Security Experts Sound Alarm Over Kaseya Ransomware Attack

2021 has already broken records for cyber attacks, with an all-time high of 93% increase of ransomware and the latest victim creating ripples in the cyber world is US-based IT firm Kaseya. Between 800 and 1,500 businesses around the world have been affected by the ransomware attack apparently conducted by the Russian group REvil, which experts believe is a catastrophic combination of notorious cyber attack trends, supply chain attacks and ransomware.

With the threat landscape becoming complex, experts believe that this should be a wakeup call for other global companies in order to guard their turfs.

Kaseya provides software tools to IT outsourcing shops and firms that typically handle back-office work for very small businesses like grocery stores, small retail outlets and kindergartens to name a few that do not have their own tech departments. Fred Voccola, the company’s CEO, said in an interview that it was hard to estimate the precise impact of the attack because those hit were mainly customers of Kaseya’s customers.

About a dozen different countries have had organizations affected by the breach in some way, according to research published by cybersecurity firm ESET.

 A fixed pattern in every attack?

Sophos researchers see this as a supply chain distribution attack, in which the adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type.

“This is a pattern we’re starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data credentials and other proprietary information that they could later leverage, and more. In other wide scale attacks we’ve seen in the industry, such as WannaCry, the ransomware itself was the distributor – in this case, MSPs using a widely used IT management are the conduit,” says Mark Loman, Sophos Director of Engineering.

Lotem Finkelstein, Head of Threat Intelligence, Check Point Software Technologies observes that hackers often choose a holiday, a crisis or a busy time when just no one notices them, and in this case it was July 4 weekend.

“This was the right opportunity as IT staff goes offline and that companies are often on a skeleton crew, where eyes aren’t watching,” he says adding that it induces more panic during response operations if key players within the victims environment are unavailable to respond, possibly increasing the chances that a ransom demand will be paid.

 To pay or not to pay

As the topic of ransom payments has become increasingly fraught as ransomware attacks become increasingly disruptive (and lucrative), it is interesting to note that hackers who claimed responsibility for the breach have demanded $70 million to restore all the affected businesses’ data.

Voccola refused to say whether he was ready to take the hackers up on the offer but also comments, “No comment on anything to do with negotiating with terrorists in any way.”

The CEO has spoken to officials at the White House, the Federal Bureau of Investigation, and the Department of Homeland Security about the breach.

Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group believes that as ransomware attack continue to emerge, questions will be asked. “Will the ransom be paid? Can organizations recover their data? What kind of damage will this cause? But the only question that matters is: how can a problem like this be prevented?” he says.

“The reason ransomware is so successful is that so few organisations are properly prepared. Organisations often focus solely on functionality when selecting, deploying, and operating software. They work hard to make software do what they want it to do, but security and robustness are often neglected or ignored,” says Knudsen.

Kevin Reed, CISO at global cyber protection company Acronis, says, “Far as we’re aware, REvil’s systems involve high degree of automation – humans are only involved if a victim wants to negotiate a price. So, they may not really need to scale to cover the “long tail” of $45,000 ransoms. Victim pays to a predefined Bitcoin wallet, they detect the payment and release the decryption key for the victim – no human involved at this stage.

Reed believes, the offer of a universal decryptor is a PR stunt. If they indeed encrypted 1 million systems, assuming 1,000 systems per victim, it’s in the range of 1,000 victims – which correlates with some of the earlier findings reported.

With an average of $45,000 per victim – was their standard fee in this case – that makes up $45 million. Yes, some victims were individually targeted and had higher ransoms, but I doubt the total target reached $70 million.

Also, those individually targeted victims will be handled by humans anyway and their numbers seem not large enough at this point to impose the REvil scale-out problem, he says.

Leveraging on zero-day exploit

According to experts, a day after the attack, it became more evident that an affiliate of the REvil Ransomware-as-a-Service (RaaS) leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya’s Virtual Systems Administrator (VSA) software. Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environment.

Cyberint’s Research team recommended certain measures for the affected organizations. It recommends that organizations using Kaseya VSA on-premise should immediately keep their servers offline until further notice and to monitor Kaseya’s website for further information. Also those using VSA will need to download and install a patch prior to restarting their servers although, for safety, steps should be taken to verify the source of any update prior to installation.

“To prevent accidental or malicious disruptions, organisations must adopt a proactive, security-first approach to software. Where is your data? How is it protected? If something bad happens, like a ransomware attack or a tsunami, how will you recover? Software is a powerful tool for organisations of all kinds, but it must be selected, deployed, operated, and maintained inside a framework of security and resilience, comments Knudsen.

“This attack should sound alarm for all companies. When you let your guards down, the attackers arrive. We should expect more attacks to strike during holidays and weekends, and with remote work generating the new normal, today’s hackers are more effective than ever,” Finkelstein adds.

He believes that the influx of these breaches is only going to get worse. The threat actors behind ransomware aren’t just becoming bigger; they’re becoming better at what they do.