation.