Ransomware Attack on Kaseya, One of the Biggest Cyberattacks on Record


The firm Kaseya, which helps companies remotely manage their IT infrastructure (among other services), was hit on Friday with an attack believed to have been carried out by the Russian-linked cybercrime gang REvil. The attack infected hundreds of companies in at least 17 countries.

InTWO Incident Response Plan

Pursuant to our InTWO incident response plan, we have notified key personnel and immediately assessed any potential risks to our systems and our customers. Our team of experts has confirmed that we do not use the breached software, Kaseya VSA, which means that our clients have not been affected by the attack. Our team has also confirmed that the remote management tools currently in use at InTWO are fully patched and up to date, which minimizes our exposure to this and other cyber threats.

Here at InTWO, our team of experts is vigilant and proactive when it comes to protecting and securing our customers, their infrastructure, and their data.

Please feel free to reach out with any questions regarding this or any cyber incident you may have experienced, or if you would simply like to discuss how InTWO can help your team establish the best security posture and practices for your business. 

What Happened With Kaseya

The affected product is software that provides a single framework for maintaining a company's IT policies and managing its remote endpoints. The software can monitor devices, push patches to strengthen the security of the IT infrastructure, and control endpoint systems remotely.

On Saturday morning, Kaseya confirmed that it had suffered a “sophisticated cyberattack” on its VSA software, the main tool for remote control. The company said that only about 40 customers had been affected. But because Kaseya’s software is used by large IT companies that offer contract services to hundreds of smaller businesses, the hack could have spread to thousands of victims. 

On July 2, the company issued a security advisory urging its nearly 40,000 customers to immediately shut down any versions of VSA running on their own servers. It also suspended its own cloud-based VSA service. The cybersecurity firm Huntress Labs (2021) said it had tracked 20 IT companies, known as managed-service providers, that had been hit by this cyberattack.

The company is at the epicenter of a security crisis that combines two of the most devastating tactics deployed by attackers today: supply chain attacks and ransomware. The former involves targeting companies whose software is widely used by other businesses. Once inside the supplier's system, attackers use it as a jumping-off point to reach its customers' networks as well. The attackers then install ransomware, which locks up victims' data and only releases it once the ransom has been paid, typically in hard-to-trace cryptocurrencies. The attacker may not release the data even after payment has been made, which is why experts do not recommend paying the ransom.
 
The chain reaction of events affected hundreds of companies, including a railway, a pharmacy chain and, in Sweden, the grocery retailer Coop, which was forced to close at least 800 stores on Saturday, according to Sebastian Elfors, a cybersecurity researcher for the security company Yubico. Outside Coop stores, signs turned customers away: "We have been hit by a large IT disturbance and our systems do not work", as seen below.

This map, provided by WeLiveSecurity (2021), shows victims of the Kaseya cyberattack by country; darker green indicates the most affected countries and light green the least.

by: https://www.welivesecurity.com/ 

Kaseya has continually posted alerts to its website since Friday, promising software updates for better security and a compromise detection tool for customers that requested it. Since Saturday, no new attacks have been reported beyond the 60 official customers that were hit. Because this was a supply chain attack, however, a large number of small businesses remain unaccounted for, and the victim count could rise into the thousands if the situation is not resolved quickly.

The REvil ransomware group has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The group wants $70 million in Bitcoin for access to a tool that would allow all affected businesses to recover their files. This is the highest ransom demand to date; the previous record, also held by REvil, was a $50 million demand after its attack on the Taiwanese electronics and computer maker Acer. As of July 5, 2021, there have been no further updates on the matter since the demand was made.
 
President Biden suggested on Saturday that the U.S. would respond if it were determined that Germany is at all involved. Less than a month ago, he pressed Russian President Vladimir Putin to stop providing a safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.

Ransomware Protection Tips

There are many ways to better protect against ransomware and related threats. The Cybersecurity and Infrastructure Security Agency (CISA) provides these three basic recommendations that will help companies and users be better protected against ransomware attacks:

  • Back up your computer – Perform frequent backups of your system and other important files and verify your backups regularly. If your computer becomes infected with ransomware, you can restore your system to its previous state using your backups. 
  • Store your backups separately – Best practice is to store your backups on a separate device that cannot be accessed from the network, such as an external hard drive. Once the backup is complete, make sure to disconnect the external hard drive or other separate device from the network or computer.
  • Train your organization – Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails. 
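The first two tips above hinge on one thing that is easy to skip: proving that a backup actually restores before the media is disconnected and put away. The script below is an added example written for this post, not code from CISA, Kaseya or InTWO; it takes a backup of a directory, records a SHA-256 manifest of the source files, performs a test restore into a scratch directory, and checks every restored file against the manifest. The function names, the file layout and the sample files in the usage section are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): back up a directory and verify
# that the archive restores correctly before it is moved to offline storage.
# Function names and paths here are constructed for the demonstration.
set -eu

# Restore ARCHIVE into a scratch directory and check every file against
# MANIFEST (a sha256sum listing). Returns 0 if the backup is intact, 1 if
# the archive is unreadable or any file is missing or altered.
verify_backup() {
    archive="$1"; manifest="$2"
    scratch=$(mktemp -d)
    # A truncated or corrupted archive fails here; treat that as a failed verify.
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"
        echo "VERIFY FAILED (unreadable archive): $archive" >&2
        return 1
    fi
    if (cd "$scratch" && sha256sum --quiet -c "$manifest"); then
        rm -rf "$scratch"
        echo "verified: $archive"
        return 0
    fi
    rm -rf "$scratch"
    echo "VERIFY FAILED (checksum mismatch): $archive" >&2
    return 1
}

# Back up SRC_DIR into DEST_DIR as a timestamped tar.gz, write a SHA-256
# manifest of the source files, then run a test restore against it.
# Returns 0 only if the freshly written backup verifies.
backup_and_verify() {
    src_dir="$1"; dest_dir="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest_dir/backup-$stamp.tar.gz"
    manifest="$dest_dir/backup-$stamp.sha256"
    mkdir -p "$dest_dir"

    # 1. Record a checksum of every file as it exists before the backup runs.
    #    -r (GNU xargs) avoids hashing stdin when the source tree is empty.
    (cd "$src_dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) > "$manifest"
    if [ ! -s "$manifest" ]; then
        echo "nothing to back up in $src_dir" >&2
        return 1
    fi

    # 2. Take the backup.
    tar -czf "$archive" -C "$src_dir" .

    # 3. Prove it restores before the media is detached.
    verify_backup "$archive" "$manifest"
}

# Usage (constructed sample data):
#   SRC=$(mktemp -d); DEST=$(mktemp -d)
#   printf 'alpha\n' > "$SRC/a.txt"
#   backup_and_verify "$SRC" "$DEST"
```

In practice the manifest belongs somewhere other than the backup media itself (the example writes both to the same destination only to keep it short), so that a corrupted or tampered archive on the external drive can still be detected against a trusted record. Running `verify_backup` again on a schedule is the "verify your backups regularly" step from the first tip.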

InTWO Cybersecurity Global Team