Ransomware gang hacks MSPs to deploy ransomware on customer systems

Hackers breach MSPs and use Webroot SecureAnywhere console to infect customer PCs with the Sodinokibi ransomware.

Ransomware attacks up their game _ and ransom demands The average ransom demand is up to almost $13,000, compared with $6,700 just a few months ago.

A ransomware gang has breached the infrastructure of at least three managed service providers (MSPs) and has used the remote management tools at their dispossal, namely the Webroot SecureAnywhere console, to deploy ransomware on the MSPs' customers systems.

The ransomware infections were first reported today in a Reddit section dedicated to MSPs -- companies that provide remote IT services and support to companies across the world.

Kyle Hanslovan, co-founder and CEO of Huntress Lab, was online and helped some of the impacted MSPs investigate the incidents.

Hackers got in via RDP

Hanslovan said hackers breached MSPs via exposed RDP (Remote Desktop Endpoints), elevated privileges inside compromised systems, and manually uninstalled AV products, such as ESET and Webroot.

In the next stage of the attack, the hackers searched for accounts for Webroot SecureAnywhere, remote management software (console) used by MSPs to manage remotely-located workstations (in the network of their customers).

According to Hanslovan, the hackers used the console to execute a Powershell script on remote workstations; script that downloaded and installed the Sodinokibi ransomware.

The Huntress Lab CEO said at least three MSPs had been hacked this way. Some Reddit users also reported that in some cases, hackers might have also used the Kaseya VSA remote management console, but this was never formally confirmed.

"Two companies mentioned only the hosts running Webroot were infected," Hanslovan said. "Considering Webroot's management console allows administrators to remotely download and execute files to endpoints, this seems like a plausible attack vector."

Webroot deploys 2FA for SecureAnywhere accounts

Later in the day, Webroot began forcibly enabling two-factor authentication (2FA) for SecureAnywhere accounts, according to an email Hanslovan received, hoping to prevent hackers from using any other potentially hijacked accounts to deploy new ransomware throughout the day.

SecureAnywhere supports 2FA, which is enabled by default for all users, but some users had apparently turned it off. In the email, the company said it would re-enable 2FA, without the option for users to disable it.

"Recently, Webroot's Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers' weak cyber hygiene practices around authentication and RDP," Chad Bacher, SVP of Products, WEBROOT, a Carbonite company, told ZDNet via email.

"To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20," he added.

"We all know that two-factor authentication (2FA) is a cyber hygiene best practice, and we've encouraged customers to use the Webroot Management Console's built-in 2FA for some time. We are always closely monitoring the threat environment, and will continue to take proactive measures like this to provide the best protection possible for customers."

Webroot email for enabling 2FA

Image: Kyle Hanslovan

The Sodinokibi ransomware is a relatively new ransomware strain, discovered in late April. At the time, a threat actor was using an Oracle WebLogic zero-day to hack into company networks and deploy the ransomware.

Today's incident is also the second major wave of attacks during which hackers abused MSPs and their remote management tools to deploy ransomware on their customers' networks.

The first incident happened in mid-February when a hacker group used vulnerabilities in commonly-used MSP tools to deploy the GandCrab ransomware on customers' workstations.

Coincidentally, at the time this incident was being detailed on Reddit, local media in Romania was reporting that five hospitals had been infected with ransomware in Bucharest, the country's capital. However, there is no evidence that the two events are linked, outside the infection timeframe.

Article updated with Webroot statement.

Related malware and cybercrime coverage: