In early July, the Russian hacker organisation REvil launched a ransomware attack, demanding payment of $70 million from Kaseya. The company provides IT infrastructure management solutions for Managed Service Providers (MSPs) and internal IT organisations and serves customers worldwide.
This attack is one of the latest in a wave of incidents the US government is trying to stamp out, but concern extends far beyond the US border, since as many as 1,500 companies worldwide may be affected.
In this blog, we will look back at this attack and its impact, as well as tips for spotting – and preventing – future cyber threats.
Just before the 4th of July weekend 2021, hackers attacked the US-based Kaseya, holding more than 1,000 companies ransom. The ransomware was delivered through a malicious patch via Kaseya's VSA server on July 2, and – as a result – thousands of nodes in hundreds of companies were easily compromised and encrypted. VSA is a popular software product for managing remote networks, used by many MSPs that provide IT services to other companies. As in other types of backdoor attacks, network management software is a good place to hide malware: these systems legitimately reach many hosts and perform many tasks, which makes them especially difficult to monitor.
When the REvil organisation released the malicious patch containing a payload named "Sodinokibi", it proceeded to encrypt servers and shared folders. Unlike the SolarWinds supply chain attack, in which the vendor's update server was compromised, Kaseya's own infrastructure does not appear to have been affected. The computer code behind the Kaseya attack was written so that the malware avoids systems using Russian or related languages. This was also a common thread in the Darkside ransomware attack on Colonial Pipeline and supports allegations that a Russian-government sponsored group is responsible.
"All on-site VSA servers will remain offline until Kaseya provides further instructions to safely resume operations," the company said, though it did not specify the extent of the attack. "Due to our team's quick response, we believe this attack is limited to a very small number of customers," Kaseya tried to assure – but the damage could prove far-reaching.
Commenting on the incident through his Twitter account, John Hammond, senior security researcher at Huntress Labs, explained, "Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business."
Swedish supermarket chain Coop had to close more than 800 shops on Saturday, July 3, making its checkout unavailable, according to the company’s Facebook page. And according to Swedish media, pharmacy chain Apotek Hjärtat and Finnish energy company ST1 were also affected. It has been revealed that the cybercriminals sent two different ransom demands directly to businesses, asking for $50,000 from small businesses and $5 million from large companies.
To further complicate matters, the REvil websites on the dark web have themselves gone dark. They have been offline for several weeks as discussions on why they were taken down – and by whom – continue. No one is sure who is responsible. Is it the US government? Is it Russia? Sadly, until REvil goes back online, many of their attack victims aren’t sure when they will be able to unlock their encrypted data.
Why such a large attack?
As stated upfront, Kaseya has confirmed that around 1,500 businesses have been affected by the attack. "To date, we know of fewer than 60 Kaseya customers, all of whom were using the on-premises VSA product, who were directly compromised by this attack. While many of these customers provide IT services to many other businesses, we understand that the total impact to date has been less than 1,500 downstream businesses. We have found no evidence that any of our SaaS customers have been compromised," Kaseya said in an update on the attack.
The company's VSA software monitors its customers' fleets of machines. In the hands of the hackers, the software turned into a malware distributor, rendering files unreadable, business email unusable, and machines inoperable. Kaseya immediately called on companies to shut down their VSA servers, which in turn impacted thousands of customers.
What makes this hack particularly serious?
The hackers infiltrated Kaseya, gained access to its customers' data, and demanded a ransom for its return. According to experts, what makes this hack particularly serious is the fact that Kaseya is an MSP – its systems are used by smaller companies with modest technical departments and resources. Through regular updates, Kaseya ensures the security of its systems; in this case, however, that same update mechanism was hijacked to spread malware to client systems. Even more serious is the fact that the malicious actors behind the attack targeted systems typically used to protect customers from malware, said Doug Schmidt, a computer science professor at Vanderbilt University.
"It's very scary for many reasons - it's a totally different type of attack than we've seen before," Schmidt said. "If you can attack someone through a trusted channel, it's incredibly invasive - it's going to ricochet way beyond the attacker's wildest dreams."
Why we should all care about the prevalence of ransomware
The term ransomware generally refers to malware that locks a victim's computer until a digital ransom is paid, usually in the form of bitcoins. Ransomware attacks have been around for years and often target individuals or small businesses to extort payments to unlock data.
In recent years, criminals have become more aggressive, attacking larger and potentially more lucrative targets. Ransomware has been evolving and growing more sophisticated since the first recorded incident in 1989. In its crudest form, ransomware does not encrypt anything at all – but modern attackers use cryptographic methods to encrypt files, making them inaccessible to their owners. Ransomware encryption can also be applied to whole hard drives to completely lock down the computer's operating system and prevent the victim from accessing it.
Despite the bargain the name implies, there is no guarantee that attackers will honour a ransom payment – putting victims in a terrible position. Even more unfortunate, the popularity of ransomware has increased significantly over the past decade. As a financially motivated cyber attack, it is currently the leading malware-related threat in the world, as reported by Europol (IOCTA 2018).
How do businesses get trapped?
Ransomware can reach your computer in a number of ways, but it usually arrives as an email attachment. Here are three of the most common types of cyber attacks utilising ransomware:
- Phishing: A form of social engineering where hackers trick victims into opening and engaging with messages. In the context of ransomware, phishing emails are one of the most common forms of malware distribution. Victims are usually infected by compromised attachments or links disguised as legitimate. In a network of computers, one victim can be enough to compromise an entire organisation.
- Exploit kits: A collection of various malicious tools and pre-written exploit code. These kits are designed to exploit vulnerabilities in software applications and operating systems as a means of spreading malware (insecure systems running outdated, unpatched software are the most common targets).
- Malvertising: Attackers place malicious adverts on legitimate advertising networks and use them to spread ransomware.
These are just a few examples of attacks that should be on your radar but, of course, there are plenty of other ways your company can get burned online. Learn more about the different ways your business can be targeted by hackers and how to protect yourself through our cybersecurity awareness interactive infographic.