Kaseya Ransomware Cyberattack
This is the latest ransomware attack in the recent string of attacks such as fuel supplier Colonial Pipeline and JBS Foods, a meat processor
With their data seized and a demand of $70 million in Bitcoin, Kaseya is suffering one of the largest ransomware attacks of the past few years. Kaseya is a tech company that helps smaller companies manage their IT, an important service for small firms. It sells its technology to third-party service providers who manage the IT of small and medium-sized companies that cannot run their own technology departments. This means that the criminal hackers had access to a myriad of different companies' software, releasing malware through the latest security update from Kaseya. The attack has already knocked out dozens of IT support firms that use Kaseya's remote management tool.
The attack happened just before the Fourth of July weekend celebrations, which gave the hackers more time to encrypt files and devices before anyone could notice or respond. The Virtual System/Server Administrator (VSA), used by Kaseya customers to manage and monitor infrastructure, is supplied either as a hosted cloud service or as an on-premises VSA server. VSA server updates happen regularly, and on Friday 2nd July a server update was released that contained malicious code which allowed REvil, the criminal hacker group, to break into customers' data and demand a ransom for its return. Around 30 of the affected customers were Managed Service Providers (MSPs), so the malware was passed on to all of their customers who used this software. Thousands have been affected and are being urged not to click on links, as they may contain malware, though it hasn't yet been outlined what they should actually do in this instance. Kaseya has reported that around 800 to 1,500 businesses have been affected, but private researchers estimate the figure is closer to 2,000. A variety of organisations have been burdened by the attack, including local and state governments and agencies, dentists' offices, and even supermarkets in Sweden and schools in New Zealand.
“This is very scary for a lot of reasons – it’s a totally different type of attack than what we have seen before,” Doug Schmidt, a professor of computer science at Vanderbilt University said. “If you can attack someone through a trusted channel, it’s incredibly pervasive – it’s going to ricochet way beyond the wildest dreams of the perpetrator.”
The criminal cyberhacking group REvil is said to be behind the Kaseya attack, and seemingly originates from Eastern Europe or Russia, as its members primarily communicate in Russian online and its malware is designed to avoid Russian devices. It provides its ransomware as a service, supplying the tools other groups need to carry out attacks and then taking a cut of the profits. It executes its own attacks too, such as Kaseya and the JBS attack last month, where it demanded $11 million after bringing the company to a halt until the ransom was paid, and the attack on Acer electronics. Experts have been tracking the group since it began its activities in 2019, and many other hacking groups appear to have been created by people who were involved with REvil, including the DarkSide group that carried out the Colonial Pipeline attack. US officials have urged Russia to take action against the criminal groups operating within the country.
CISA (the US Cybersecurity and Infrastructure Security Agency), the FBI and cybersecurity forensics experts are working with Kaseya to get to the bottom of the issue and to work out how to stop it. A compromise detection tool was released in June to around 900 of Kaseya's customers who had requested it; the tool can be used to detect whether a customer's VSA servers have been infected. Kaseya's chief executive, Fred Voccola, has said that he isn't able to confirm whether they are paying the ransom or negotiating a lower price: "No comment on anything to do with negotiating with terrorists in any way". These types of attacks are becoming more complex, and the hacking groups are becoming more comfortable with what they are doing because they aren't being caught. This means that they either end up receiving the ransom, which encourages them to aim higher for bigger companies and more money, or they are free to take over the companies, as their malware and intrusions are intricate and often very difficult to stop.
White House Press Secretary Jen Psaki said in a press conference that Joe Biden will be meeting with officials from the departments of Justice, State and Homeland Security to discuss ransomware and US efforts to help stop it.
"If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action, or reserve the right to take action, on our own," she said.
Keep up to date with the latest tech industry insights and trends, as well as information technology, app development and small business content, on the Proteams Blog.