Kaseya ransomware attack could affect 1000+ businesses worldwide

A ransomware attack on the software firm Kaseya could affect thousands of businesses and organizations worldwide. Security researchers are still assessing the damage, but analysts are already calling the Kaseya ransomware attack “colossal and devastating”.

In this article, we’ll tell you what happened, what we know so far, and how to learn more about the growing threat of ransomware.

What happened?

Last Friday, affiliates of the REvil ransomware gang hit software vendor Kaseya with a ransomware attack. Experts believe that the timing of the attack — just before the Fourth of July holiday weekend in the United States — was intentional.

Kaseya develops software for managing networks, systems, and IT infrastructure. Friday’s attack compromised the company’s “VSA” product. VSA is a cloud-based platform used to monitor and manage IT resources remotely.

Complicating matters is the fact that many Managed Service Providers (MSAs) use VSA. MSAs are companies that handle IT services for other companies. This means that the Kaseya ransomware attack has the potential to spread beyond immediately affected Kaseya customers to other companies further downstream. In other words, this is a classic example of a supply-chain attack.

Who is REvil?

REvil is a Ransomware as a Service (RaaS) gang. They provide “off-the-shelf” ransomware to bad actors, who deploy it on behalf of REvil in exchange for a percentage of the ransom payments. Security researchers believe that REvil operates from somewhere in Russia. However, it is important to note that REvil is a private criminal organization. They are not clearly linked to the Russian government as some APTs are.

RaaS products are often used by unskilled threat actors. But Kaseya says that last week’s attack showed signs of real sophistication. Unlike many ransomware incidents, they say that this one was not the result of some unfortunate employee clicking on a simple phishing email. Security researchers in The Netherlands appear to have confirmed this, reporting that the Kaseya ransomware attack exploited several 0-day vulnerabilities in VSA.

Impact of the Kaseya ransomware attack

We still don’t know exactly how many companies were impacted by the Kaseya ransomware attack.

The company’s VSA product has around 37,000 active users. However, Kaseya says that the attack only affected to “a small number” of their 6,500 on-premise VSA users.

Even so, since most of those users are MSPs, the total number of victims may be far larger. An early report from Reuters cited a figure of over 200 affected businesses. And security researchers at ESET say that their telemetry shows the attack spreading to multiple countries around the world.

Response

Kaseya responded to the attack by issuing an alert to its customers. The company advised anyone with an on-premise instance of the affected software to take their VSA servers offline. In addition, Kaseya temporarily took all cloud-based instances of VSA offline.

The company is now working to restore functionality to its users. According to media reports, Kaseya has contracted the cybersecurity firm FireEye to help them deal with the incident.

In the US, both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are investigating the situation. U.S. President Joe Biden says that the United States will respond if the Russian government was involved in the attack. However, in remarks made to reporters on Saturday, he said “The initial thinking was it was not the Russian government”.

Learning More

Ransomware is a growing cybersecurity threat, affecting every industry and sector. Interested in learning more about ransomware, and about the background to this problem? Check out the following articles and Checklist podcast episodes:

Filed under Blog, Security News

Tags kaseya, malware, raas, ransomware, revil, vsa