A ransomware attack on IT vendor Kaseya has seen up to 1,500 customers left with encrypted files, the company said last night. Notorious ransomware gang REvil is thought to be behind the breach, with the hackers exploiting a vulnerability in software used by managed service providers (MSPs) that provide IT services to small businesses. The success of the attack might encourage criminal gangs to take on bigger targets, experts have warned.
The attack was launched late last Friday to coincide with the 4th of July bank holiday weekend in the US. Kaseya, which manages various IT services on behalf of its clients, said in its latest update that up to 60 of its customers were “directly compromised by this attack”, with up to 1,500 companies in their supply chain also hit.
Consequences of the attack have been felt globally, with 800 stores belonging to Swedish grocery chain Coop having to shut down over the weekend because its systems were offline. US president Joe Biden has reportedly ordered a full investigation into the incident. Kaseya has advised companies running their services on-premise to shut down systems until further notice, and has taken its SaaS platform offline as a precaution.
Kaseya ransomware attack: how it happened
A zero day vulnerability was used to breach on-premises Kaseya VSA servers. According to Kaseya, the vulnerability was in the process of being fixed last week, just as the REvil ransomware gang exploited it to perform the attack.
Kaseya’s VSA allows users to remotely manage IT systems for their clients. As many of Kaseya’s customers supply IT services to third-party companies, it is thought up to 1,500 businesses were affected by the attack. This type of breach is known as a supply chain attack and is the same sort of attack used in the high-profile SolarWinds breach. “The VSA is utilised by [Kaseya’s] customers to deliver infrastructure management to the end-user customers” explains Rajesh Muru, principle analyst in cybersecurity at GlobalData. “[The hackers] have picked up on a vulnerability in a software product, and that software product is then being sold on to other IT companies, who deliver it to end-users.”
REvil affiliates have reportedly been in contact with affected businesses, offering single decryption keys in exchange for $45,000 paid in the cryptocurrency Monero. Considering the number of businesses involved, collecting these individual ransoms would be a mammoth task, which is perhaps why the gang is also offering a universal decryptor available to any interested parties for a price of $70m (though it has been suggested this price tag has already been reduced to $50m).
“I think the fact that they’ve issued that single ransom probably reflects that they’ve bitten off more than they can chew in terms of going after this number of victims,” says Jamie MacColl, research analyst in cyber threats and security at UK think tank the Royal United Services Institute. “Trying to negotiate with potentially a thousand victims, or however many it ends up being, is probably beyond their capacity.”
What does this mean for the future?
Small businesses are most likely to be affected by attacks targeting MSPs, explains MacColl. “MSPs primarily provide a service to SMEs because most big corporations are going to have their own in-house IT staff and IT infrastructure,” he says.
However, global companies that outsource key elements of their software infrastructure should see this as a stark warning, Muru argues. “All of the large IT services providers, such as Capgemini or IBM, have outsourcing services offering tools to large corporations,” he says. The scale at which these tools are used means any successful attack could have serious consequences. Muru says gangs may try and target this type of infrastructure in the hope of securing more lucrative ransoms. “It will be interesting to see, from a ransomware perspective, if there are going to be any groups that implement this type of attack but on a much larger scale,” he says.
What to do if you have been attacked
Kaseya itself, as well as US government cybersecurity agency CISA and the FBI, have released advice on what to do if a system has been infiltrated. These guidelines include shutting down VSA servers immediately and reporting the breach to the FBI’s cybersecurity division. Kaseya has also released a tool that can detect if any part of a system has been affected by REvil ransomware, which can be accessed here.