Four cyber-experts weigh in on the zero-day exploit where “All your network has been locked. You have 10 days to contact us.”
The recent REvil ransomware attack on Kaseya has elicited a unified response from cybersecurity experts: detection and monitoring at the earliest stage are key to protecting the network.
On 4 July this year, the Russian threat group REvil took credit for the attack on Kaseya Virtual Systems Administrator (VSA), an endpoint management and network monitoring software used by managed service providers (MSPs). An estimated 1,500 organizations were affected by the attack, and US$70m is the reported ransom.
What could have been done better to avert or cripple this attack?
EDR is his approach
According to Lior Div, CEO and co-founder, Cybereason, continuous monitoring and vigilance in the form of EDR (Endpoint Detection & Response) is the solution: “The truth is that attackers still enjoy the advantage. The goal isn’t to block and prevent all attacks—we need to shift focus from dealing with ransomware after the fact to disrupting the earliest stages of attacks through behavioral detections. This is the operation-centric approach to cybersecurity. We can’t just focus on the REvil ransomware attack: by then it will be too late. Look at the earlier stages of the attack when criminals are inserting malicious code into the supply chain for instance. The ransomware is the symptom of the larger disease we need to treat.”
As for the ransom payment, Div felt that it does not make sense to pay ransoms. A recent study by his firm had found that 80% of respondents that had paid a ransom were hit a second time. “Overall, paying ransoms only emboldens threat actors and drives up ransom demands. Still, whether or not to pay a ransom is an individual choice each company needs to make. Consult with your legal team, insurer and law enforcement agencies before making any decision. In those rare life-or-death situations, paying a ransom could very well be the right decision.”
Continuous monitoring is vital
Echoing the need for continuous monitoring, particularly on system administration, was Lavi Lazarovitz, Senior Director of Cyber Research, CyberArk Labs: “In early communications by Kaseya, the company warned of the criticality of shutting down the servers that VSA runs on, ‘because one of the first things the attacker does is shut off administrative access to the VSA’. Monitoring and protecting this admin, or privileged, access is critical to identifying and mitigating the risk of lateral movement and further network compromise. In the case of an MSP, controlling admin rights means attackers can gain incredible scale—likely across hundreds of the MSP’s customers. Privileged credentials continue to be the attackers’ ‘weapon of choice’ and are utilized in nearly every major targeted attack.”
Full visibility is the key
According to yet another expert, Matthew Sanders, Director of Security, LogRhythm: “Aside from planning their response to a successful attack, organizations should keep their prevention and detection technologies top-of-mind by ensuring that they have the appropriate protective controls in place, as well as visibility into what is happening across their environment. A properly configured security monitoring solution that has full visibility into the environment with robust automated response capability would help organizations identify malicious activity and thwart bad actors before ransomware can take hold.”
Finally, another expert, Jeff Costlow, Senior Director of Cyber Research, ExtraHop, stated: “Kaseya is a terrifying example of how quickly cybercriminals are adopting Advanced Persistent Threat tactics that only the most advanced nation states could afford but these are now being used to extract multi-million dollar ransoms. This should serve as a stark warning for every organization and every software vendor: the threat of sanctions or other diplomatic repercussions is of no concern to cybercriminals that operate outside the bounds of any government. Ransomware is now an advanced persistent ‘extortionate threat’—one that is far more calculated than opportunistic.”
With that in mind, organizations can choose to take heed of expert advice, or be vulnerable to malicious actors on top of the regulatory, legal and reputational consequences.