Cybersecurity experts weigh in on the timing, method, and payload of the Kaseya attack, which may be the biggest combined ransomware and supply chain attack to date.
According to Check Point Research, 2021 has already broken records for cyber-attacks: over the past 12 months, ransomware attacks in the US are up 93% and all cyber-attacks are up more than 70%, both all-time highs.
Head of Threat Intelligence at Check Point Software, Lotem Finkelsteen, predicted that the influx of these breaches is “only going to get worse.”
“I don’t think we’ve seen the peak for ransomware attacks,” he said in a statement. “The threat actors behind ransomware aren’t just becoming bigger, they’re becoming better at what they do.”
The 4th of July weekend ransomware attack on Kaseya VSA, an endpoint management and network monitoring product – apparently conducted by the Russian-speaking group REvil – combines 2021’s two most notorious cyber-attack trends, supply chain attacks and ransomware, into a single catastrophic incident.
“Based on CrowdStrike’s telemetry, the recent ransomware attack on Kaseya has all the hallmarks of the threat actor PINCHY SPIDER, operator of REvil ransomware and suspected culprit of the recent attack on JBS,” said Adam Meyers, Senior Vice President, CrowdStrike Intelligence.
“The continued success of large software supply chain attacks provides an ominous outlook for organizations of all sizes as threat actors observe how profitable and wide-ranging they can be. Organizations must understand that these headlines are no longer warnings, but are a reality of what is in their future if they have not established a mature cybersecurity strategy.”
Biggest breach so far
The Independence Day weekend offensive has produced a record number of ransomware victims. Its full scope is still unknown; most victims are in the US, with some in Europe as well.
REvil is one of the most prominent ransomware families on the planet, responsible for dozens of major breaches since 2019.
According to Check Point Research, the attackers chose this weekend and this method for a reason. They looked for a single back door into more than a thousand companies – one target through which they could infect numerous others in a pandemic-like chain – and they picked a holiday weekend knowing that many IT staff would be offline and that companies often run on a skeleton crew. This helps the threat actors in a few ways:
- It allows the ransomware to be fully deployed before anyone notices
- It induces more panic during response operations if key players within the victims’ environment are unavailable to respond, possibly increasing the chances that a ransom demand will be paid
“Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down,” said CrowdStrike’s Meyers. “What we are seeing now in terms of victims is likely just the tip of the iceberg.”
Kevin Reed, CISO, Acronis, said that MSPs were targeted in this attack because “they have large attack surfaces, making them juicy targets to cybercriminals. One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all.”
“As we predicted last year, MSPs will only be targeted more in 2021 – they can be compromised via a variety of techniques, with poorly configured remote access software among the top attack vectors. Cybercriminals use vulnerabilities, like the lack of 2FA, and phishing to get access to MSPs management tools and eventually – to their clients’ machines…. This attack is already showing a larger scale – it won’t end right away, likely leading to bigger impact.”
Reed observed that embedding the ransomware in Kaseya VSA helped it spread to a large number of targets quickly – “similar to how the WannaCry attack allowed criminals to quickly penetrate hundreds of companies.”
The attack has already directly affected dozens of MSPs, and at least 1,000 downstream organizations may be affected. That translates into an estimated several million dollars in potential ransom pay-outs alone – and hundreds of millions in direct losses from business closures.
For instance, Coop, a Swedish store chain affected by this attack, has been forced to close most of its 800 stores.
“While we advise to never pay the ransom, the reality is businesses that can’t rely on their incident response plan still pay the criminals – as seen in recent JBS and Colonial Pipeline cases,” said Reed. “Ransomware demands against the breached clients in this case varied from the initial demand of $44,999 to $5 million – with further possibility of steep fines from the authorities for those opting to pay.”
Reed applauded Kaseya on its quick response: “While affected MSPs are being informed to shut down on-premises VSA servers, Kaseya itself has proactively shut down its SaaS servers that run VSA for their partners. They issued the warning right after the attack was detected, without any delay – which is how it should be.”
Affected MSPs cannot operate normally while VSA is offline, since remote monitoring and management (RMM), which is what Kaseya VSA provides, is their main tool for managing IT infrastructure. Even so, Kaseya’s response allowed MSPs to drastically limit the number of affected businesses.
Shutting down the SaaS servers and alerting the world to the threat early on has helped prevent the ransomware from spreading further.
“This attack is a leap forward in the scale, scope, and sophistication of attacks against the suppliers of software for MSPs,” said Reed. “No private business, public institution, tech vendor, or service provider is immune from this and should not be pointing fingers at the initial victims of the attack, nor the members of their software supply chain that were compromised as a result.”
What we can do
For companies running Kaseya VSA, Kaseya and Check Point have advised taking it off the network immediately, even if it may already be too late for some.
Check Point’s cybersecurity experts offered this additional advice:
- Use EDR, NDR and other security monitoring tools to verify the legitimacy of any new files in the environment since 02 July.
- Check with security product vendors to verify protections are in place for REvil ransomware.
- If help is needed, bring in an incident response team to verify the state of the environment.
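The first item above, checking the legitimacy of every file written since 2 July, is a concrete triage task. The script below is an added example, not part of the original article or any vendor's tooling: it walks a directory tree, ignores anything last modified before a cutoff date, and classifies the rest against a pre-incident baseline of SHA-256 hashes as new (not in the baseline), modified (hash differs) or unchanged. The directory layout, file names and baseline in `demo()` are constructed for illustration and are not indicators from the Kaseya incident.

```python
"""Triage files written since a cutoff against a known-good hash baseline.

Added example, not from the original article or from Kaseya/Check Point.
Assumptions (not from the article): a directory tree to scan, a cutoff
datetime, and a baseline dict of relative path -> SHA-256 hex digest
captured before the incident window.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_new_files(root: Path, cutoff: datetime,
                     baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every file under root with mtime >= cutoff.

    'new'       -> relative path absent from the baseline
    'modified'  -> present in baseline, but content hash differs
    'unchanged' -> present in baseline and hash matches (touched, same bytes)
    Files older than the cutoff are skipped entirely.
    """
    result: Dict[str, List[str]] = {"new": [], "modified": [], "unchanged": []}
    cutoff_ts = cutoff.timestamp()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable or vanished; a real run would log this
            if st.st_mtime < cutoff_ts:
                continue
            rel = p.relative_to(root).as_posix()
            digest = sha256_file(p)
            expected = baseline.get(rel)
            if expected is None:
                result["new"].append(rel)
            elif expected != digest:
                result["modified"].append(rel)
            else:
                result["unchanged"].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed tree: one pre-incident file, one trusted, one dropped, one tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        pre_incident = root / "bin" / "agent.exe"     # constructed name
        pre_incident.write_bytes(b"legit agent build")
        trusted = root / "bin" / "helper.dll"         # constructed name
        trusted.write_bytes(b"legit helper")
        dropped = root / "bin" / "unknown.exe"        # constructed name
        dropped.write_bytes(b"constructed unknown payload")
        tampered = root / "bin" / "config.ini"        # constructed name
        tampered.write_bytes(b"tampered config")

        # Baseline captured "before the incident": config.ini had different bytes.
        baseline = {
            "bin/agent.exe": sha256_file(pre_incident),
            "bin/helper.dll": sha256_file(trusted),
            "bin/config.ini": hashlib.sha256(b"original config").hexdigest(),
        }

        cutoff = datetime(2021, 7, 2, tzinfo=timezone.utc)
        before = cutoff.timestamp() - 86400   # one day before the cutoff
        after = cutoff.timestamp() + 3600     # one hour after the cutoff
        os.utime(pre_incident, (before, before))
        for p in (trusted, dropped, tampered):
            os.utime(p, (after, after))
        return triage_new_files(root, cutoff, baseline)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Two caveats for real use: modification times are attacker-controllable (timestomping), so treat the cutoff as a first filter and corroborate with change time, creation time and EDR file-write telemetry rather than trusting mtime alone; and the baseline is only useful if it was captured before the incident window, otherwise a dropped file hashed into the baseline will show up as unchanged.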
To at least reduce the risk of being victimized by a similar attack and avoid passing the malware on to partners and customers, Acronis’ Reed offers these tips:
- First, tend to your own backyard – renew your commitment to building a multi-layered, defence-in-depth security architecture. Consider following an open security framework like NIST 800-171 or ISO/IEC 27001 to help work through various potential risks, identify your softest spots, and shore up those defences.
- Regularly evaluate your vendors and service providers as a potential source of risk to you. We have published an e-book with recommendations on this very topic – consider any weak link in your software supply chain. Any unneeded access should be revoked, and you have to check with any given provider for the security measures in place.
- Revisit your incident response management policy. If you don’t have one – start building one immediately. Assume that some kind of cyber-attack on you will eventually succeed despite your best efforts to deploy comprehensive defences, build solid security policies, and invest in trained people. It will limit the damage, reduce the external blowback from investors, partners, and customers, and preserve the kind of forensic evidence you’ll need to avoid a recurrence of the attack.
- Install patches – while patching will not protect your business from zero-day vulnerabilities, as in this case, it raises the bar for attackers.