Earlier this month, management software behemoth Kaseya notified its customers that its VSA product (which offers MSPs and other enterprise firms a “unified remote monitoring & management” IT system) had fallen victim to a ransomware attack. As an MSP ourselves here at Nutbourne, our hearts go out to all of those firms affected by the attack. It shows just how complex, sophisticated and difficult to spot modern ransomware attacks have become. We wanted to take a look at what happened, in a bit more detail.
First, then, let’s take a more in-depth look at what happened. By exploiting a security vulnerability in the VSA server software, cybercriminals from the ransomware group REvil (a group purportedly operating out of Russia and other Eastern European nations) were able to bypass its authentication. With that access, they used VSA’s own ability to push software out to the endpoints it manages to distribute a loader carrying malicious code.
That is about the worst foothold an attacker can have: a remote monitoring and management tool exists to run commands on every machine it manages, so whoever controls it can run whatever they like, wherever they like. Once in, the criminals first disabled anti-malware protections on the endpoints. That cleared the way for them to execute the ransomware, encrypting data on every infected device. This left affected MSPs, and their clients, in a truly horrible situation.
What Were the Criminals’ Demands?
When it comes to ransomware, the attackers hold most of the cards, which is why they can typically extort huge sums from affected parties. In this case, the group initially demanded $70 million, to be paid in Bitcoin. The demand was made in characteristically dramatic fashion: the group published it on its own dark web ‘Happy Blog’ page. It has since lowered its demand to a still huge $50 million.
Who are REvil?
This is by no means the group’s first attack. Its members have executed several high-profile ransomware attacks over the past few years, albeit often under different names, Sodin and Sodinokibi being the two most common. This, though, was their biggest attack to date in terms of the ransom demanded.
Who’s Been Affected?
The downstream impacts of this attack have been huge. Kaseya’s VSA product is used by MSPs the world over, who in turn service clients across a virtually limitless range of industries needing IT support and guidance. So far there have been over 1,000 confirmed victims, and that figure continues to rise; some analysts believe the true figure could already be nearer 2,000.
Countries affected include the US, of course, but also Sweden, New Zealand and Kenya, to name just a few. Such is the significance of the attack that US president Joe Biden has also weighed in, expressing his confidence in the US’s ability to respond. Whilst the POTUS might be confident, recovering from a ransomware attack of this scale is no easy feat, and no amount of presidential reassurance can paper over that. What, then, are the next steps?
What’s Been Done? (What Can Be Done?)
Kaseya’s CEO has remained taciturn on the question of ransom payment, refusing to comment on whether his firm would negotiate with “terrorists”. On the one hand, giving in to the demands would fund the group’s next operations, with more sophisticated tooling and infrastructure, and would almost certainly increase the likelihood that attacks of this scale (and worse) continue in the future. And that’s before factoring in just how large a sum the company would be paying.
On the other hand, whilst Kaseya has since patched its software, a patch can do little for those MSPs and other companies already encrypted by the ransomware. The longer those companies go without their data, the worse the damage is likely to be. It’s an unenviable situation, whichever way you look at it, and it reinforces the importance of technology firms banding together and acting as collaboratively as possible in order to stay ahead of these kinds of criminal groups.
In the meantime, alongside the patch and the detection tool published by Kaseya (customers running on-premises VSA servers were told to keep them offline until the patch could be applied), the Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on what affected MSPs and enterprises should do next.
So, if you’d like to find out more about our work as a UK managed service provider, then get in touch! We offer a whole range of IT solutions, from cybersecurity (including ransomware) through to consultancy and vCIO services. Contact us today on +44 (0) 203 137 7273 or by filling out one of our online enquiry forms. Alternatively, you can message one of our team via Live Chat. However you wish to get in touch, we look forward to hearing from you!