So with ransomware attacks on the rise, you can kind of look at the people who run these ransomware schemes as entrepreneurs. Illegal ones: it's not right to go around stealing from people and encrypting their computers and asking for money. That's absolutely illegal. There's no question. That doesn't mean we don't want to think about them, because you have to kind of get into their mindset to know where they're going, as, you know, business entrepreneurs looking for ways to scale up their business.
Now, attacking individual people has proven very effective for them. Attacking businesses is another lucrative measure because, you know, we can get the worm sent to a bunch of people and maybe spread it around via email inside of a company. But the next attack: why not attack the IT service or MSP companies that are running all these tools that have access to thousands of computers? It scales very well. So that's what they're doing.
And who are they attacking specifically? All companies that don't take security seriously are always going to be the first ones to fall. Granted, people who do take security seriously are still always going to be at risk, because they're looking for ways in, and very determined people motivated by large amounts of money are going to be highly motivated at attacking you. But trust me, you're going to take down the low-hanging fruit first: the people who are not using proper two-factor authentication or just have bad security hygiene practices, leaving RDP open and things like that, or opting out of 2FA despite it being available.
And that brings us to the ZDNet article, "Ransomware gangs hack MSPs to deploy ransomware on customers' computers." And that's exactly what happened. Hackers got in via RDP. And Kyle Hanslovan from Huntress Labs, he's actually a friend. I've talked to him about this. We talk about security from time to time. We are also a user of the Huntress product and they offered a lot of insight into this.
And they did an interview here for ZDNet, but we're actually going to go a step further and we'll be limited to this, but then we'll show the Reddit post that they're referring to, which is this right here.
So in short, what these people did, the attackers: they came in via RDP. Sounds like weak, compromised credentials. One, why was RDP exposed publicly? That's just the first facepalm I have on this. The next stage of the attack: hackers search for accounts for Webroot SecureAnywhere, a remote management tool console used by MSPs to manage remotely located workstations in the networks of their customers. Now, once again, this is not a compromise of the Webroot system, but because the Webroot system allows deployments at scale, that's what they did. They used that to go and deploy the ransomware across all the machines.
So this is where we are going to switch over to here and walk through a little bit of the debrief here. Now it actually says that in this Reddit title, "Kaseya weaponized to deliver Sodinokibi" (I don't know if I should say that) "ransomware." And it turns out what they did was compromise the tooling. We walked through each little step of the way here. We've seen two cases of an actor appearing to target MSPs with this. There actually have been a couple more MSPs involved. You come up to the latest update here, which occurred at 8:29 PM on 6/20, 2018. We reviewed the indicators of compromise that strongly suggest Kaseya VSA was also leveraged to deliver this ransomware incident. The attackers executed a batch script and they went through all the script names.
Now this is where the problems occurred. They used the tooling against them because they weren't properly secured. And as I understand it, "Webroot and our product was not breached." This is an official statement from Webroot. But there's a little bit more to it, because Webroot apparently wasn't forcing people to use 2FA.
And by the way, their 2FA, apparently, per these users here (and I'm not a Webroot user to verify or deny this), is not very strong. Matter of fact, I kind of like the way someone worded it: "You don't have MFA. You offer one factor of authentication twice." Basically they just have a secondary password you put in. So you put in a first password. A good 2FA system, while this meets the minimum guidelines for being technically the truth of 2FA. Yeah, we've got two different factors of authentication.
But an ideal 2FA system would be some type of rotating number. And for example, I prefer the TOTP method. And most of the tooling that we use offers that as the method. I think all of it actually now does, where there's a rolling number that changes every 30 seconds, and that number is not something that you can find or save because every 30 seconds it changes. Those are better TOTP methods. That way they don't have static credentials. That's what you're really trying to avoid, because if you have a weak static credential and someone finds it, and in a case like this that is what happened, that static credential doesn't become the only thing needed. There's now a rotating credential. So if they had it, they have 30 seconds. If they're looking over my shoulder watching it roll through on my phone, they have 30 seconds to do this hack. They have a much greater challenge to getting in. It takes a lot more.
So this is one of the problems I've seen in the MSP space. So many people get really excited about a lot of things. They get excited about commissions. They get excited about sales and leads and how much money they can make in the MSP space. And sometimes security gets put down to be secondary. And this is very unfortunate, because one of the really bad victims of this is going to be the clients who trusted that MSP to provide them security. And instead, they were the attack vector, because this has clients scratching their heads going, we got ransomware. What did we do wrong?
Who do we have to be mad at? Who clicked the email? And really, oh, that company that we gave all this money per month to keep us secure, they didn't really bother following two-factor authentication. They left RDP open. And this is a really hard thing for small businesses to evaluate: how do you trust the IT people that you hired, the MSP that you hired, to do a good job? And it's an unfortunate situation.
The only good news maybe out of some of this is this will serve as a lesson to other MSPs to kind of stop and look back, because at some point, even if you have a good cyber-liability policy, it may not cover this. And the reason I say that is just having insurance is not a good answer to this. You should have good security. And insurance companies are undoubtedly going to increasingly deny claims when you weren't following best practices in your company. They're going to go, well, you had 2FA, you didn't even turn it on. You didn't audit your passwords. You offered weak passwords. You didn't have good security hygiene throughout your company. You left RDP open. Denied. Go deal with it. And this is probably what's going to end up happening, in my opinion, in some of these companies. I don't know the names of any of the companies, but obviously this is a big mess.
I'm doing this video, a lot of it, as a warning for other MSPs. If you work for one of these MSPs and you're like, oh man, they have horrible security practices, one of the things I've recommended to other people, because this actually is something people have reached out to me about on numerous occasions, or when I'm involved in some of the hacking groups: people, they're terrified of the company they work for. They're like, "I'm going to see them in the news," as one of the IT people I met put it. And I always remind them of what's referred to as "prudent man." You can look that up. And what would a prudent man do? And it's a phrase.
And that phrase, what that means is you document. You go, I told them they should turn 2FA on. You save a copy of that email outside of your work email. Because by the way, if they want to blame you for this compromise, if you're the person, even if it wasn't your fault, if you're the one that the blame is going to fall on for whatever reason, the first thing they may do is disable your company email account. So you want to document outside of your company email account that you raised awareness that this is something that needs to be addressed. Because you don't want to be that way.
If you're a business and you're using one of these MSPs, don't be afraid to ask them questions. I encourage my clients to ask us. We practice good security hygiene. We won't just give up a password to a client or just change a password based on a phone call. There are steps and procedures we have in place. We care a lot about security internally and externally for our clients. This is something that is near and dear to us because I care about it. I'm not just a geek in front of a keyboard. I'm also someone who cares a lot about security and I'm not in this game just to make a bunch of money.
Matter of fact, I tell people who think that there's just a ton of money to be made in the MSP space: yeah, you can make some money in this, but hopefully you're spending at least a good percentage of it, and time, on thinking about the security aspect of it. If you're just in this game to get money, go work in finance. There's way more money in playing in financial markets, if you're good at it, than there is in the MSP space. But if you have a passion for technology and you care about security and you want to do this, please take the time to do it right, because if you're part of that low-hanging fruit, these attackers are just going to eat you alive.
That's what we're starting to see here, and I only expect to be doing more videos about this. And over on How They Got Hacked, the videos that me and Xavier and Mo have been doing, we're going to be talking about this as well, and it's going to be a bigger and bigger factor. So this, like I said, attacks should keep getting worse. They keep getting better, and the low-hanging fruit are always the ones that get picked off first. So make sure you're not among them. Have all your security tight. Go through and audit it and stay safe out there. That's all I got to say. Thanks and talk to you later.
Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to LawrenceSystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video and see you next time.
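Added example, not part of the video or of any vendor's code: the contrast the transcript draws between a static "second password" and a rolling TOTP code, sketched with an RFC 6238 generator and a verifier that rejects reuse. The secret is the RFC 6238 test secret; `STATIC_CODE`, the timestamps and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code: the "rolling number" interval

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, code, now, used_steps, drift=1):
    """Accept a code for the current step +/- drift (clock skew), once only."""
    current = now // STEP
    for step in range(current - drift, current + drift + 1):
        if step in used_steps:
            continue                              # step already consumed: replay
        if hmac.compare_digest(totp(secret, step * STEP), code):
            used_steps.add(step)
            return True
    return False

def verify_static(stored: str, supplied: str) -> bool:
    """A fixed second password: valid whenever it is presented."""
    return hmac.compare_digest(stored, supplied)

# Constructed sample values (assumptions, not from the incident).
SECRET = b"12345678901234567890"   # RFC 6238 SHA-1 test secret
STATIC_CODE = "blue-horse-42"      # made-up static second password

def replay_demo():
    t0 = 59                        # moment both credentials are observed
    seen_totp = totp(SECRET, t0)
    used = set()
    return {
        "owner_login": verify_totp(SECRET, seen_totp, t0, used),
        "totp_reuse_seconds_later": verify_totp(SECRET, seen_totp, t0 + 1, used),
        "totp_reuse_2min_later": verify_totp(SECRET, seen_totp, t0 + 120, set()),
        "static_reuse_2min_later": verify_static(STATIC_CODE, STATIC_CODE),
    }

if __name__ == "__main__":
    print(replay_demo())
```

The `drift` window and the `used_steps` set are the two server-side settings worth auditing: the first bounds how long an observed code stays acceptable, the second stops the same code being accepted twice.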