Ransomware Attack on Kaseya, One of the Biggest Cyberattacks on Record


The firm Kaseya, which helps companies remotely manage their IT infrastructure (among other services), was hit on Friday with an attack believed to have been carried out by the Russian-linked cybercrime gang REvil.

The attack infected hundreds of companies in at least 17 countries.

Intwo Incident Response Plan

Pursuant to our Intwo incident response plan, we have notified key personnel and immediately assessed any potential risks to our systems and our customers. Our team of experts has confirmed that we do not use the breached software known as Kaseya VSA, which means that our clients have not been affected by the attack. Our team has also confirmed that the remote management tools currently used by Intwo are fully patched and up to date. This will minimize any potential cybersecurity vulnerabilities for this and other cyber-threats.

Here at Intwo, our team of experts is vigilant and proactive when it comes to providing protection and security to our customers, their infrastructure, and their data.

Please feel free to reach out with any questions regarding this or any cyber incident you may have experienced, or if you would simply like to discuss how Intwo can help your team establish the best security posture and practices for your business.

What Happened With Kaseya

The affected product is software that provides a single framework for maintaining a company's IT policies and helps it manage remote endpoints. The software can monitor devices, deploy patches to strengthen the security of the IT infrastructure, and control endpoint systems remotely.

On Saturday morning, Kaseya confirmed that it had suffered a “sophisticated cyberattack” on its VSA software, the main tool for remote control. The company said that only about 40 customers had been affected. But because Kaseya’s software is used by large IT companies that offer contract services to hundreds of smaller businesses, the hack could have spread to thousands of victims.

On July 2, Kaseya issued a security advisory urging its nearly 40,000 customers to disconnect their Kaseya software immediately and shut down any versions of VSA running on their own servers. It also suspended its own cloud-based VSA service. The cybersecurity firm Huntress Labs (2021) said it had tracked 20 IT companies, known as managed-service providers, that had been hit by this cyberattack.

The company is at the epicenter of a security crisis that combines two of the most devastating tactics being deployed by hackers today: supply chain attacks and ransomware. The former involves targeting companies whose software is widely used by other businesses. Once inside the supplier's system, attackers use it as a jumping-off point to access its customers' networks as well. The attackers then install ransomware, which locks up victims' data and releases it only once the ransom has been paid, typically in hard-to-trace cryptocurrencies. It is possible that the attacker does not release the data even after payment, which is why experts do not recommend paying the ransom.

The chain reaction of events affected hundreds of companies, including a railway, a pharmacy chain and, in Sweden, the grocery retailer Coop, which was forced to close at least 800 stores on Saturday, according to Sebastian Elfors, a cybersecurity researcher at the security company Yubico. Outside Coop stores, signs turned customers away: "We have been hit by a large IT disturbance and our systems do not work", as seen below.

grocery retailer Coop

This is a map provided by WeLiveSecurity (2021) depicting victims of the Kaseya cyberattack by country, with darker green marking the most affected countries and light green the least.

Map by WeLiveSecurity: https://www.welivesecurity.com/

Kaseya has continually posted alerts to its website since Friday, promising software updates for better security and a compromise detection tool for customers that requested it. Since Saturday, no new attacks have been reported beyond the 60 customers officially confirmed as hit. Because this was a supply chain attack, a large number of small businesses remain unaccounted for, and the count could rise into the thousands if the incident is not resolved quickly.

The REvil group has set a price for decrypting all systems locked during the Kaseya supply-chain attack. It wants $70 million in Bitcoin for access to the tool that would allow all affected businesses to recover their files. This is the highest ransom demand to date; the previous record, also held by REvil, was a $50 million demand after its attack on Taiwanese electronics and computer maker Acer. As of July 5, 2021, there had been no further updates on the matter since the demand was made.

President Biden suggested on Saturday that the U.S. would respond if it were determined that Russia is at all involved. Less than a month ago, he pressed Russian President Vladimir Putin to stop providing a safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.

Ransomware Protection Tips

There are many ways to better protect against ransomware and related threats. The Cybersecurity and Infrastructure Security Agency (CISA) provides these three basic recommendations that will help companies and users be better protected against ransomware attacks:

  • Back up your computer – Perform frequent backups of your system and other important files and verify your backups regularly. If your computer becomes infected with ransomware, you can restore your system to its previous state using your backups.
  • Store your backups separately – Best practice is to store your backups on a separate device that cannot be accessed from a network, such as an external hard drive. Once the backup is complete, make sure to disconnect the external hard drive or other separate device from the network or computer.
  • Train your organization – Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails.
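The first two CISA recommendations above (frequent backups that are verified regularly, stored on a device that stays disconnected) leave one practical question open: how do you check that a backup has not been silently altered since it was taken? The following script is an added example, not code from Intwo, Kaseya or CISA. It records a SHA-256 manifest of the source tree at backup time and later compares the backup copy against that manifest, so files that have been overwritten, deleted or added (the footprint ransomware leaves when it reaches a backup) show up as findings rather than being discovered during a restore. The file names, directory layout and sample contents are constructed for the demonstration.

```python
"""Backup integrity check: build a SHA-256 manifest at backup time, then verify
the backup copy against it. Added example; not Intwo's, Kaseya's or CISA's code."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def verify_backup(backup_root: Path, manifest: dict[str, str]) -> dict:
    """Compare a backup tree to the manifest taken when it was created.

    missing    - files listed in the manifest that are gone from the backup
    modified   - files whose content hash no longer matches (e.g. encrypted)
    unexpected - files in the backup that the manifest never listed
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(set(current) - set(manifest))
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario: back up a small tree, verify it, then damage the
    backup copy the way an intrusion would and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"                        # constructed source tree
        drive = Path(tmp) / "external_drive"            # stands in for the offline disk
        backup = drive / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        # Backup time: copy the tree and store the manifest next to it (not inside it).
        shutil.copytree(src, backup)
        save_manifest(build_manifest(src), drive / "manifest.json")

        # Verification time: the clean copy must match exactly.
        manifest = load_manifest(drive / "manifest.json")
        clean = verify_backup(backup, manifest)

        # Simulate damage: one file's content replaced, one extra file dropped in.
        (backup / "finance" / "ledger.csv").write_bytes(b"\x00\x11constructed-garbage")
        (backup / "README_RESTORE.txt").write_text("constructed placeholder\n")
        damaged = verify_backup(backup, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean_result, damaged_result = demo()
    print("clean backup:  ", clean_result)
    print("damaged backup:", damaged_result)
```

Keep the manifest with the backup on the detached drive and a second copy somewhere the backup host cannot write to; a manifest that lives on the same always-connected machine as the data can be altered along with it. Run the verification each time the drive is reconnected, before any new backup overwrites the previous one.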

Intwo Cybersecurity Global Team

Frequently Asked Questions

The Kaseya ransomware attack was a sophisticated cyberattack on Kaseya's VSA software, the company's main remote control tool used by IT managed service providers worldwide. The attack was carried out on a Friday in July 2021 and infected hundreds of companies across at least 17 countries. Kaseya helps businesses remotely manage their IT infrastructure, so the breach gave attackers a single jumping-off point to reach thousands of downstream small businesses. It quickly became one of the biggest cyberattacks on record.

The Kaseya cyberattack is believed to have been carried out by REvil, a Russian-linked cybercrime gang. The group has been responsible for several major ransomware operations and was already known to global security agencies for its extortion-focused tactics. President Biden suggested that the United States would respond if Russia was determined to be involved. Less than a month before the attack, he had pressed Russian President Vladimir Putin to stop providing a safe haven to REvil and other ransomware gangs, whose attacks the US deems a national security threat.

Kaseya initially confirmed about 40 customers were directly affected, but because its software is used by large IT companies that serve hundreds of smaller businesses each, the impact spread to hundreds of companies across at least 17 countries. Cybersecurity firm Huntress Labs tracked 20 IT companies, known as managed-service providers, that were hit. The Swedish grocery retailer Coop was forced to close at least 800 stores on the Saturday after the attack, putting up signs that read “We have been hit by a large IT disturbance and our systems do not work”.

Kaseya VSA is software that provides a single framework for maintaining the IT policies of a company and helps manage remote endpoints. It can monitor devices, deliver patching updates to enhance security, and control endpoint systems remotely. These same capabilities made it an attractive target. By compromising one supplier whose software runs across many businesses, attackers could use VSA as a jumping-off point to reach customer networks at scale. On July 2, Kaseya urged its nearly 40,000 customers to disconnect VSA immediately and suspended its own cloud-based service.

A supply chain ransomware attack combines two of the most devastating tactics deployed by hackers today. The supply chain element involves targeting companies whose software is widely used by other businesses. Once inside the supplier's system, attackers use it as a jumping-off point to access customer networks as well. The ransomware element then locks up victims' data, releasing it only once a ransom is paid, typically in hard-to-trace cryptocurrencies. It is possible the attacker never releases the data even after payment, which is why experts do not recommend paying.

REvil demanded 70 million US dollars in Bitcoin for a universal decryptor that would unlock all systems affected by the Kaseya supply chain attack. This was the highest ransom demand on record at the time. The previous record also belonged to REvil, which had demanded 50 million dollars from Taiwanese electronics and computer maker Acer earlier in 2021. The sheer scale of the demand reflects how a single supply chain attack can compound leverage across hundreds of victim organisations simultaneously, making such attacks far more profitable than targeting one company at a time.

No, Intwo was not affected by the Kaseya attack. Pursuant to our incident response plan, we notified key personnel and immediately assessed any potential risks across systems and customers. Our experts confirmed that Intwo does not use the breached software known as Kaseya VSA, which means our clients were not affected. Our team also confirmed that the remote management tools currently used by Intwo are fully patched and up to date, which minimises potential cybersecurity vulnerabilities for this and other cyber-threats.

Intwo follows a structured incident response plan that activates the moment a major cyber threat is reported anywhere in the supply chain. Key personnel get notified, potential risks across Intwo systems and customer environments are immediately assessed, and the team verifies which software products are in use and whether any breach vector applies. Tools in active use are confirmed as fully patched and up to date. Customers receive clear communication about whether they are affected and what protective steps Intwo has already taken on their behalf.

The Cybersecurity and Infrastructure Security Agency, or CISA, provides three basic recommendations for protecting against ransomware. First, back up your computer with frequent backups of your system and important files, and verify the backups regularly so they can be relied on for restoration. Second, store your backups separately on a device that cannot be accessed from a network, such as an external hard drive, and disconnect it once the backup completes. Third, train your organisation through regular, mandatory cybersecurity awareness sessions, including phishing assessments that simulate real-world attacks.

Businesses can protect against future ransomware by combining the CISA recommendations with strong managed security services. Regular offline backups, separate storage, and routine staff awareness training form the foundation. Beyond that, working with an Azure Expert MSP like Intwo brings active monitoring, patched remote management tools, a dedicated Security Council, and an incident response plan that activates automatically when threats emerge anywhere in the wider supply chain. With more than 20 years of experience, Intwo helps businesses establish the right security posture and practices to limit damage when attacks occur.
