Kaseya Ransomware: How It Happened?
A cybercrime organization with Russian origins called REvil claims to have infected 1 million systems across 17 countries. It is now demanding $70 million in bitcoin in exchange for a “universal decryptor” that will return users’ access. The attackers targeted the US IT company Kaseya and then used that company’s software to infiltrate the victims’ systems, exploiting a zero-day vulnerability. They also appear to have deliberately timed the attack for the 4th of July weekend, knowing that it is a national holiday in the US and that most US office workers would be away, leaving too few staff to respond to a security threat in a timely manner.
In a statement, Kaseya explains:
Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.
VSA, the hacked Kaseya tool, is used to remotely maintain customer networks, automating security and other software updates.
In a Monday report on the attack, Sophos explained that a VSA server was hacked with the apparent use of a zero-day exploit. Like other cybersecurity companies, it accused Kaseya of aiding attackers by asking customers to exclude their on-premise “working” folders from malware checks. From inside those folders, REvil’s code can run unnoticed by the security software and disable the malware and ransomware tagging tools of Microsoft Defender. Most of the victims of this organized ransomware attack were government agencies and small businesses, such as the Swedish grocery chain Coop, which had to close most of its 800 stores for the entire weekend.
This article will help you understand how the Kaseya Ransomware attack happened and how it could impact your business.
Kaseya Response: What Do We Know About the Ransomware Attack to Date?
Thousands of organizations, mostly businesses that use MSSPs to remotely manage others’ IT infrastructure, were infected in at least 17 countries in Friday’s attack. Kaseya also said on Monday that it expects more companies to report infections as many are only now returning to work.
In this particular outbreak, the REvil organization not only found a new vulnerability in Kaseya’s supply chain but also abused the antimalware exclusions to spread its ransomware code.
The “evil genius” of this attack was that the attackers combined perfect timing with the perfect vulnerability, compromising the operations of thousands of businesses.
SophosLabs shared the REvil detection spike:
The FBI briefly described the incident as follows: “A supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”
Kaseya Ransomware Attack – How It Works?
Sophos published a full analysis describing the chain of execution all the way from Kaseya’s compromised management servers to the scrambled computers on the victims’ networks:
Who Is Behind the Kaseya Ransomware Attack?
REvil is a cybercriminal organization best known for extorting $11 million from the meat processor JBS last month, again using ransomware, after temporarily knocking out plants that process roughly one-fifth of the nation’s meat supply.
Security researchers said its ability to infiltrate anti-malware safeguards and its apparent exploitation of a previously unknown vulnerability on Kaseya servers reflect the growing financial muscle of REvil and a few dozen other top ransomware gangs whose success helps them afford the best digital burglary wares.
Kaseya regularly posts updates on the attack and the ongoing response efforts. It has disabled its own hosted VSA and SaaS servers and insists that customers keep their own VSA servers disabled until further notice.
A Kaseya statement on July 5th at 9:30 PM EDT said:
Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service.
- To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised.
- We have had no new reports filed of compromises for VSA customers since Saturday, July 3rd.
- VSA is the only Kaseya product affected by the attack and all other IT Complete modules are not impacted.
- We have been advised by our outside experts that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized.
Kaseya is currently working with the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and private cybersecurity forensics firms and their executives are contacting affected customers to resolve the matter. The company’s R&D engineers are diagnosing the incident breach point and investigating how the attack code has affected customers. A Compromise Detection Tool was rolled out late on June 3 to almost 900 Kaseya customers who had requested it, and an update to this developing tool has also been distributed.
What Are the Goals of the Kaseya Attacker?
Initially, REvil was seeking $5-million payouts from the affected MSSPs, which were its principal downstream targets in this attack, and demanding much less — just $45,000 — from their afflicted customers.
Later on, after evaluating the impact of the breach, the attackers said they were now demanding $70 million in bitcoin in exchange for a “universal decryptor” that would return users’ access. Some researchers considered the offer a PR stunt, while others thought it indicates the criminals have more victims than they can manage.
What Is the Impact of the Kaseya Attack?
The Kaseya VSA vulnerability impacted thousands of businesses worldwide. The total impact is still unclear because some affected companies may not have been reported yet. Kaseya said Monday that fewer than 70 of its 37,000 customers were affected, though most were managed service providers with multiple downstream customers. “While most managed service providers must have known by Monday if they were affected, that might not be true for many of the small and medium-sized organizations they serve,” said Ross McKerchar, CISO at Sophos. “The MSPs are flying blind because the very software tool they use to monitor customer networks was knocked out by the attack.”
Sweden may be the hardest hit — or at least most transparent about the damage. Its defense minister, Peter Hultqvist, bemoaned in a TV interview “how fragile the system is when it comes to IT security.” Most of the Swedish grocery chain Coop’s 800 stores were closed for the third day, their cash registers crippled. A Swedish pharmacy chain, gas station chain, the state railway, and public broadcaster SVT also were hit.
A big range of businesses and public agencies were affected, including financial services and travel, and also some large enterprises. The United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya were the countries affected by the breach.
The vast majority of ransomware victims avoid admitting an infection publicly, and avoid disclosing whether they paid a ransom, unless law enforcement or the law requires it.
How Does the Kaseya Attack Affect SMBs?
It is estimated that 1,500 downstream businesses are currently affected by the ransomware attack.
According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.
How Does the Kaseya Attack Affect MSSPs?
Kaseya’s VSA remote monitoring and management tool was used as an attack vector to inject ransomware into the systems of more than a thousand end-customers of managed service providers (MSPs).
VSA, the Virtual System/Server Administrator, is software used by Kaseya customers to monitor and manage their infrastructure. It is supplied either as a cloud service hosted by Kaseya or as on-premises VSA servers. These VSA servers can be deployed by end users or by MSPs. Kaseya sends out updates to these VSA servers and, on Friday, July 2, an update was distributed that contained REvil ransomware code. Kaseya reported that the MSSPs that became victims of the ransomware were the ones running on-premises VSA servers. The malicious code that hit the MSSPs was then passed on to their customers, so potentially thousands of MSP client businesses were infected.
This is known as a supply chain attack, and it is similar to the SolarWinds attack (Solorigate) that was performed in December 2020, with malware installed via an update server.
What to Do to Mitigate the Security Risk for Your Clients?
The REvil ransomware performs an in-place encryption attack: the encrypted documents are written to the same sectors as the original unencrypted documents, making it impossible to recover the originals with data recovery tools. REvil’s file system activity is efficient, with specific operations performed on dedicated threads.
The ransomware runs storage access (reading the original documents and writing the encrypted ones), key-blob embedding, and document renaming on multiple separate threads to do damage faster. As each file is encrypted, a random extension is appended to its name.
Some factors stand out in this attack when compared to others. First, because of its mass deployment, this REvil attack makes no apparent effort to exfiltrate data. Second, attacks were customized to some degree based on the size of the organization, meaning that the REvil actors had access to VSA server instances and were able to distinguish individual MSP customers from larger organizations. And there was no sign of deletion of volume shadow copies—a behavior common among ransomware that triggers many malware defenses.
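As an added example (not code from the article, Sophos or Kaseya), the following Python triage scanner looks for the two traces that the in-place encryption described above leaves on disk: a random extension appended to an otherwise normal file name, combined with near-random (high-entropy) content. The naming pattern, the entropy threshold and the sample files are assumptions constructed for the demonstration.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Hypothetical naming pattern: original name and extension, then one appended
# random tag of 5-10 lowercase alphanumerics (e.g. invoice.docx.7q2k1a).
APPENDED_EXT = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.[a-z0-9]{5,10}$")
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office files sit far lower

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is uniformly random, which is how ciphertext looks."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_directory(root: str, sample_bytes: int = 4096) -> list:
    """Return paths whose name carries an appended tag AND whose first bytes are near-random.
    Both signals are required: archives are high-entropy but keep a normal name, and a
    file that was only renamed keeps its low-entropy content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not APPENDED_EXT.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)  # a prefix is enough; avoids reading huge files
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                hits.append(path)
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample files (not real victim data) covering the edge cases."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "finance"))
    plain = b"Quarterly revenue report, line item 42, status: reviewed.\n" * 70
    samples = {
        "invoice.docx.7q2k1a": os.urandom(4096),         # encrypted in place, tag appended
        "finance/ledger.xlsx.m9x4pz": os.urandom(4096),  # same, inside a subfolder
        "notes.txt.abc12": plain,                        # renamed only: must not be flagged
        "backup.zip": os.urandom(4096),                  # high entropy but a normal name
        "readme.txt": plain,                             # untouched document
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root
```

Running `scan_directory` over a suspect share gives a quick first triage of which files were overwritten in place; because the originals were overwritten, every hit means restoring from backup rather than attempting file recovery.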
Ransomware attacks grow more inventive by the day, so it gets harder for companies to stay protected: you need to proactively set up a complex set of measures, from attracting the right people and putting proper security monitoring in place, to allowing for a timely response and being ready to restore from a properly handled backup.
When MSSPs are hit by ransomware, it is an issue that can destroy their reputation with their clients, so it is important to take appropriate measures to mitigate the risk of being affected. In our previous article about the Colonial Pipeline ransomware, we reviewed the top 10 security measures to take to protect your company from the high impact of a ransomware attack:
LogSentinel SIEM has all of those features and is a SIEM system built with MSSPs in mind.
The complexity of today’s IT systems makes protecting them complex too. And while tools like SIEM are mandatory for that, they will not work unattended. At this point, security complexity cannot be significantly abstracted away, so we need the tools, processes, and people to handle it. However, many security processes can be automated, and the time needed to detect anomalies can be significantly reduced thanks to innovative security tools. That’s why LogSentinel SIEM leverages AI and machine learning, along with pre-set rules, for a more thorough overview of security threats.
How to Properly Respond to a Ransomware Infection?
If you have reason to believe that your system has been infected with ransomware, here are the three steps you need to take immediately:
Disconnect from All Networks
- Unplug Ethernet cables; disable Wi-Fi or any other network adapters
- Put devices in Airplane Mode
- Turn off Wi-Fi and Bluetooth
These simple security measures can help in preventing the spread of ransomware to shared network resources.
Disconnect All External Devices
- USB drives
- Connected / attached phones
- External hard drives
- Any other devices connected to the network that can be compromised
Report the Incident to the Security Team
Report the incident as soon as possible so that the security team can do their best to ensure business continuity.
With LogSentinel SIEM, you are alerted to all aspects of ransomware as soon as it tries to infect a computer. You can then stop all attempts by the ransomware to get in and spread, and thus prevent any significant damage.
Denitsa Stefanova is a Senior IT Business Analyst with solid experience in Marketing and Data Analytics. She is involved in IT projects related to marketing and data analytics software improvements, as well as the development of effective methods for fraud and data breach prevention. Denitsa supports her IT-related experience by applying her skills to her everyday duties, including IT and quality auditing, detecting IT vulnerabilities, and GDPR-related gaps.