Armor, a global cloud security solutions provider, has identified 6 new Managed Service Providers (MSPs) and/or Cloud-Based Service Providers that have been compromised by ransomware, bringing the total number of publicly identified MSPs / Cloud-Based Service Provider victims in 2019 to 13.
6 New Ransomware Victim MSPs and/or Cloud-Based Service Providers Identified. They include:
- SchoolinSites—Saraland, Alabama. In September, the provider of cloud-based education solutions to schools, including the management of numerous school websites, was hit by a ransomware attack that shut down all means of communication, including phones, email, and their HelpDesk. Many of the websites of the schools that contract with them also went down as a result of the attack. One of the customers affected was the Mobile County Public School System in Alabama, whose website went down the weekend of September 23. According to a spokesperson for the Mobile County Public School System, many parents use the website to get important information about their children’s educational progress. Rena Philips with the school system said, “MCPSS.COM has gone down. It has not hit our internal servers or anything like that. This is strictly with our external website that is provided by a third-party vendor, SCHOOLinSITES.”
While their systems were down, SCHOOLinSITES used Facebook to provide updates to their customers. Several local news outlets published the following statement from the MSP on September 24:
“SCHOOLinSITES wants to update our customers that significant progress has been made against the ransomware attack against our company. While we do see a resolution in the near future, we cannot immediately put a timeline on it. We will post another update this evening, whether or not there is new information to share so that our loyal customers are aware we are working diligently to get their sites back online as soon as possible.”
- TrialWorks—Coral Gables, Florida. At almost the same time that Billtrust was being hit by a cyberattack, TrialWorks, a Florida-based provider of a case management software platform serving 2,500 law firms, was suffering a ransomware incident. According to reports from numerous TrialWorks customers, they were hit the week of October 14 and, as a result, were shut out of the TrialWorks software platform for several days and could not access their case files. TrialWorks reported that they recently suffered a ransomware incident and said that it did not affect their software but did prevent approximately 5% of their customers from accessing their accounts.
- MetroList—a California-based company that provides multiple listing services and computer services to 20,000 real estate brokers and agents. They were hit by ransomware in June and are reported to have paid a $10,000 insurance deductible towards an undisclosed ransom payment. MetroList’s systems were down for two days.
- Unnamed MSP—On October 14, Magnolia Pediatrics of Louisiana reported that the network of their IT Services Provider was compromised and, as a result, they were hit by ransomware. Their patient data was encrypted, including patients’ names, DOB, SSN, address, insurance information, and clinical information such as diagnoses, lab results and medications. Magnolia Pediatrics stated that their IT Services Provider paid an undisclosed ransom, but they did not name the IT Services Provider.
- CorVel—California-based CorVel is a risk management solutions company serving the workers’ compensation, auto, health and disability management industries. The company reported that it was hit by the Ryuk ransomware in July. As a result, they had to take a number of systems offline, affecting their ability to process claims and to communicate with their customers, because the attack affected their phone system, email, and their healthcare provider lookups.
- Billtrust—The most recent organization to be hit by ransomware is Billtrust, a New Jersey-based B2B order-to-cash solutions provider. Billtrust is a third-party provider of customer invoicing and online bill payment, and also provides solutions used to automate credit decisioning and monitoring, cash application and collections. According to a news story from Brian Krebs, on October 22 Billtrust sent an email to its customers which read: “Our standard security and back-up procedures have been and remain instrumental in our ability to execute the ongoing restoration of services.” The email continued: “Out of an abundance of caution, we cannot disclose the precise ransomware strains but will do so as soon as prudently possible.”
Krebs also reported that on October 21 he interviewed Billtrust CEO Steven Pinado, and that the company became aware of a malware intrusion on Thursday, October 17. Krebs reported: “Pinado said we’re aware of the malware and have been able to stop the activity within our systems. We immediately started focusing on control, remediation and protection. The impact of that was several systems were no longer available to our customers. We’ve been fighting the fight, working on restoring services and also digging into the root cause.”
Bleeping Computer, citing an unnamed source, said that the company had been infected with the BitPaymer ransomware. However, the company has not confirmed this to be the case. Also of note, recent news articles have reported that Pilz, a major German manufacturer of automation tools, was infected with the BitPaymer ransomware on October 13, 4 days before the reported ransomware attack against Billtrust.
Reaction from Armor TRU Team
“This uptick in successful ransomware attacks against MSPs and/or Cloud-Based Service Providers is a harsh reminder that organizations have to ensure that the third-party vendors they do business with are as well protected against current and emerging cyber threats as they are,” said Chris Hinkley, Head of Armor’s Threat Resistance Unit (TRU) research team. “This is especially true because, as we have seen, a successful ransomware attack against an MSP/Cloud-Based Service Provider can be debilitating to their customers, as well as to their own company, as the attack can quickly shut down key systems which the customers depend on to run their organization.”
“And of course, a ransomware attack against an MSP can be fatal, putting an MSP out of business, which appears to be the case with PM Consultants, the Oregon-based IT consulting and IT support provider to dental practices, who after being hit by ransomware in early July subsequently shut their business down later that month, citing that they were doing so in part due to the ‘devastating event’.”
Three of the Most Damaging Ransomware Attacks Against MSPs in 2019
What appear to be the three most damaging ransomware attacks against MSPs in 2019 involved dental practices and municipalities.
PerCSoft, a Wisconsin-based MSP that offers technology solutions including computers, software, digital equipment, phone systems, and audio, suffered a ransomware attack in August that infected as many as 400 dental practices. The attack on PerCSoft encrypted patient files and emails, and even encrypted DDS Safe, the company’s HIPAA-compliant online dental backup system. The ransomware used in the attack has been identified as Sodin.
PM Consultants, an Oregon-based MSP providing IT consulting services to dental practices, including software updates and backups, was a victim of ransomware in July. It was reported that dental practice customers in Oregon and Washington were unable to access patient files. The company owners announced in late July, in an email to their customers, that they were shutting down their business, partially due to the ransomware incident. As of October 28, three months after the attack, PM Consultants’ website continues to be offline, and their phone is disconnected.
TSM Consulting, a Texas-based MSP which provides technical support and services to local government and law enforcement markets, suffered a notable ransomware attack in August that infected 22 municipalities at once. The attack on TSM Consulting resulted in city courts, police departments and county offices losing access to email, billing, and scheduling systems. The Sodin ransomware was said to be used in this attack.
The 13 MSPs/Cloud-Based Service Provider Ransomware Victims in 2019:
- Billtrust—Lawrence Township, New Jersey. Billtrust is a B2B order-to-cash solutions provider, offering customer invoicing and online bill payment, in addition to solutions which automate credit decisioning and monitoring, cash application and collections.
They reported getting hit by ransomware on October 17 and as of October 21 were working to bring several remaining systems online for their customers.
- TrialWorks—Coral Gables, Florida. At almost the same time that Billtrust was being hit by a cyberattack, TrialWorks, a Florida-based provider of a case management software platform serving 2,500 law firms, was suffering a ransomware incident. According to reports from numerous TrialWorks customers, they were hit the week of October 14 and, as a result, were shut out of the TrialWorks software platform for several days and could not access their case files. TrialWorks reported that they recently suffered a ransomware incident and said that it did not affect their software but did prevent approximately 5% of their customers from accessing their accounts.
- PM Consultants—Portland, Oregon. Hit in July 2019. They are an MSP providing IT consulting and support (including firewalls, software updates and data backups) for dental practices. It was reported that many of their customers (dental practices in Oregon and Washington) could not access their schedules and other files. As of October 23, three months after the attack, PM Consultants’ website is offline, and their phone is disconnected.
- iNSYNQ—Gig Harbor, Washington. Hit in April 2019. iNSYNQ provides QuickBooks accounting services for accounting firms. The company took several of their servers offline to contain the infection. The attack impacted the data belonging to certain clients.
- CloudJumper—Garner, North Carolina. Hit in May 2019. They are a Cloud Workspace-as-a-Service provider. They were hit by the Ryuk ransomware.
- PerCSoft—West Allis, Wisconsin. Hit in August 2019. 400 of their dental practice customers were affected by the compromise of PerCSoft. The ransomware used in the attack has been identified as Sodin.
- TSM Consulting Services Inc.—Rockwall, Texas. Hit in August 2019. The compromise of TSM Consulting resulted in 22 Texas municipalities getting hit with ransomware, which in turn caused city courts, police departments and county offices to lose access to email, billing, and scheduling systems. The Sodin ransomware was said to be used in this attack.
- IT By Design—Jersey City, NJ. Hit in June 2019. The company provides MSP-ready talent to IT Solutions Providers. They offer organizations Dedicated Remote Engineers, 24x7x365 NOC services, and White Labeled Helpdesk solutions. As a result of the ransomware attack against them, 8 of their MSP customers were impacted for 48 hours.
- Unnamed IT Services Provider—On October 14, Magnolia Pediatrics of Louisiana reported that the network of their IT Services Provider was compromised and, as a result, they were hit by ransomware. Their patient data was encrypted by the ransomware, including patients’ names, DOB, SSN, address, insurance information, and clinical information such as diagnoses, lab results and medications. Magnolia Pediatrics stated that their IT Services Provider paid the ransom, but they did not state the amount or the name of their IT Services Provider.
- MetroList—Sacramento, California. MetroList provides multiple listing services and computer services to 20,000 real estate brokers and agents. They were hit by ransomware in June; however, the news of the incident only came out the week of October 21. They are reported to have paid a $10,000 insurance deductible towards an undisclosed ransom payment. MetroList’s systems were down for two days.
- SchoolinSites—Saraland, Alabama. SchoolinSites is a provider of cloud-based education solutions to schools, including the management of numerous school websites. In September they were hit by a ransomware attack that shut down all means of communication, including phones, email and their HelpDesk. Many of the websites of the schools that contract with them also went down as a result of the attack. One of the customers affected was the Mobile County Public School System, whose website went down the weekend of September 23. A Mobile County Public School System spokesperson said that many parents use the school’s website to get important information about their children’s educational progress; however, they confirmed that the attack did not hit their internal servers, only their external website, which is provided by SCHOOLinSITES.
- CorVel—Irvine, California. They provide healthcare management services in support of workers’ compensation, auto, liability, disability insurance and group health. The company reported that they had to take a number of systems offline, affecting their ability to process claims and to communicate with their customers. The attack affected their phone system, their email, and their healthcare provider lookups. They were hit by the Ryuk ransomware.
- Apex Human Capital Management—Roswell, Georgia. They are a cloud-based payroll software company that serves some 350 payroll service bureaus, which in turn provide payroll services to small and mid-sized businesses. According to a news article by Brian Krebs, they were hit by ransomware in mid-February, and the attack took all of their systems offline. The company told Krebs the “ransomware never touched customer data, but instead encrypted and disrupted everything in the company’s computer systems and at its off-site disaster recovery systems.” Apex Human Capital Management opted to pay the ransom but did not disclose the amount or the type of ransomware they were hit by.
Key Ransomware Statistics:
- Industries Most Affected by Ransomware in 2019
  - Municipalities–78
  - School Districts and/or Schools (including colleges)–61
    - Note: The School Districts which have been hit by ransomware comprise over 500 individual schools, making the potential number of victims much higher than the number of school districts listed.
  - Healthcare agencies and/or healthcare–37
  - Radio Stations–15
  - MSPs–13
- There have been 233 publicly identifiable ransomware victim organizations in 2019, compared with 62 organizations in 2018.
- Only 68 victim organizations were hit by ransomware from January 2019 to May 2019; 165 victim organizations have been hit since May 2019.
Shipping Meter Company Pitney Bowes, J&M Truck Lines and Online Retailer Alphabroder Attacked in the Private Sector
Pitney Bowes has finally reported this month’s “malware attack” as ransomware; various news reports have described how the October attack encrypted files and paralyzed communication systems. J&M Truck Lines revealed this month that they suffered a ransomware attack in April, joining transportation victim A. Duie Pyle, who suffered an attack in June. Alphabroder, a $1.6 billion online retailer of specialty products and the largest in North America, announced that their order processing and shipping platform was seized by the Sodin ransomware.
Key Ransomware Protection Tips Include:
- Offline Data Backups – users must have multiple backups of their critical data, applications, and application platforms. These backups must be air-gapped from the internet and password protected.
- White Listing Solution – limits the applications and processes that are allowed to run in your environment by providing a short list of approved applications and processes. Like a VIP list for your PC: if it’s not on the list, it’s not allowed.
- File Integrity Monitoring – monitors your IT environment 24x7x365 for changes to critical OS files and processes, such as directories, registry keys, and values. It also watches for changes to application files, rogue applications running on the host and unusual process and port activity, as well as system incompatibilities.
- Practice Least Privilege Access Control – ensure the user has the least privilege needed for their job. This also applies to services.
- Audit/Penetration Testing from Independent, Third-Party Experts—to ensure that you are implementing best practices.
- IP Reputation Monitoring/Blocking – blocking known bad infrastructure and actors.
- Continuous Security Awareness Training– educate employees about current and emerging cybersecurity risks and phishing emails. Effective training should actively engage employees and include policies concerning the correct response to suspected phishing attempts.
- Endpoint Protection Solution – includes protection, detection and response capabilities for laptops, workstations and mobile devices. Utilizes antivirus (AV) and antimalware (AM) to block cyberattacks. It is also used to quickly detect and remediate any malicious activity or infection that has made its way onto the endpoint.
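As an added illustration of the File Integrity Monitoring tip above (example code written for this page, not Armor's product or any of the providers' tooling), the script below baselines a directory tree with SHA-256 digests, re-scans it, classifies each file as added, removed or modified, and raises an alert when a large share of the baseline changes in a single scan, the pattern a ransomware encryptor leaves behind. The 50% threshold and the sample files are assumptions chosen for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file (path relative to root) to its digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as added, removed or modified since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def mass_change_alert(diff: dict[str, list[str]], baseline_size: int,
                      ratio: float = 0.5) -> bool:
    """Ransomware rewrites or replaces files in bulk: alert when the share of
    baseline files touched in one scan reaches the (assumed) threshold."""
    touched = len(diff["modified"]) + len(diff["removed"])
    return baseline_size > 0 and touched / baseline_size >= ratio

def demo() -> tuple[dict[str, list[str]], bool]:
    """Constructed scenario: baseline three documents, then simulate an
    encryptor overwriting two of them and dropping a note file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("invoices.csv", "cases.db", "readme.txt"):
            (root / name).write_text(f"original contents of {name}")
        base = snapshot(root)
        (root / "invoices.csv").write_bytes(b"\x8f\x1a constructed encrypted blob")
        (root / "cases.db").write_bytes(b"\x00\x7c constructed encrypted blob")
        (root / "HOW_TO_DECRYPT.txt").write_text("constructed note file")
        diff = compare(base, snapshot(root))
        return diff, mass_change_alert(diff, len(base))

if __name__ == "__main__":
    changes, alert = demo()
    print(changes, "ALERT: mass file change" if alert else "no alert")
```

In practice the baseline would be stored off-host (ideally with the offline backups) so an intruder cannot rewrite it along with the files.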