A ransomware gang has destroyed at least three managed service providers (MSP) facilities and deployed their remote management tool, the WebrootSecureAnywhere console, to deploy ransomware on MSP’s client systems.
Hackers invade MSP through exposed RDP (Remote Desktop Endpoint), increased privileges within the compromised system, and manual uninstallation of AV products such as ESET and Webroot.
Next, the hacker searches for the Webroot SecureAnywhere account used to manage the remote workstation, executes the Powershell script, and downloads and installs the script for the Sodinokibi ransomware.
Webroot began to force two-factor authentication (2FA) to be enabled for the SecureAnywhere account, in the hope of preventing hackers from deploying new ransomware using other accounts. At the same time, local Romanian media reported that five hospitals in the capital, Bucharest, were infected with ransomware, but it is not possible to determine whether there is a link between the two.