Kaseya Ransomware Attack 'Going to Be Another SolarWinds'
REvil said it infected more than 1 million devices. But Kaseya says less than .01% of customers were impacted.
![ransomware ransomware](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt3c6e0f1e64b0e0ec/65244383be6982fd056d0c48/17-Ransomware.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Huntress has been tracking the attack from the start. John Hammond is its senior security researcher. He said REvil saying it has infected more than a million systems “could very well be bragging, and we are not aware of any validation on this claim.”
“They have offered new terms to pay for a full universal decryptor, to recover the data for all the affected victims, with the asking price of $70 million,” he said. “As security researchers have reached out, we have seen this number fall to $50 million.”
The full effect is still very difficult to measure and “currently, we have not yet seen a patch be released,” Hammond said.
Bryson Bort is CEO of Scythe, an adversary emulation platform for the enterprise and cybersecurity consulting market.
“This is going to be another SolarWinds in size,” he said. “MSPs are the trusted backbone to many companies and this compromise takes advantage of that relationship. Pour one out for the thousands of folks who just lost their 4th of July weekend to this latest (and not the last) threat campaign.”
Kevin Reed is CISO at Acronis. He said MSPs are high-value targets.
“They have large attack surfaces, making them juicy targets to cybercriminals,” he said. “One MSP can manage IT for dozens to 100 companies. Instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all.”
In this attack, “we’re talking several millions of dollars in potential ransom payouts alone – and hundreds of millions in direct losses from business closure,” Reed said.
“Like in the case of Coop, the Swedish store chain affected by this attack and forced to close 800 stores,” he said. “While we detect this type of ransomware, not many do. The fact that the ransomware was embedded in Kaseya VSA has helped it to spread to a large number of targets quickly – similar to how the WannaCry attack allowed criminals to quickly penetrate hundreds of companies. This attack is already showing a larger scale. It won’t end right away, likely leading to bigger impact.”
This attack was “definitely done on purpose” over the July 4th weekend, Reed said.
“Ransomware criminals use public holidays to maximize the attack success rates, as well as the chances of a payout,” he said. “With your guard down and chain of command interrupted, you are more likely to agree to pay the ransom – just to get your files decrypted. While we advise to never pay the ransom, the reality is businesses that can’t rely on their incident response plan still pay the criminals – as seen in recent JBS and Colonial Pipeline cases. Ransomware demands against the breached clients in this case varied from the initial demand of $44,999-$5 million, with further possibility of steep fines from the authorities for those opting to pay.”
CompTIA and its member companies have taken several actions to help IT companies affected by this attack.
CompTIA is forming a rapid response team comprised of internal and member resources to help any IT firm that is the victim of a cyberattack, regardless of whether they are a CompTIA member.
Additionally, the CompTIA Information Sharing and Analysis Organization (ISAO) is providing near real-time updates on the attack in its cyber forum, with the information available to the entire industry, not just ISAO members.
MJ Shoer is CompTIA ISAO’s senior vice president and executive director.
“Within hours of the attack being discovered, more than three-dozen members of the CompTIA ISAO offered assistance, including driving or flying to impacted companies to provide additional boots on the ground, as well as sharing communications, incident response strategies, technical support and other resources,” he said.
Shoer said many industry professionals felt this attack, classified as a sophisticated supply chain attack by the FBI and CISA, was inevitable, especially for MSPs. A 2021 CompTIA survey found 62% of MSPs were very concerned and 30% somewhat concerned about being targeted with cyberattacks.
“Kaseya just holds the unfortunate distinction of being the company attacked, even as they were working on closing down the very vulnerability that the attackers used,” he said. “Kaseya is to be commended for their transparency throughout this attack.”
Garret Grajek is CEO of YouAttest, a cloud-based identity governance and administration (IGA) engine. He said the Kaseya attack continues a disturbing trend made public by the SolarWinds attack: the ability of attackers not just to infect a single site, but to successfully integrate their malware into the existing software supply chain. In this case, the vehicle was Kaseya VSA.
“It’s important to note the ransomware is being requested by an affiliate of REvil, which makes these attacks all the more worrisome,” he said. “It’s an entire ecosystem of cyber terrorists working against our IT infrastructure. Constant vigilance on the privileges of our accounts and changes must be accounted for in a secure environment.”
Richard Blech is founder of XSOC, which provides a hybrid symmetric encryption engine aimed at accelerating commercial cryptography to thwart sophisticated threat actors. He said this attack continues to claim new victims. And it’s left both direct customers and their clients “in tatters.”
“These brands face a new week not running business as usual, but scrambling to respond to an attack so large the White House weighed in on a holiday weekend,” he said. “How was REvil, believed to be behind the attack, able to create such devastation in such a short amount of time? Both the timing of the Kaseya attack and the choice of victim played roles in the far-reaching outcome. The lack of preparation and awareness by Kaseya allowed the attack to spread to dozens of smaller businesses and organizations.”
REvil has a history of attacking brands responsible for other companies, Blech said.
This weekend’s Kaseya VSA supply chain ransomware attack breached about 50 customers, and penetrated or directly impacted up to 1,500 downstream businesses.
About 70%, or 35, of the customers impacted by the attack are MSPs.
On July 2, internal and external sources alerted Kaseya to the attack. Within an hour, the company shut down access to the software in question.
Kaseya’s MSPs manage IT infrastructure for local and small businesses with fewer than 30 employees, such as dentists’ offices, small accounting offices and local restaurants.
Demanding $70 Million
On its dark web site, ransomware group REvil claimed responsibility for the attack and said it infected more than 1 million devices. It also demanded a $70 million payment in bitcoin to allow all victims to recover within an hour.
Fred Voccola, Kaseya’s CEO, called the attack “incredibly sophisticated.”
The attackers breached Kaseya VSA, just one of the company’s 27 modules. Kaseya VSA is its remote monitoring and management (RMM) service.
All of the MSPs were using the VSA on-premises product.
“Many of our customers are MSPs or IT service providers providing outsourced IT for SMBs around the world,” Voccola said. “The Kaseya MSPs manage approximately 800,000-1 million small businesses around the world. We believe that the number of small businesses managed by MSPs that are Kaseya MSPs that were penetrated with this attack or that were directly impacted by this attack was between 800 and 1,500 downstream customers. When we talk about this attack, and we talk about the breaches that have happened, for the very small number of people who have been breached, it totally sucks.”
Kaseya’s Turn
All of Kaseya’s competitors have faced cyberattacks, and it was Kaseya’s turn this past weekend, Voccola said.
The attackers breached less than .01% of Kaseya’s customers, he said. However, he said if he was one of those breached, “I’d be very, very frustrated — and you should be.”
“In the coming hours, we expect the RMM module of our platform IT Complete will come back online,” Voccola said.
Kaseya has met with U.S. government agencies including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). It also has engaged with the White House, and FireEye Mandiant.
“CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple MSPs that employ VSA software,” CISA said.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.