Code Defence Cyber security

The Gentlemen ransomware group targets MSPs via Bomgar RMM exploitation

A new ransomware threat actor has emerged that specifically targets Managed Service Providers (MSPs) in order to deliver encryption payloads to dozens of downstream clients at once. The group reaches that scale by rapidly exploiting remote monitoring and management (RMM) tools rather than breaching each victim individually.

The group, which calls itself The Gentlemen, has been linked to the exploitation of critical vulnerabilities in the Bomgar RMM platform (the product now sold as BeyondTrust Remote Support). By compromising a single MSP administrative account, the actors can push ransomware to every managed endpoint in the MSP’s customer portfolio. This bypasses each customer’s own perimeter and rides the trusted management channel for high-velocity distribution.

Targeting MSPs is a force multiplier for ransomware groups: one breach becomes a multi-victim data extortion event. When the management tooling itself is weaponized, endpoint security on individual hosts is largely neutralized, because the RMM agent already runs with the administrator privileges those controls are built to trust.

– Enforce phishing-resistant MFA (for example FIDO2/WebAuthn) on every administrative and technician account in the RMM platform; password-plus-push MFA is still phishable and does not meet this bar.

– Restrict access to the RMM administrative console and API to authorized administrative IP ranges or a Zero Trust access gateway; the management interface should never be reachable directly from the internet. (Agents must still reach the RMM server from customer networks, so the restriction belongs on the administrative side, not on agent check-ins.)

– Audit RMM platform logs for anomalous mass-distribution events (one account pushing scripts, files or commands to many endpoints within a short window) and for technician accounts created outside the normal provisioning process.

– Move to a least-privilege model in which RMM technician roles and agents do not carry standing administrative rights on endpoints; grant elevation just-in-time and scope it to the specific session and host.
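A concrete way to implement the log-audit item above, as an added example that is not code from the original post or from any RMM vendor: the script below parses a constructed, generic pipe-delimited audit log (timestamp|actor|action|target, an assumed format, not Bomgar/BeyondTrust’s real export) and flags (1) any account whose push events reach an unusually large number of distinct endpoints inside a sliding time window and (2) technician-account creation by anyone outside an assumed approved-admin set. The action names, threshold, window and approved-admin list are assumptions to be tuned to the platform and the MSP’s normal activity profile.

```python
"""Detection checks for MSP-scale RMM abuse (added example, not vendor code).

Log format is an ASSUMED generic audit line: timestamp|actor|action|target.
Map your RMM platform's real export fields onto these four before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions; adjust to the MSP's normal activity profile).
PUSH_ACTIONS = {"script.push", "file.push", "command.run"}  # assumed action names
MASS_PUSH_THRESHOLD = 25                  # distinct endpoints touched by one actor...
MASS_PUSH_WINDOW = timedelta(minutes=10)  # ...within this sliding window
APPROVED_ADMINS = {"admin.root"}          # who may create technician accounts (assumed)


def parse_line(line):
    """Split one audit line into (datetime, actor, action, target)."""
    ts, actor, action, target = line.strip().split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target


def find_mass_pushes(lines, threshold=MASS_PUSH_THRESHOLD, window=MASS_PUSH_WINDOW):
    """Return {actor: peak_distinct_endpoints} for every actor whose push
    events reached `threshold` distinct endpoints inside any `window`."""
    events = defaultdict(list)                 # actor -> [(ts, target)]
    for line in lines:
        ts, actor, action, target = parse_line(line)
        if action in PUSH_ACTIONS:
            events[actor].append((ts, target))

    alerts = {}
    for actor, evs in events.items():
        evs.sort()                             # sliding window needs time order
        in_window = defaultdict(int)           # target -> event count inside window
        start, peak = 0, 0
        for ts, target in evs:
            in_window[target] += 1
            # Evict events that have fallen out of the window on the left.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


def find_unauthorized_account_creation(lines, approved=APPROVED_ADMINS):
    """Return [(actor, new_account)] for technician accounts created by
    anyone outside the approved admin set."""
    hits = []
    for line in lines:
        _, actor, action, target = parse_line(line)
        if action == "technician.create" and actor not in approved:
            hits.append((actor, target))
    return hits


def build_sample_log():
    """CONSTRUCTED sample telemetry, not real logs. tech.bob is a normal
    technician; tech.alice is a compromised MSP admin who creates a rogue
    technician account and then pushes a script to 30 hosts in 90 seconds."""
    lines = [
        "2025-03-01T09:15:02Z|tech.bob|session.start|ws-0101",
        "2025-03-01T09:20:44Z|tech.bob|script.push|ws-0101",
        "2025-03-01T11:02:10Z|tech.bob|file.push|ws-0107",
        "2025-03-01T14:31:55Z|tech.bob|script.push|ws-0112",
        "2025-03-01T02:00:05Z|tech.alice|technician.create|svc-backup2",
        "2025-03-01T02:00:09Z|admin.root|technician.create|tech.carol",
    ]
    t0 = datetime(2025, 3, 1, 2, 1, 0)
    for i in range(30):
        ts = (t0 + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts}|tech.alice|script.push|ws-{i:04d}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for actor, n in find_mass_pushes(log).items():
        print(f"ALERT mass push: {actor} reached {n} endpoints within {MASS_PUSH_WINDOW}")
    for actor, acct in find_unauthorized_account_creation(log):
        print(f"ALERT rogue technician: {acct} created by {actor}")
```

The sliding window counts distinct endpoints rather than raw events, so a technician re-running a script on one troublesome host does not trip the alert, while a single account fanning out to a whole customer portfolio does. In production, feed the functions the platform’s exported audit events and baseline the threshold against the largest legitimate patch or deployment job the MSP runs.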

MSP-scale attacks require a shift in trust: the management channel must be scrutinized as closely as an external threat. #CodeDefence #Ransomware #MSP #Bomgar #SupplyChain