Space Bears Ransomware Group Claims Major Breach of U.S.-Based Business Technology Solutions (BTS) in "QuasarBreach" Operation
December 8, 2025 — Updated 19:40 UTC
In one of the most significant managed service provider (MSP) compromises of 2025, the aggressive ransomware collective known as Space Bears has claimed a full-scale breach of Business Technology Solutions LLC (BTS), a Maryland-based MSP that manages IT infrastructure for more than 400 small and medium-sized businesses across the United States.
The attack, internally codenamed "QuasarBreach" by the attackers, combines classic remote access exploitation with sophisticated post-compromise tradecraft, ultimately granting the group domain dominance over BTS's entire client ecosystem. Space Bears now threatens to release 1.2 terabytes of allegedly stolen data unless a multi-million-dollar ransom is paid by December 15.
Who Are Space Bears? A Closer Look at 2025's Fastest-Rising Ransomware Threat
Space Bears surfaced publicly in June 2025 and quickly earned a reputation for speed, technical sophistication, and theatrical branding. Despite their lighthearted name and cartoon mascot (a bear in an astronaut suit holding a bitcoin), researchers assess the group as a professional, Russian-speaking ransomware-as-a-service (RaaS) operation with possible lineage to the dismantled Conti and BlackCat organizations.
Key characteristics include:
- Use of custom-written ransomware encryptors compiled in Go and Rust
- Heavy reliance on Cobalt Strike and Brute Ratel C4 frameworks
- Rapid weaponization of zero-day and n-day vulnerabilities in VPN and RDP appliances
- Aggressive "name-and-shame" policy — even partial ransom payments rarely prevent data publication
- Current victim count exceeds 60 organizations worldwide in just six months
Kill Chain: How QuasarBreach Unfolded (November 18 – December 7, 2025)
Phase 1 – Initial Access (November 18)
The intrusion vector was painfully commonplace yet devastatingly effective: an internet-facing Remote Desktop Protocol (RDP) server belonging to a BTS-managed accounting firm in Richmond, Virginia. The server, running Windows Server 2012 R2, had not been patched against the BlueKeep vulnerability family and was protected only by a weak eight-character password.
Using a publicly available RDP brute-force tool, Space Bears gained access within hours. From there, attackers executed a modified Mimikatz variant to harvest domain credentials.
Phase 2 – Privilege Escalation & Lateral Movement
Within 36 hours, the attackers performed Kerberoasting attacks against BTS's central Active Directory domain, requesting service tickets for high-privilege service accounts and cracking them offline. By November 22 they possessed Domain Admin rights across the BTS corporate domain and the separate management domain used for client environments.
Cobalt Strike beacons were deployed to more than 420 endpoints, including BTS's own Kaseya VSA instance, ConnectWise Automate servers, and multiple Microsoft Azure virtual machines hosting client data.
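The two earliest steps described above, RDP password guessing (Phase 1) and Kerberoasting (Phase 2), both leave recognisable traces in Windows Security logs. The following detection logic is an added example, not code from the article or from any of the parties named in it; it runs over constructed sample events (hosts, users and IPs are made up) and uses the standard event IDs 4625 (failed logon, logon type 10 = RemoteInteractive/RDP) and 4769 (Kerberos service ticket request, encryption type 0x17 = RC4).

```python
# Added example: detection logic for the RDP brute-force and Kerberoasting
# steps of the QuasarBreach kill chain, run over constructed sample events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: six failed RDP logons from one source inside six
# minutes, one isolated failure from another source, then four RC4 service-ticket
# requests for distinct SPNs by one account (the Kerberoasting signature) and a
# benign AES (0x12) request by a normal user.
EVENTS = (
    [{"id": 4625, "time": f"2025-11-18T03:0{i}:00", "ip": "203.0.113.7",
      "user": "admin", "logon_type": 10} for i in range(6)]
    + [{"id": 4625, "time": "2025-11-18T09:00:00", "ip": "198.51.100.2",
        "user": "bob", "logon_type": 10}]
    + [{"id": 4769, "time": "2025-11-20T01:00:00", "user": "svc_ops",
        "etype": 0x17, "spn": s}
       for s in ("MSSQLSvc/db01", "HTTP/portal", "CIFS/fs01", "MSSQLSvc/db02")]
    + [{"id": 4769, "time": "2025-11-20T01:05:00", "user": "alice",
        "etype": 0x12, "spn": "CIFS/fs01"}]
)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return source IPs with >= threshold failed RDP logons inside any window."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            failures[e["ip"]].append(datetime.fromisoformat(e["time"]))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # Sliding window: count failures within `window` of times[i].
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(ip)
                break
    return flagged


def detect_kerberoasting(events, min_spns=3):
    """Return accounts requesting RC4 (0x17) service tickets for >= min_spns SPNs."""
    spns_by_user = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e.get("etype") == 0x17:
            spns_by_user[e["user"]].add(e["spn"])
    return {user for user, spns in spns_by_user.items() if len(spns) >= min_spns}
```

Real deployments would read these fields from the Security event log or a SIEM rather than a literal list; the thresholds are starting points to tune against a baseline of legitimate RC4 ticket requests.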
Phase 3 – Data Exfiltration (November 23 – December 3)
Over an eleven-day period, Space Bears quietly exfiltrated approximately 1.2 TB of data using Rclone configured to upload directly to their Mega.nz-controlled accounts. Stolen data categories include:
- Complete Active Directory NTDS.dit files (containing password hashes for thousands of users)
- Client contracts, tax returns, and financial statements
- HIPAA-protected electronic health records from 23 medical practices
- PCI-scope payment card data from two boutique retail chains
- Full Veeam and Acronis backup repositories (unencrypted)
- BTS internal source code, customer portal credentials, and master encryption keys
Phase 4 – Encryption & Extortion (December 4 – Present)
On December 4 at 02:17 EST, the custom Space Bears encryptor executed simultaneously across all identified high-value servers. Files were appended with the .QUASAR extension, and ransom notes demanded 142 Monero (approximately $4.7 million at time of writing).
A tiered leak schedule was posted:
- 5% sample data released December 6 (already published)
- 30% additional data on December 10 if no contact
- Full 1.2 TB dump on December 15 if ransom unpaid
Cascading Impact on Hundreds of Downstream Victims
Because BTS functions as a true outsourced IT department for its clients, the compromise has triggered widespread operational paralysis:
- More than 40 law firms have lost access to case management systems
- Eleven dental and medical clinics reverted to paper charts for multiple days
- Three school districts in North Carolina and Georgia experienced email and student information system outages
- Several manufacturing companies reported halted production lines due to inaccessible ERP instances
"We pay BTS to keep our network running 24/7. Instead, they just handed the keys to Russian criminals. We're looking at weeks of recovery and millions in losses," said the CFO of a Virginia-based logistics company affected by the breach.
BTS Response and Current Status
BTS took its primary website and client portal offline within hours of encryption. A short statement posted via a Google Sites page reads:
"Business Technology Solutions has experienced a sophisticated cybersecurity incident that has impacted certain systems. We have engaged leading external forensics experts and notified law enforcement. Affected clients are being contacted individually with guidance."
Multiple sources indicate BTS's insurance carrier has appointed Kroll as the incident response lead and Coveware as negotiator. As of this evening, negotiations remain in early stages.
Why This Attack Matters: The Growing MSP Threat Vector
Managed service providers have become the "crown jewels" for ransomware actors. A single successful MSP breach can yield hundreds of downstream victims while requiring only one initial foothold.
Recent comparable incidents include:
- Kaseya VSA supply-chain attack (2021)
- ConnectWise ScreenConnect exploitation wave (2024)
- Multiple SolarWinds Orion compromises (ongoing)
Cybersecurity experts now recommend MSP clients treat their providers with the same third-party risk rigor applied to cloud vendors — demanding SOC 2 Type II reports, evidence of immutable backups, and contractual liability clauses for supply-chain incidents.
Looking Ahead
With Space Bears demonstrating both technical capability and willingness to publish data regardless of payment, the coming week will reveal whether BTS and its insurance carrier choose to pay or attempt a lengthy recovery from whatever backups remain viable.
Either outcome will carry profound consequences for hundreds of American small businesses that placed their trust — and their data — in the hands of a single managed service provider.
The QuasarBreach incident is a stark reminder that in 2025, the most dangerous cyber attacks are no longer aimed at the largest corporations, but at the service providers on whom smaller organizations depend for survival.