Cyber Incident Victim: ConnectWise

Date: Nov 2019

Location: United States of America

Summary

ConnectWise faced ransomware attacks targeting on-premise installations of its Automate software, which enables centralized IT asset management. Attackers sought to compromise servers and deploy ransomware across entire customer networks, prompting the company to issue a security alert directing users to a support page for mitigation steps. However, the advisory lacked technical specifics such as exploited ports or attack vectors, leading to public confusion and reports of contradictory guidance in documentation. This incident followed prior ransomware campaigns against the platform, including one exploiting outdated plugins to distribute malware. The software is utilized by over 100,000 IT professionals, amplifying potential impacts.

Description

On November 8, 2019, ConnectWise alerted customers to active ransomware attacks targeting on-premise installations of its Automate software, a centralized IT management platform used to administer computer fleets and IT assets. Attackers sought to compromise these systems to gain control of servers and deploy ransomware across entire customer networks. The company emphasized that only on-premise deployments—chosen by organizations for heightened security—were affected, excluding its cloud-based offerings. ConnectWise issued mitigation guidance through a dedicated support page, urging users to implement unspecified security measures. However, the advisory omitted critical technical details regarding attacker methodologies, such as exploited vulnerabilities, network ports, or initial access vectors. This lack of specificity generated confusion among users, who publicly sought clarification on social media platforms like Twitter regarding precise attack mechanisms.

The incident represented a recurring threat pattern for ConnectWise, following a February 2019 attack where adversaries exploited an outdated plugin in Automate to distribute GandCrab ransomware. While the 2019 alert did not name the ransomware variant involved, it underscored the systemic risk posed by server compromises, enabling lateral movement and network-wide encryption. Contradictory instructions on the provided support page further complicated customer response efforts. With over 100,000 IT professionals relying on ConnectWise software, the attacks threatened widespread operational disruption through potential encryption of managed endpoints. The company’s notification focused exclusively on procedural countermeasures rather than disclosing forensic findings or indicators of compromise associated with the ongoing campaign.
