This article is more than 1 year old

It woz ransomware wot did it: ConnectWise spills beans on cause for day-long outage

Hackers got in via offsite machine used for cloud performance testing

A customer email from biz automation outfit ConnectWise has revealed that a ransomware attack was to blame for an outage which crashed its systems for a whole day earlier this month.

At 7.30am on Friday 3 May, the firm's security systems warned that some SQL servers on the EU/AWS cluster were unavailable. Closer examination revealed several servers were inaccessible so they were taken offline and access to the whole cluster restricted to a few customers.

The email sent today stated:

Our initial examination pointed toward some type of malware. The cloud team built and deployed new AWS clusters with known good backup restorations. This contributed to the downtime experienced by ConnectWise EU partners. As our investigation ensued, our teams discovered that the malware was ransomware. All partner access was restored by 3:16 pm BST. Email Connector service was enabled at 4:20 pm BST. Reporting services were back online by 5:15 pm BST.

ConnectWise brought in a third-party forensics specialist to figure out what went wrong.

That investigation "confirmed that the ransomware variant used in the attack generally only encrypts files to extort a ransom payment, and is not designed or capable of reading, removing, or altering data. Based on our investigation to date, the only impact of the intrusion was loss of access to our hosted SaaS application. We found no indication that any personal data was destroyed, altered, disclosed to, or accessed by an unauthorized party. Accordingly, we do not believe there is a risk to the rights and freedoms of EU data subjects as a result of this outage."

Lightning, photo via Shutterstock

If Carlsberg did cloud outages, they'd probably look like ConnectWise's


Hackers got in via an offsite machine used for cloud performance testing. ConnectWise will be talking to the relevant law enforcement agencies.

In order to reduce the possibility of a repeat attack, ConnectWise has added an extra layer of authentication for all users and shored up security between the SQL clusters and the rest of the environment.

ConnectWise will in future take a snapshot of "the transaction log backups each hour to reduce the recovery point in the event the transaction logs are compromised".

The company has ladled out a 10 per cent credit to customers based on their European cloud May invoices. ®

More about


Send us news

Other stories you might like