GandCrab Ransomware Campaign Targets MSPs

Hackers have launched a new GandCrab ransomware campaign targeting managed service providers (MSPs) and IT support companies.

GandCrab is a widely used ransomware family, and it became popular with hackers because it is offered as Ransomware-as-a-Service (RaaS). RaaS allows even novice cybercriminals to launch ransomware campaigns and earn a commission for using the ransomware.

MSPs are often used by small and medium businesses (SMBs) that have insufficient resources to create and manage their cybersecurity frameworks. MSPs perform a range of functions such as patching, performing software updates, proactively finding security issues, and correcting problems in networks.

As MSPs work remotely, SMBs give them access to the SMBs’ entire network. This access results in MSPs becoming attractive targets for hackers. If a hacker launches just one successful attack on an MSP, they could not only infect the MSP computers but their clients as well, potentially reaching thousands of devices. This could result in a substantial profit for the hacker for relatively little work.

Hackers have seized this opportunity, and several threat actors have targeted MSPs recently. The latest attack campaign has caused significant damage to multiple MSPs. In an attempt to raise awareness of the campaign, two MSPs posted on Reddit to explain that they had been attacked and ransomware had been deployed on their clients’ networks. In one case, around 80% of client devices had ransomware installed, and in the second case, around 15% of clients were attacked.

The hackers have designed the latest attacks to take advantage of MSPs who have failed to patch a vulnerability in the Kaseya VSA plugin for ConnectWise. The plugin allows the Kaseya remote management and monitoring solution to be linked to the ConnectWise dashboard.

The vulnerability exploited in the attack (CVE-2017-18362) was discovered in late 2017. If a hacker exploits the vulnerability, they can perform actions on a Kaseya server without authentication.

Soon after the publication of a PoC for the vulnerability, ConnectWise released an updated plugin which addressed the flaw. Despite the patch being issued in November 2017, several MSPs have not applied the patch and are vulnerable to attack. Kaseya said it had detected 126 MSPs who have yet to upgrade to the secure version of the plugin.

Kaseya notes that this is an issue with the ConnectWise API rather than with Kaseya VSA itself, and advises all ConnectWise users with the plugin installed on their on-premise VSA to ensure they are running the latest version of the plugin and have deleted the old connector. ConnectWise has released a tool that scans for installed versions of the vulnerable plugin.

Although this attack campaign utilises ransomware, other threat actors may already have exploited the vulnerability. All MSPs should, therefore, conduct an audit of their VSA server to determine whether hackers have already compromised it.