When more than 20 local governments in Texas were hit this summer by ransomware in one day. The attack was apparently tracked back to one thing the organizations had in common: a managed service provider. With limited IT resources of their own, local governments have increasingly turned to MSPs to operate significant portions of their networks and applications, as have other organizations and businesses—often placing critical parts of their business operations in the MSPs' hands. And that has made MSPs a very attractive target to ransomware operators.
Threat researchers at the global cloud security provider Armor have been tracking publicly-reported incidents in which MSP and cloud service providers have been hit with ransomware. Thus far, they have documented 13 such incidents this year—with 6 of them reported in the past few months.
The most recent publicly exposed victim is Billtrust, which as security journalist Brian Krebs reported, was hit by what BleepingComputer reported was BitPaymer ransomware (a report that has not been confirmed). BillTrust is an online invoicing and billing provider based in New Jersey that also provides credit decision services. Billtrust executives sent an email to customers on October 22, informing them of the attack, stating:
Our standard security and back-up procedures have been and remain instrumental in our ability to execute the ongoing restoration of services… Out of an abundance of caution, we cannot disclose the precise ransomware strains but will do so as soon as prudently possible.
Other victims include:
- SchoolinSites, a cloud-based service provider for school districts that offered websites and parental access to student information, was taken down in an attack in September as reported by WKRG in Mobile, Alabama. The company's email was affected as well as other communications; SchoolinSites had to use Facebook to provide updates during the outage, which began on September 23.
- TrialWorks, a Florida-based case management software provider, was hit by a ransomware attack the week of October 14. The company, which serves about 2,500 law firms, acknowledged the ransomware attack and said that, while it did not impact their software, about 5% of the company's customers could not access their accounts.
- California-based MetroList, a real estate multiple listing and application services firm with about 20,000 real estate broker customers, was hit by ransomware in June, taking the company's services offline for two days. MetroList reportedly paid the ransom, which included a $10,000 insurance deductible.
- Also on October 14, Read More – Source
