True North Networks Blog
Ransomware: MSP Pays Hackers $150,000 to Unlock Data
MSP pays hackers over $150,000 in bitcoin for ransomware attack recovery. Hackers apparently leveraged stolen credentials to access RMM and cybersecurity software.
An MSP bowed to hacker demands and paid more than $150,000 to recover data after a ransomware attack, UBX Cloud asserts without revealing the managed IT service provider’s company name.
The hackers targeted RMM (remote monitoring and management) software and a cybersecurity management dashboard to infiltrate MSP systems and extend ransomware out to end-customer systems, MSSP Alert has previously reported.
The attack involved compromised credentials rather than any type of breach or product compromise, Webroot and Kaseya both determined. As an added precaution, Webroot has now made two-factor authentication mandatory.
In a follow-up report about the attack, UBX Cloud asserted:
“Roughly 30% of the end-user systems impacted by the attack were quickly recoverable because the victim of the attack utilized UBX Cloud’s Veeam-powered air-gapped offsite backups, which allowed those users to recover their systems in less than 30 minutes. However, recovering the remaining 70% of the impacted systems cost the MSP over $150,000 in bitcoin to gain access to the decryption keys, required to recover the data that was not protected by air-gapped backups.”
UBX Cloud did not mention the MSP by name, nor did the company say if the MSP successfully decrypted the data. At least three MSPs were hit by the attack, according to research from Huntress Labs. The victims included IT By Design, according to CRN.
The MSP’s ransomware payment comes only a few days after the city of Riviera Beach, Florida, paid hackers $600,000 to unlock its ransomware-infected systems.
Hackers Target MSPs: FBI Warning
This latest ransomware attack and MSP payment raise fresh cybersecurity concerns across the managed IT services provider ecosystem.
Hackers have repeatedly targeted RMM, remote access, remote control and cybersecurity software as a springboard into end-customer systems. Many of the attacks have involved compromised credentials (i.e., user names and passwords) rather than product vulnerabilities. The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.
Amid that reality, technology vendors have called on MSPs to leverage the NIST Cybersecurity Framework to identify and mitigate cyber risk.