Experts Weigh In On Kaseya Ransomware Attack


A successful ransomware attack on a single company has spread to at least 200 organizations and likely far more, making it one of the largest criminal ransomware sprees in history. The attack is believed to have been carried out by the prolific ransomware gang REvil against Kaseya, an international company whose remote management software is used by managed service providers (MSPs) to administer their customers' IT systems.

8 Expert Comments
Lior Div, CEO and co-founder
InfoSec Expert
July 5, 2021 12:56 pm

<p>The global Kaseya attack is a reminder that the public and private sector need to change the way cyber conflict is fought. The truth is that attackers still enjoy the advantage. The goal isn’t to block and prevent all attacks — an operation like Kaseya and SolarWinds demonstrates that’s not always possible — the goal is to quickly detect suspicious or malicious activity, and ensure you have the visibility, intelligence, and context to understand and remove the threat. I believe it is our job to disrupt these operations. Technology, coupled with public &amp; private partnerships is a step in the right direction to help in this fight against the REvil ransomware gangs and others like them.</p>
<p>We need to shift focus from dealing with ransomware after the fact to disrupting the earliest stages of attacks through behavioural detections – this is the operation-centric approach to cybersecurity. We can’t just focus on the ransomware attack – by then it is too late. Look at the earlier stages of the attack when criminals are inserting malicious code into the supply chain, for instance. The ransomware is the symptom of the larger disease we need to treat.</p>
<p>This newest attack will once again start the debate about whether it makes sense to rip and replace legacy computer networks used by public and private sector organisations. That simply isn’t going to fix the problem. We have spent trillions of dollars on cybersecurity over the past 20 years. And in many ways, we’re no safer today. We could spend another $250 billion or $250 trillion and it will only incrementally help. What matters is how the money is spent.</p>
<p>In the coming days we will learn the names of companies impacted by the Kaseya ransomware attack. We will also learn if companies are meeting the ransom demands of the REvil gang. In general, it doesn’t pay to pay ransoms. A recent Cybereason global research study found that 80 percent of companies that paid a ransom were hit a second time. Overall, paying ransoms only emboldens threat actors and drives up ransom demands. Still, whether or not to pay a ransom is an individual choice each company needs to make. Consult with your legal team, insurer and law enforcement agencies before making any decision. In those rare life or death situations, paying a ransom could very well be the right decision.</p>

Last edited 1 year ago by Lior Div
Charl van der Walt, Head of Security Research
InfoSec Expert
July 5, 2021 1:03 pm

<p>These so-called ‘supply chain attacks’ are the consequence of several diverse factors that have colluded to make a compromise of this kind almost inevitable. One of these factors is ‘IT Interdependence’ – IT systems and the businesses that use them do not operate in isolation. As a result, the impact of a breach or compromise is never restricted to the primary target alone. </p>
<p>We simply cannot afford to think of our own security as isolated or separate from the security of our technology product or service providers, or from the myriad of other business entities or government agencies we share technology with. A shared dependency on core technologies, vendors, protocols or core Internet systems like DNS or CDNs bind businesses together just as tightly as fibre links and IP networks. Businesses in turn also bind together the suppliers who depend on them, the industries they belong to, the countries they operate in and, eventually, the entire global economy. </p>
<p>By their very nature, supply chain attacks provide the attacker with vast scope and scale, even if they take more resources and time to perpetrate. The frequency of these attacks is therefore not as important as their impact. Given the persistence of the systemic forces that enable these attacks, we anticipate that they will increase in both frequency and impact.</p>
<p>When we consider when, where and how much to invest in security, we must think beyond the single-dimensional risk we are addressing for our business and consider the impact of the secondary and tertiary effects on the broader economy when breaches and compromises happen. We need to recognise that what’s bad for society generally, is also bad for us as businesses.</p>

Last edited 1 year ago by Charl van der Walt
Jack Chapman, VP of Threat Intelligence
InfoSec Expert
July 5, 2021 1:07 pm

<p>This attack highlights once more that hackers are ready and waiting to exploit lax security and unpatched vulnerabilities to devastating effect. It also shows the importance of securing not just your own organisation, but your supply chain too. Organisations must closely examine their suppliers’ security protocols, and suppliers must hold themselves accountable, ensuring that their customers are defended from the ever-growing barrage of malicious attacks.</p>
<p>As long as there’s a chance that organisations will keep paying sizable ransoms and where there are vulnerabilities that can be exploited, cybercriminals will continue to leverage this type of attack. Organisations must step up their own protection – and ensure that their suppliers do too – to avoid becoming the next victim of ransomware.</p>

Last edited 1 year ago by Jack Chapman
Charles Carmakal, SVP and CTO
InfoSec Expert
July 7, 2021 3:02 pm

<p style="font-weight: 400;">On July 2, 2021, an affiliate of REvil/Sodinokibi exploited multiple vulnerabilities in the Kaseya VSA product to distribute a ransomware encryptor to connected endpoints. Kaseya VSA is a remote monitoring and management solution used by managed service providers (MSPs) and organizations to remotely manage computer systems. The number of impacted organizations is not currently known, but Kaseya estimates that the number of organizations impacted by the REvil ransomware disruption is under 1,500 organizations. Many of the impacted organizations are very small family businesses who are only now discovering the impacts because of the holiday weekend.</p>
<p style="font-weight: 400;">REvil ransomware-as-a-service (RaaS) has been marketed in Russian-language underground forums since May 2019. In the RaaS business model, a central group develops ransomware, communicates with victims and runs back end infrastructure, while partners, or affiliates, carry out intrusions and deploy the ransomware. The RaaS is operated by the actor "UNKN" (aka "Unknown") who does not accept English-speaking partners and does not allow partners to target CIS countries, including Ukraine. While the known affiliates are Russian speaking, it is probable that some of the operators may not physically reside in Russia. Notably, following the Colonial Pipeline incident, UNKN made an effort to restrict targeting of REvil affiliates, insisting on vetting targets prior to ransomware deployment.</p>
<p style="font-weight: 400;">REvil took credit for the operation on the evening of July 4<sup>th</sup>, claiming to have impacted over a million systems. They are asking $70 million for a universal decryptor which could be used to unlock any system affected by this incident. This exorbitant demand is the largest on record. In private conversations, REvil has proactively decreased their demands, and they have been known to exaggerate the scope and impact of their intrusions. Furthermore, at this time, REvil has not leaked data from their intrusions, a scheme they often use to pressure victims into paying ransoms. As long as criminals can demand ransoms in the tens of millions of dollars, and are unlikely to face jail, this problem will continue to grow from bad to worse. These actors are well-funded and highly-motivated and only dramatic, collaborative action is going to turn back the tide.</p>

Last edited 11 months ago by Charles Carmakal
Casey Ellis, CTO and Founder
InfoSec Expert
July 7, 2021 3:05 pm

<p style="font-weight: 400;">The thing I find most concerning about this attack is the coupling of supply-chain techniques to gain access with the incentives and devastating impacts of ransomware, including the encryption of and denial of service to systems and data.</p>
<p style="font-weight: 400;">Something that is immediately interesting about this attack is the fact that only 8 months after SolarWinds – a relatively non-destructive nation-state supply chain attack – it looks as though cybercriminals, or smaller financially motivated nation-states, are deploying these techniques.</p>
<p style="font-weight: 400;">This means they have the resources to create or procure the necessary tooling, possibly out of the proceeds of other ransomware operations. The REvil operators set their ransom between 45k and 5M USD per organization, and have since released an offer of 50M USD to decrypt all systems affected by this attack. Aside from being the largest ransomware payment in history, this would provide ample capital for REvil to reinvest in progressively better and more invasive tooling for future attacks.</p>
<p style="font-weight: 400;">It also raises the topic of whether you’d prefer to get hacked by Russia, or the REvil gang. Nation state attacks have national security and economic implications, while cybercriminals tend to be more destructive and impactful to the affected business themselves.</p>

Last edited 11 months ago by Casey Ellis
Saumitra Das, CTO and Co-founder
InfoSec Expert
July 8, 2021 9:08 am

<p>This is another reminder that supply chain attacks remain an issue after the Solarwinds breach brought this topic to the forefront. Organizations are thinking harder about the supply chain security of their vendors and partners. But ultimately, they will need to limit the blast radius inside their networks assuming their vendors and partners do get compromised. The speed at which this Kaseya attack evolved was notable given these tools were used for remote IT management and had the privilege to do operations inside the organizations’ networks on behalf of their MSP.</p>
<p>This is one among a host of supply chain issues this year and specifically issues caused by security vendors themselves. Security itself needs to be agentless and deployed isolated or with the least privilege so it does not contribute to increasing attack surface. VPNs, firewalls, email gateways have all been misused recently to gain a foothold with privilege inside an organization’s network without having to phish a user or hope for open RDP to compromise.</p>
<p>Attackers are not just targeting governments and infrastructure company supply chains but anyone who gives them a foothold into multiple organizations’ networks. While this may not cause disruptions to our infrastructure like the Colonial Pipeline attack, it is nevertheless a huge burden for lots of SMB and mid-market organizations that are already struggling with budget and skill shortage issues.</p>
<p>Organizations need to focus on detection and response because clearly current technology, configurations and the endless stream of security supply chain vulnerabilities together make it hard to prevent initial access into networks.</p>

Last edited 11 months ago by Saumitra Das
Romain Lecoeuvre
InfoSec Expert
July 8, 2021 9:15 am

<p>The Kaseya cyberattack demonstrates the ability of one attack to target a very large number of users, servers and workstations at once, using a "trusted" distribution vector within the information systems of its partners or customers to mass distribute malicious code. To combat this type of threat, businesses have to put rules in place to protect their customers, employees and reputation now, before it’s too late.</p>
<p>To do so, they must: </p>
<ul>
<li>Deploy a strong integrity control strategy</li>
<li>Require strong authentication (MFA) for administration or development actions</li>
<li>Regularly check, or have checked, the different components of your IS</li>
<li>Reduce as much as possible the permissions and the scope of code coming from third parties</li>
<li>Have a BCP/BRP (Business Continuity Plan/Business Recovery Plan) to be able to react quickly and efficiently in case of an incident</li>
</ul>
<p>By implementing these rules, businesses can ensure that, regardless of the threat surface, their data, customers and employees remain protected.</p>

Last edited 11 months ago by Romain Lecoeuvre
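The first item in the list above, an integrity control on code arriving from a third party, is the one most directly aimed at the "trusted distribution vector" problem the comment describes: an update bundle pushed by a management platform should not be allowed to run until every file in it matches a digest the receiving organisation pinned out of band. The script below is an added example, not part of the original comment and not Kaseya's or any vendor's tooling; the sha256sum-style manifest format, the file names and the file contents are constructed for the demonstration. It fails closed on three conditions a practitioner cares about: a file whose digest differs from the manifest, a file the manifest lists that is absent, and a file present in the bundle that the manifest never mentioned (the way a dropped encryptor would look).

```python
"""Verify a third-party update bundle against a pinned SHA-256 manifest.

Added example. The manifest format ("<hex sha256>  <relative path>", one
entry per line, sha256sum style) and all sample files are assumptions
constructed here, not any vendor's real format or content.
"""
import hashlib
import os
import tempfile

HEX_DIGEST_LEN = 64


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Map relative path -> expected hex digest; reject unsafe paths and bad digests."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != HEX_DIGEST_LEN:
            raise ValueError(f"malformed manifest line: {raw!r}")
        int(digest, 16)  # raises ValueError if not hex
        # A manifest is itself third-party input: never let it point outside the bundle.
        if rel.startswith("/") or ".." in rel.split("/"):
            raise ValueError(f"unsafe path in manifest: {rel!r}")
        expected[rel] = digest.lower()
    return expected


def verify_bundle(bundle_dir, manifest_text):
    """Return (ok, findings). Any mismatch, missing or unlisted file fails closed."""
    expected = parse_manifest(manifest_text)
    findings = []
    present = set()
    for root, _, files in os.walk(bundle_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, bundle_dir).replace(os.sep, "/")
            present.add(rel)
            if rel not in expected:
                findings.append(("unlisted", rel))       # file the vendor never declared
            elif sha256_file(full) != expected[rel]:
                findings.append(("mismatch", rel))       # declared file, altered content
    for rel in expected:
        if rel not in present:
            findings.append(("missing", rel))            # declared file, not delivered
    return (not findings, sorted(findings))


# Constructed sample bundle: two files an MSP agent update might carry.
SAMPLE_FILES = {
    "agent/updater.bin": b"\x7fELF-placeholder-updater-bytes",
    "agent/config.ini": b"[agent]\nserver=management.example\n",
}


def build_demo_bundle(tamper):
    """Write SAMPLE_FILES to a temp dir and return (dir, manifest of the pristine files).

    With tamper=True the updater is modified after the manifest was produced and an
    undeclared file is dropped alongside it, mimicking a poisoned update."""
    bundle_dir = tempfile.mkdtemp(prefix="bundle-")
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(bundle_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in SAMPLE_FILES.items()
    )
    if tamper:
        with open(os.path.join(bundle_dir, "agent", "updater.bin"), "ab") as f:
            f.write(b"\x90\x90injected")
        with open(os.path.join(bundle_dir, "agent", "hotfix.dll"), "wb") as f:
            f.write(b"MZ-placeholder-undeclared-payload")
    return bundle_dir, manifest


def run_demo():
    """Verify a pristine bundle and a tampered one; return (ok_clean, ok_tampered, findings)."""
    clean_dir, manifest = build_demo_bundle(tamper=False)
    ok_clean, _ = verify_bundle(clean_dir, manifest)
    bad_dir, manifest = build_demo_bundle(tamper=True)
    ok_tampered, findings = verify_bundle(bad_dir, manifest)
    return ok_clean, ok_tampered, findings


if __name__ == "__main__":
    ok_clean, ok_tampered, findings = run_demo()
    print("pristine bundle accepted:", ok_clean)
    print("tampered bundle accepted:", ok_tampered, findings)
```

The manifest must come from a channel the update itself cannot alter (pinned in configuration, or signed with a key the bundle never carries); a digest list delivered inside the same bundle proves nothing, because whoever replaced the updater could regenerate it. Treating an unlisted file as a hard failure rather than a warning is the design choice worth keeping: in a compromised-distributor scenario the extra file is the payload.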
Jeff Costlow, CISO
InfoSec Expert
July 8, 2021 9:21 am

<p>Kaseya is a terrifying example of how quickly cybercriminals are adopting Advanced Persistent Threat (APT) tactics. In the Kaseya attack, the threat actors deliberately targeted a well-established but little-known software management firm that would allow them access to hundreds of other environments. They meticulously researched their target and found a zero day flaw in their software. They then exploited it and waited for a long holiday weekend to detonate their ransomware.</p>
<p>This technique parallels almost exactly the techniques used by nation-state adversaries in the NotPetya attack four years ago –– which used an exploit in Ukrainian tax software MeDoc –– and more recently, in the SolarWinds SUNBURST attack. Both NotPetya and SUNBURST used exploits in software that was widely used but little known to the public to disseminate malware on a massive scale. Both waited for national holidays (the former in Ukraine, the latter in the US) when many were out of the office to detonate their attacks.</p>
<p>The fact that techniques that were once the dominion of the most advanced nation states are now being used to extract multi-million dollar ransoms should serve as a stark warning for every organization and every software vendor. The threat of sanctions or other diplomatic repercussions is of no concern to cybercriminals that operate outside the bounds of any government. Ransomware is now an advanced persistent extortionate threat –– one that’s far more calculated than opportunistic. </p>

Last edited 11 months ago by Jeff Costlow
Information Security Buzz