Italian cybersecurity firm TG Soft told the news outlet that a distributor for WinRAR in Italy was one such victimized website. The ransomware attacks executed through MSPs were first reported by users on the r/msp subreddit, who warned that adversaries were accessing MSP networks via Remote Desktop Services and then pushing the ransomware to client endpoints using various management consoles such as Webroot, Kaseya and ConnectWise. (The news reports also received similar intel from Kyle Hanslovan, CEO of Huntress Labs.)

Bleeping Computer also detailed a new phishing campaign, discovered by TG Soft, which sent potential victims spam emails impersonating travel website Booking.com. The emails contained a malicious Word document attachment that would download Sodinokibi from a remote site if the recipient enabled its embedded macros.

And in a follow-up story just yesterday, Bleeping Computer cited a warning from exploit kit researcher nao_sec, who discovered that Sodinokibi was also being distributed via malvertisements on the PopCash ad network that redirect to the RIG exploit kit.