MSP At Center Of Texas Ransomware Hit: ‘We Take Care Of Our Customers’
‘There are similar things that have happened recently regarding ConnectWise and ScreenConnect. Even since my attack, there have been some additional attacks. Same MO. ... There’s another issue that I’m concerned about that has not yet been resolved to my satisfaction that I can’t talk about yet,’ says Rick Myers, founder of TSM Consulting.
The owner of TSM Consulting—the MSP that was providing products and services to sites in 22 Texas towns and counties that were subject to a devastating ransomware attack—told CRN that he stands by his work, his employees and his customers.
“Fortunately, we’ve got a strong customer base and we’re going to be able to get through this,” said Rick Myers, who founded Rockwall, Texas-based TSM 22 years ago. “Our customers have stuck with us very well, and I give a lot of credit to the people who work here. We take care of our customers. We have the best customers in the world.”
Myers said he has been cooperating with Texas authorities and the Federal Bureau of Investigation since the Aug. 16 attack, which used an on-premises ConnectWise MSP remote access tool as an entry point to infect cities and towns with the ransomware.
“I’m sure that those doing the investigating will come out with their own conclusions, and I’m suspecting it will be in the near future,” Myers said in an exclusive interview with CRN. “There are several different investigations going on in several different levels and so I’ll leave it at that. We’ve been completely transparent with them. Anything they’ve asked for, we’ve delivered. … They’re anxious to find the ‘how’ in this so we all can prevent this in the future.”
Following the Aug. 16 Texas attack, the Texas Department of Information Resources, along with the FBI, launched remediation efforts as well as an investigation into the cause. Both the Texas Department of Information Resources and the FBI refused to comment for this story. Central to that probe is whether TSM—a key services provider for the 22 cities and towns—was breached.
All of the 22 sites hit in the Texas ransomware attacks were cleared for remediation and recovery within a week of being hit thanks to a response plan that was already in place, according to the Texas Department of Information Resources.
CRN was the first to report that TSM provided services to the affected towns. TSM on its website says it has a “strong background in data communications” that has enabled it to “grow in the law enforcement and local government markets.”
The company says it also has a proven track record providing equipment and support for over 300 law enforcement agencies throughout the state of Texas.
Myers is one of tens of thousands of MSPs—from the largest service providers in the world like Wipro to smaller regional providers like TSM itself—that are grappling with an onslaught of cyberattacks against their customers.
MSPs themselves are calling for stricter best practices in the wake of the onslaught. Many say MSPs and customers together have to take the threat seriously and implement tougher security measures.
In a number of cases, including a well-publicized breach against systems integrator behemoth Wipro earlier this year, the attacks appear to have been carried out using MSP tools as an entry point for the cyber-criminals.
Master MSP IT By Design was hit in June by a ransomware attack that spread to eight of its customers. In that case, IT By Design said that 48 hours later 96 percent of systems were restored. What’s more, the MSP said it did not pay any ransom to recover its systems.
The Texas ransomware attack was carried out using a version of ConnectWise Control, which was previously known as ConnectWise ScreenConnect, a remote access tool.
ConnectWise Chief Information and Security Officer John Ford said the company has been contacted by authorities and is cooperating. He said it appears the hackers accessed an on-premises version of Control. Because ConnectWise cannot peer into on-premises versions, it has no access to the logs and cannot say what may have led to the intrusion.
Myers appeared to take issue with ConnectWise, although he would not get into specifics.
“I’ll neither dispute nor agree with what they found. I couldn’t do either at this point conclusively,” Myers said of the ConnectWise view of the breach. “There are similar things that have happened recently regarding ConnectWise and ScreenConnect. Even since my attack there have been some additional attacks. Same MO. There are certain parts of our clients’ base we have to use MFA [multifactor authentication] on. There are certain parts we don’t. So I can’t say that it was on all the time, for all users. There’s another issue that I’m concerned about that has not yet been resolved to my satisfaction that I can’t talk about yet.”
Security experts are advising MSPs to implement strict multifactor authentication to ensure their customers are not compromised.
Myers, for his part, told CRN he is not sure if MFA would have made a difference in this case.
Myers said he believes the attacks are being carried out on “several different levels” with an as-yet unidentified “issue” that is key to the Texas ransomware attack.
CRN asked Myers if that yet-to-be-identified “issue” is what allowed the penetration of his government customers. “I’d say it’s a contributing factor,” he said.