Top 5 MSP Cyberattacks
Published On: April 26th, 2024 | 7 min read | Categories: MSP, Ransomware

In 2022, we published an article discussing the rise in targeted cyberattacks on managed service providers (MSPs), which included warnings from the Five Eyes intelligence alliance. Nearly two years later, it has become evident that these warnings were well-founded, as attacks on MSPs now occur on a regular basis. In this article, we will explore the top 5 MSP cyberattacks between 2023 and 2024.

1. CTS Cyber Attack (November 2023)

In November 2023, CTS, an IT services provider specializing in support for the UK’s legal sector, experienced a severe cyberattack. This incident led to substantial disruptions for a wide range of law firms, affecting their daily operations and access to crucial case management systems.

The attackers exploited the CitrixBleed vulnerability (CVE-2023-4966) in Citrix NetScaler ADC and Gateway, a memory disclosure flaw that leaks authenticated session tokens and lets an attacker hijack existing sessions without knowing credentials or passing MFA. The bug attracted both nation-state actors and cybercriminal groups such as LockBit. A caveat for defenders: tokens stolen this way remain valid after the appliance is patched, so Citrix advised terminating all active and persistent sessions alongside the update; patching alone does not evict an attacker who already holds a session.

The attack on CTS had far-reaching consequences, impacting between 80 and 200 law firms across the UK. These firms faced significant service outages, which hindered their ability to work effectively and manage legal transactions.

Despite CTS’s efforts to address the disruption, including collaborating with a global cyber forensics firm, the company was unable to provide a specific timeline for when full services would be restored.

2. Tietoevry Ransomware Attack (January 2024)

In January 2024, Tietoevry, a Finnish IT and cloud services provider, was hit by a ransomware attack. The incident targeted one of Tietoevry's data centers in Sweden, leading to significant disruptions for a range of Swedish entities, including government agencies, universities, and commercial enterprises.

The Akira ransomware group was identified as responsible for the attack. The breach was notable not only for its immediate impact on services but also because it affected Primula, a payroll and HR system widely used by Swedish universities and more than thirty government authorities.

The attack on Tietoevry’s infrastructure was part of a broader pattern of Akira ransomware activities targeting organizations in Finland since June 2023, signaling an escalation in the group’s operations.

The company acknowledged the serious nature of the ransomware attack and reported it to the police, although the full financial impact was still being assessed.

3. Lumen Technologies Cyberattacks (March 2023)

In March 2023, Lumen Technologies disclosed two significant cyberattacks. One of the incidents was a ransomware attack that affected a small subset of Lumen’s servers, specifically those associated with a segmented hosting service, leading to service slowdowns for a few enterprise clients.

The ransomware intrusion resulted in degraded operations but, according to Lumen, was unlikely to have a long-term negative impact on its capacity to serve customers or on its business and financial outcomes.

The company took immediate action to mitigate the attack's effects, including working with external forensic experts and law enforcement, while also activating business continuity plans to restore affected services.

The second incident involved unauthorized access to Lumen’s internal IT systems, where the attacker conducted reconnaissance, deployed malware, and extracted a limited amount of data. Despite the breach, Lumen once again reassured clients and shareholders that the incident would not substantially impact its operations or financial results.

4. HTC Global Services Data Breach (December 2023)

In December 2023, HTC Global Services, an IT services and business consulting firm, acknowledged a cyberattack following the ALPHV (BlackCat) ransomware group’s publication of screenshots of data they claimed to have stolen from the company.

The exposed data reportedly included sensitive materials such as passports, contact lists, emails, and confidential company documents. The breach was part of a wave of attacks by the ALPHV gang, which is known for targeting large enterprises and for pairing encryption with data theft to extort its victims.

The specifics of the attack, including how the breach occurred, were under investigation. One theory pointed to exploitation of the CitrixBleed vulnerability on a Citrix NetScaler device operated by HTC's CareTech business unit, which could have given the attackers their initial access to HTC's network.

The ALPHV/BlackCat group, active since November 2021, is thought to be a rebrand of the DarkSide and BlackMatter ransomware operations. It became infamous for sophisticated attacks across many sectors, continuously refining its tactics to target and extort global enterprises. After re-emerging from a law enforcement takedown, the group was rumored to have disbanded, yet attacks continue to be claimed under the BlackCat name.

5. Südwestfalen IT Ransomware Attack (October 2023)

In October 2023, Südwestfalen IT, a service provider for over 70 municipalities in Germany, fell victim to a ransomware attack that caused significant disruption to local government services. The incident cut off access to essential services, including town hall systems, websites, email, and telephony, affecting the daily operations and services provided to citizens.

The attack, attributed to the Akira ransomware group, encrypted the provider's servers, and the provider severed its data center connections to prevent the malware from spreading further. As a result, municipalities faced severe limitations in their service capabilities, impacting nearly all town halls in the region.

In response to the crisis, Südwestfalen IT took immediate measures, including the commencement of forensic analyses of the affected systems, to systematically examine customer systems and prioritize the restoration of essential services. Despite these efforts, the service provider anticipated extended downtimes, with initial workarounds expected to be introduced in the following weeks to gradually restore public services.

The attack’s timing was unfortunate, as it coincided with the end of the month when local governments typically perform financial transactions, thus potentially affecting payments like salaries and social assistance.

Partner with BlackFog to Secure Data and Prevent Attacks

In recent years, double extortion ransomware attacks have become increasingly prevalent, exacerbating the risks faced by MSPs and their clients. Double extortion involves attackers not only encrypting data but also exfiltrating sensitive information before encryption, enabling them to threaten public release or sale of the stolen data if the ransom is not paid.
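Because double extortion depends on moving data out before encryption begins, the most useful early signal is a host sending far more outbound data than it normally does, often to a destination it has never talked to. The following Python is an added example, not BlackFog's ADX product or code from the incidents above: it applies a simple volumetric baseline to constructed flow records (RFC 5737 documentation addresses, so clearly not real telemetry) and flags a workstation whose egress jumps past its own history while leaving a busy but steady backup server alone. The host names, thresholds and record layout are assumptions chosen for the illustration.

```python
"""Flag hosts whose outbound volume departs sharply from their own baseline:
the egress pattern of pre-encryption data theft in double extortion attacks.

Added example; the flow records below are constructed, not real telemetry."""
import statistics
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records as (day, host, dst_ip, bytes_out).

    Days 1-5 are the baseline; on day 6 WS-07 pushes 4.5 GB to an address
    it has never contacted before, while FS-01 keeps doing its large but
    steady nightly offsite backup."""
    flows = []
    for day in range(1, 6):
        flows.append((day, "WS-07", "203.0.113.10", 180_000_000))   # ordinary web/SaaS traffic
        flows.append((day, "WS-07", "203.0.113.11", 20_000_000))
        flows.append((day, "FS-01", "198.51.100.5", 3_000_000_000)) # nightly backup, large every day
        flows.append((day, "WS-12", "203.0.113.10", 150_000_000))
    flows.append((6, "WS-07", "203.0.113.10", 170_000_000))
    flows.append((6, "WS-07", "192.0.2.77", 4_500_000_000))         # never-seen destination
    flows.append((6, "FS-01", "198.51.100.5", 3_100_000_000))
    flows.append((6, "WS-12", "203.0.113.10", 160_000_000))
    return flows


def egress_by_host_day(flows):
    """Sum outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def flag_exfiltration(flows, target_day, ratio=5.0, min_bytes=500_000_000):
    """Return an alert for each host whose egress on target_day exceeds both an
    absolute floor (min_bytes) and `ratio` times the median of its own earlier
    days. Comparing each host to itself keeps a legitimately busy server quiet
    and still catches a normally quiet workstation that suddenly uploads gigabytes.
    Hosts with no history are skipped here; in practice they need their own rule."""
    totals = egress_by_host_day(flows)
    known_dsts = defaultdict(set)
    for day, host, dst, _ in flows:
        if day < target_day:
            known_dsts[host].add(dst)

    alerts = []
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < target_day]
        if not history:
            continue
        observed = per_day.get(target_day, 0)
        baseline = statistics.median(history)
        if observed >= min_bytes and observed > ratio * baseline:
            todays_dsts = {dst for d, h, dst, _ in flows if d == target_day and h == host}
            alerts.append({
                "host": host,
                "observed_bytes": observed,
                "baseline_median": baseline,
                "new_destinations": sorted(todays_dsts - known_dsts[host]),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_exfiltration(build_sample_flows(), target_day=6):
        print(f"{alert['host']}: {alert['observed_bytes']:,} bytes out "
              f"(baseline {alert['baseline_median']:,}); "
              f"new destinations: {', '.join(alert['new_destinations']) or 'none'}")
```

The per-host baseline is the important design choice: a global threshold tuned low enough to catch a workstation would fire every night on the backup server, and one tuned for the server would miss the workstation entirely. The never-seen destination is the second clue worth surfacing, since exfiltration to an attacker-controlled host is rarely to somewhere the machine already talks to.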

BlackFog provides a comprehensive solution to help MSPs prevent ransomware, safeguard their clients’ valuable data, and mitigate the risks associated with double extortion. BlackFog’s anti data exfiltration (ADX) technology stops ransomware in its tracks by preventing unauthorized data transmission from infected devices, effectively neutralizing the threat.

As an MSP, implementing BlackFog can enhance your cybersecurity offerings, differentiate your services from competitors, and provide your clients with peace of mind knowing their data is protected against the growing threat of ransomware and double extortion attacks.

If this sounds interesting to you, contact us today for a demo and discover how BlackFog can help you stay ahead of data exfiltration and ransomware threats.
