An on-premises version of ConnectWise Control was used to seed the endpoints in a ransomware attack in Texas last month, and ConnectWise is working with law enforcement as it investigates how the attack happened and who carried it out, ConnectWise Chief Information and Security Officer John Ford told CRN.

In the case of the Aug. 16 Lone Star State ransomware attack—which resulted in portions of 22 town and county networks being locked behind encryption keys—Ford said that because the MSP partner used an on-premises version of ConnectWise Control he isn’t sure if it had the most up-to-date version of the product, if it had multifactor authentication turned on, or if it was vigilant with patches.

“We literally don’t have any access to the logs or the configuration,” Ford said. “Unless they call us and ask us for support, we don’t have the ability to see that. I wasn’t trying to be intentionally vague. I’m sure that in the investigation that is going on those logs will be collected. It’s possible at some point that ConnectWise will have availability to that. We just don’t have the data, unfortunately.”

[RELATED: ‘This Can’t Be Happening’: One MSP’s Harrowing Ransomware Story]



Rick Myers, owner of TSM Consulting—the MSP that was providing products and services to sites in 22 Texas towns and counties that were subject to a devastating ransomware attack—told CRN that he stands by his work, employees and his customers. He said he is not ready to talk in detail about what happened because he does not want to hamper the investigation.

With an increasing number of attackers using the power of remote access tools, ConnectWise—which has been leading an industrywide effort to educate and secure MSPs from the scourge of ransomware—has opted as of Oct. 1 to implement multifactor authentication by default.

Ford said while requiring multifactor authentication (MFA) by default as opposed to sitting on the system as an option could create some “abrasion” among customers, it’s “the right thing to do.”

“We’ve been stressing for quite some time, for a year, maybe two, the need to use MFA and to enable it, but given the velocity and changes to the threat environment, we no longer can rely on some of the folks to make that decision so we’re making it for them,” he said. “The question of whether it’s too late or not, I wouldn’t think so. I think you’ll see some of our competitors and non-competitors in other industires all moving towards this approach. It’s really tough when you force something down on your partners because that’s generally not what you want to do. A lot of our partners use MFA on their own.”

ConnectWise is hardly alone when it comes to falling victim to hackers. Webroot, Kaseya, Continuum and NinjaRMM all have MSPs that have been hit and their products hijacked by bad actors who have flipped ill-gotten credentials to cash.

“I’ve been chatting with some of my peers. Last year at this time you might hear about one a month,” Ford said. “There’s well over three dozen MSPs who are hit right now as you and I are on the phone, and there are more coming. Those are the ones we know about. Not to mention the ones we don’t.”

When looked at industrywide, in the second quarter of 2019 the average ransom payment increased 184 percent to $36,295, compared with $12,762 in the first quarter of 2019, according to Coveware, a cybersecurity company that helps mitigate damage after a ransomware attack.

The monetary incentives are so huge, in fact, that ransomware as an industry is beginning to take the shape of a dark reseller channel with software vendors carving out sales perks for their top infectors, Ford said.

“So what they’ve done is they’ve said, ‘Hey, I’m going to give you this malware that you can execute on any of your customers, and if you get a certain number of endpoints you get to keep 85 percent of whatever the ransom is and we’ll only take 15 [percent]. But if you get less than that, we want to take 35 percent,’” Ford said. “They not only have a channel and have partners, they have tech support. They have 1-800 numbers that can be called where if you are having a problem, they will walk you through it. … There’s really no reason to stop doing this until someone or something presents a barrier.”

As much as the company has been battered by the spike in ransomware attacks nationwide, ConnectWise has moved to become recognized as a leader in best security practices and educating MSPs about the risks to their networks, said Ford.

ConnectWise recently said that it is forming a Technology Solution Provider Information Sharing and Analysis Organization to “join hands with all of the vendors out there.”

Ford said anyone who wants in—including competitors—will have access to threat intelligence information ConnectWise collects from places like the U.S. Department of Homeland Security or the U.S. Computer. Emergency Readiness Team (U.S.-CERT) That information will be put into a specific format and then shared directly with members.

Ford compared it to the industrywide Information Sharing and Analysis Center—a highly regarded nonprofit organization that provides a central resource for gathering information on cyberthreats to critical infrastructure. The difference, he said, is that this one will focus exclusively on the MSP space.

Just last week ConnectWise participated in a panel hosted by rival Datto as well as security gurus ID Agent and Huntress Labs for a roundtable about MSP security and the threat of ransomware. The panel was webcast and it was moderated by an MSP who had been hit.

“The velocity is changing,” Ford said of attacks. “MSPs have at their disposal the keys to the kingdom to their customer base in a remote fashion. Why that makes them a nice target for the attack groups is the bad guys can leverage the same tools that the MSPs are using to manage their customers to launch an attack, or support one. So we’ve been preaching this for a while: For any MSP out there who does not believe they are a target, I would highly recommend they start reading [the news]. They are a target.”