Ransomware in 24 Hours, Kaseya Kills High-Watermark, and Bluesky's Post-Mortem Is Art
Your weekly Tech tl;dr roundup
This is an IT Support Group
Tuesday Briefing
Ransomware in under 24 hours, Kaseya kills high-watermark pricing, and Bluesky's outage post-mortem is a work of art

GM IT pros!
Happy Tuesday! Here's what's worth knowing this week.
-Stetson
Tech News TL;DR
This week's IT and tech news in 5-minutes-ish or less
LEAD STORY: Storm-1175 Is Dropping Medusa Ransomware in Under 24 Hours
If you're in healthcare, education, or finance, read this twice.
Microsoft published a deep dive on Storm-1175, a threat actor exploiting web-facing vulnerabilities, including a SmarterMail zero-day (CVE-2026-23760), and deploying Medusa ransomware within 24 hours of gaining access. That's initial access to full encryption in less time than most orgs take to triage a P1 ticket.
Their playbook is nasty but predictable: exploit an unpatched perimeter asset, use encoded PowerShell to add C:\ to AV exclusion paths (effectively neutering your endpoint protection), exfil data with Bandizip + Rclone, then drop Medusa for the double-extortion payday. Primary targets: healthcare, education, professional services, and finance in the US, UK, and Australia.
The takeaway for IT teams: if you're running anything web-facing that hasn't been patched in the last 30 days, you're in the blast radius. Storm-1175 is specifically hunting the gap between vulnerability disclosure and patch adoption. Don't be the gap. Microsoft Security Blog · Dark Reading
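The "add C:\ to the AV exclusions" step above is something you can check for on your own fleet. The script below is an added example, not from the newsletter or Microsoft's report; it assumes an elevated session on a Windows host with Microsoft Defender and its PowerShell module, and that the Defender operational log has not been cleared.

```powershell
# Added example (not the newsletter's or Microsoft's code). Assumes an elevated
# PowerShell session on a host running Microsoft Defender with the Defender module.

function Get-BroadDefenderExclusions {
    # Flag path exclusions that cover a whole volume or a user-writable staging area.
    $prefs = Get-MpPreference
    foreach ($path in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $p = $path.TrimEnd('\')
        if ($p -match '^[A-Za-z]:(\\\*+)?$') {
            [pscustomobject]@{ Severity = 'High'; Exclusion = $path; Reason = 'Covers an entire volume' }
        } elseif ($p -match '^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)(\\|$)') {
            [pscustomobject]@{ Severity = 'Medium'; Exclusion = $path; Reason = 'User-writable location' }
        }
    }
}

function Get-RecentExclusionChanges {
    param([int]$Days = 30)
    # Event ID 5007 in the Defender operational log records configuration changes;
    # keep only the ones that touched an exclusion list. A suspiciously empty result
    # on a busy host can itself mean the log was cleared.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\(Paths|Processes|Extensions)' } |
        Select-Object TimeCreated, Message
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe -EncodedCommand (or -e/-ec/-enc) takes base64 of a UTF-16LE
    # string; decode it so the script body from a 4688/Sysmon event can be reviewed.
    if ($CommandLine -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
    }
    return $null
}

# Run the audit and surface anything that needs a human look.
Get-BroadDefenderExclusions | Format-Table -AutoSize
Get-RecentExclusionChanges -Days 30 | Format-Table -Wrap
```

Feed a suspicious process command line into ConvertFrom-EncodedCommand to see what the encoded PowerShell actually did; a 5007 event adding a drive root to Exclusions\Paths shortly before is the pattern described above.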
LEAD STORY: Kaseya Killed High-Watermark Pricing
MSP owners, check your deployment counts before the invoice hits.
Kaseya officially rolled out Committed Minimum Quantity (CMQ) billing for Datto RMM, SaaS Protection, and Autotask. The rest of the Kaseya product line follows by June 30. If you've been quietly over-deploying agents and riding the "they won't notice" wave, April is your wake-up call.
Here's how it works: your minimum license count is locked at whatever your CMQ is. If you're under that number, you still pay for all of them. If you go over, you pay as you go for the overage. No more high-watermark where one bad month of agent sprawl permanently jacks your baseline up.
In theory, this is better for MSPs. In practice, if you haven't audited your actual deployed agent count vs. what you're committed to, you might be paying for ghost licenses, or about to eat surprise overage charges. Audit your deployments now, not after the invoice lands. CMQ FAQ · CRN Coverage
LEAD STORY: Bluesky's Outage Post-Mortem Is a Masterclass
When your logging infrastructure becomes the attack surface.
Bluesky published a post-mortem that every engineer should bookmark. The short version: millions of failed memcache writes spawned millions of blocking log syscalls, which spawned 10x more OS threads than normal, which killed Go's garbage collector with stop-the-world pauses. The whole platform went down not because of a DDoS or a bad deploy, but because logging itself became the bottleneck.
The root cause chain is beautiful in a horrifying way. A new internal service sent batches of 15-20k URIs at once. Unlike every other RPC handler, this one endpoint was missing a concurrency limiter. Those goroutines overwhelmed memcached connections, which exhausted ephemeral ports via TCP TIME_WAIT, which triggered the error logging flood, which created a death spiral that took until Wednesday to fully diagnose (service was stabilized Monday, but the actual root cause took two more days).
The fix? A custom dialer to randomize ephemeral ports, plus adding the missing concurrency bound. Two lines of prevention for three days of pain. If you run anything in Go at scale, this post-mortem is required reading. Full Post-Mortem · HN Discussion
QUICK HITS
The rest of the chaos, speed-round style.
Copilot vs. Claude Code: The Shadow IT Problem Nobody's Talking About
GitHub Copilot dominates enterprise adoption (90% of Fortune 100), but Claude Code leads developer satisfaction surveys by a wide margin. The real story for IT: if your devs are going rogue with unapproved AI tools because the approved ones don't cut it, your "approved tools" list isn't a policy; it's a suggestion. Time to audit what's actually running on dev machines. Read more
Smart Slider 3 Pro Got Backdoored for 6 Hours, and That Was Enough
Unknown attackers hijacked Nextend's update servers and pushed a weaponized v3.5.1.35 of Smart Slider 3 Pro between April 7-13. If your WordPress sites had auto-updates on, they got a full remote access toolkit: hidden admin accounts, arbitrary code execution, and data exfil to a C2 domain. The free version wasn't affected, but 800K+ Pro installs were in the blast radius. Check your sites. Bleeping Computer · The Hacker News
Secure Boot Certificates Expire June 26, and Windows Server Won't Auto-Patch
The UEFI Secure Boot certificates that have underpinned Windows boot security for 15 years are expiring. Desktop Windows gets the update automatically. Windows Server? You're on your own: manual action required. If you miss it, you lose boot protection, can't install future security updates, and can't trust signed software. 71 days and counting. Start planning now. Microsoft Blog · Server Playbook
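Before you can plan the Server rollout you need to know which boxes still only carry the old CAs. The check below is an added example, not the newsletter's or Microsoft's code; it assumes an elevated session on a UEFI-booted Windows Server, and the registry servicing key and the 2023 certificate names are taken from Microsoft's Secure Boot servicing guidance (treat the key as an assumption on older builds).

```powershell
# Added example (not the newsletter's or Microsoft's code). Assumes an elevated
# session on a UEFI Windows Server host. Certificate names and the servicing
# registry key follow Microsoft's Secure Boot guidance; verify on your build.

function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled = $false
        DbHas2023CA       = $false   # new 'Windows UEFI CA 2023' present in the allowed-signers DB?
        DbHas2011PCA      = $false   # legacy 'Microsoft Windows Production PCA 2011' still present?
        KekHas2023KEK     = $false   # new KEK needed to accept future DB/DBX updates?
        ServicingStatus   = 'Unknown'
    }
    # Legacy BIOS hosts throw here; report them as "not Secure Boot" and stop.
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI } catch { return [pscustomobject]$result }

    # Get-SecureBootUEFI returns the raw variable bytes; the CA subject names are ASCII inside the certs.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $result.DbHas2023CA   = $db  -match 'Windows UEFI CA 2023'
    $result.DbHas2011PCA  = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.KekHas2023KEK = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # Assumption: updated builds track rollout state under this key (UEFICA2023Status).
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $svc -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($status) { $result.ServicingStatus = $status.UEFICA2023Status }
    [pscustomobject]$result
}

$s = Get-SecureBootCertStatus
$s | Format-List
if ($s.SecureBootEnabled -and -not $s.DbHas2023CA) {
    Write-Warning 'Secure Boot is on but the 2023 CA is not in DB yet: schedule the manual update before June 26.'
}
```

Run it through your RMM as an inventory script and you get a per-host list of servers still relying on the 2011 CA, which is the list you need to work before the deadline.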
LLM traffic converts 3× better than Google search
58% of buyers now start their research in ChatGPT or Gemini, not Google. Most startups aren't showing up there yet.
The ones that are get cited by the AI tools their buyers, investors, and future hires already use. And they convert at 3×.
Download the free AEO Playbook for Startups from HubSpot and get the exact steps to start showing up. Five minutes to read.
That's the briefing for this week. Patch your perimeter, audit your agents, and read that Bluesky post-mortem before your next on-call shift.
Stay paranoid. Stay patched. See you next Friday

