At the onset of the July Fourth holiday weekend, cyber criminals infiltrated the systems of Kaseya, a Florida-based IT firm, and launched a devastating ransomware attack. They encrypted and seized large volumes of data and demanded $70 million for its release.
The hack, which CBC News calls "the biggest ransomware attack on record," is just the latest in a string of recent ransomware incidents. It confirms that ransomware is here to stay and is getting worse by the day. In this article, we give an account of how the Kaseya ransomware attack happened and the steps you can take to keep your organization safe.
How Did the Kaseya Ransomware Attack Happen?
On July 3rd, Kaseya released a compromised QFE (quick fix engineering) update and propagated it through its VSA servers. The hotfix carried the Sodinokibi (REvil) ransomware payload, and every client who downloaded it had their servers and shared folders encrypted and compromised almost immediately.
The attackers were very deliberate in targeting Kaseya VSA, a remote network management tool used by MSPs and cybersecurity vendors to manage hundreds of client systems. First, this gave them a way into the networks of hundreds of businesses at once. Second, VSA has broad access and performs many routine tasks, making it an ideal backdoor that is hard to monitor.
The attack has a lot in common with the infamous SolarWinds supply chain attack. Both compromised updates delivered through vulnerable, internet-facing servers in order to hit many organizations at once. However, unlike in the SolarWinds hack, there is no indication whatsoever that the hackers compromised Kaseya's own infrastructure. Also, the Kaseya attack is financially motivated, whereas the SolarWinds hack was straightforward espionage, so there is no telling how far the attackers will go in pursuit of a ransom.
Who is Responsible?
REvil, one of the world's most notorious ransomware gangs, claimed responsibility for the attack and demanded up to $70 million in ransom. Some of the victims are currently negotiating with the group.
According to REvil, it has infiltrated and gained control of more than a million networks. However, as of July 6th, Bleeping Computer reported that the attack affected about 60 of Kaseya's direct clients, compromising the systems of between 800 and 1,500 organizations downstream. By any standard, these figures are massive, placing the hack on the list of the worst ransomware attacks of 2021 so far.
Should You Be Worried About The Kaseya Ransomware Attack?
Unless you are a Kaseya client, either directly or indirectly through an MSP, there is no need for alarm. However, the attack will undoubtedly have cybersecurity experts worried.
The hackers used high-level planning and sophisticated execution that bear the hallmarks of a government-sponsored hacker group. They adopted two new tactics that cyber criminals had never used before anywhere in the world. Worst of all, they even deployed a zero-day: a software vulnerability that the developers have not yet discovered and therefore have no fix for.
Although REvil, best known for its attack on JBS, has been active since 2019, it had until now only attacked single organizations. Its weekend supply chain hack therefore caught cybersecurity experts by surprise. The group did not go after one organization or a single IT support company; it went after a software company with thousands of customers.
So far, the most significant casualties are 11 schools in New Zealand, a Swedish store that was brought to a standstill for more than 24 hours, and a few smaller U.S. businesses.
How to Safeguard Your Organization Against Ransomware Attacks
The first step is to assume that you are always the next target; nobody is safe. Consider implementing the following safety protocols:
- Install automated threat detection systems: Ransomware attackers sometimes camp in a target network for weeks, or even months, before launching an attack. With an effective threat detection system, you can pinpoint anomalous patterns in your network and stop threats before they escalate into serious incidents.
- Adopt multi-factor authentication: With more employees working remotely and carrying office devices home, organizations face the challenge of ensuring that those devices and logins do not land in the wrong hands. That is why you need MFA: even if hackers steal user credentials or devices, they will not be able to access your network easily. You can use MFA together with single sign-on so that admins can remotely lock and wipe devices when they are lost.
- Install software updates in phases: As the Kaseya incident shows, hackers increasingly use software updates as a way into company networks. To avoid this trap, deploy updates first to a small group of users in the IT department and scan them for threats before rolling them out to the entire organization.
- Back up all your data: Ransomware attackers feed on the confusion and uncertainty caused by a breach to pressure businesses into paying. With a secure, easy-to-restore offline backup, you can resume regular operations quickly and negotiate with the attackers on your own terms.
- Train your employees on ransomware preparedness: Even with the most advanced cybersecurity systems in place, your network is vulnerable if employees are not properly trained. Regularly train your users on how to identify threats, how to prevent attacks, and how to respond quickly. You can also occasionally run simulated attacks to gauge their preparedness.
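As an added example (not LeadingIT's or Kaseya's code), the phased-update advice above expressed as a rollout gate: an update must match the vendor's published digest, pass a scanner hook, and soak in a pilot ring for a policy period with no detections before it is promoted to all hosts. The soak period, ring layout, scanner hook, digests and sample payloads are assumptions or constructed values.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable

PILOT_SOAK_HOURS = 24  # assumed policy: pilot ring soaks a full day before promotion

@dataclass
class Update:
    name: str
    payload: bytes
    vendor_sha256: str  # digest the vendor publishes out of band (constructed here)

@dataclass
class PilotStatus:
    hosts: int = 0               # pilot hosts that already received the update
    hours_deployed: int = 0      # time since the pilot deployment
    alerts: list[str] = field(default_factory=list)  # detections raised on pilot hosts

def signed_by_vendor(name: str, payload: bytes) -> Update:
    """Simulate an honest vendor publishing the digest of exactly these bytes."""
    return Update(name, payload, hashlib.sha256(payload).hexdigest())

def integrity_ok(upd: Update) -> bool:
    """Reject update bytes that differ from the vendor-published digest."""
    return hashlib.sha256(upd.payload).hexdigest() == upd.vendor_sha256

def rollout_decision(upd: Update, pilot: PilotStatus,
                     scanner: Callable[[bytes], list[str]]) -> str:
    """Next step: block, deploy to pilot, wait, hold or promote; `scanner` is your AV/EDR hook."""
    if not integrity_ok(upd):
        return "block: digest mismatch"
    findings = scanner(upd.payload)
    if findings:
        return "block: scanner flagged " + ", ".join(findings)
    if pilot.hosts == 0:
        return "deploy: pilot ring only"
    if pilot.alerts:
        return "hold: investigate pilot alerts " + ", ".join(pilot.alerts)
    if pilot.hours_deployed < PILOT_SOAK_HOURS:
        return f"wait: {PILOT_SOAK_HOURS - pilot.hours_deployed}h of pilot soak remaining"
    return "promote: deploy to all rings"

if __name__ == "__main__":  # constructed sample run
    upd = signed_by_vendor("vsa-hotfix", b"constructed hotfix bytes")
    clean = lambda _b: []  # scanner hook reporting no findings
    print(rollout_decision(upd, PilotStatus(), clean))
    print(rollout_decision(upd, PilotStatus(hosts=5, hours_deployed=30), clean))
    tampered = Update(upd.name, upd.payload + b"\x00", upd.vendor_sha256)
    print(rollout_decision(tampered, PilotStatus(), clean))
```

Wire the scanner hook to your real AV/EDR scan and feed pilot alerts from your detection system; the gate then refuses to promote anything the pilot ring has flagged.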
LeadingIT offers 24/7, all-inclusive, fast, and friendly technology and cybersecurity support for nonprofits, manufacturers, schools, accounting firms, religious organizations, government, and law offices with 10-200 employees across the Chicagoland area.