Why the Kaseya VSA Ransomware attack is Important
The Kaseya VSA Ransomware attack made headlines over the Independence Day weekend. For non-technical readers, what happened here could be difficult to understand. This short blog will highlight specifically what is so scary about the situation.
This latest Ransomware event is sponsored by the dark web’s favorite bad guys, REvil – best known for their recently extorting $11 Million from global Meat Processing firm JBS. This latest attack is the biggest ever perpetrated, they are currently asking for $5M from each impacted business (estimated 800 - 1,500 uniquely impacted) or a payout in the amount of $70M to release all data from their clutches.
What is Kaseya VSA?
Kaseya is a Remote Monitoring and Management software that is used by IT Departments and Managed Service Providers to help manage desktops and servers. The software puts hooks into the Operating Systems so that patching can be updated, performance can be monitored, and applications can be distributed. Kaseya VSA agents are installed onto all machines and communicate with either a Cloud System or a locally installed Server. In this instance, the threat was specifically allocated to users delivered from locally installed servers.
How big is Kaseya?
Kaseya is (was) valued as a $2 Billion Dollar company before the attack. Their tools are widely adopted and are known to be a top-3 company within the Remote Monitoring and Management industry. It is believed that over 40,000 organizations across the globe have some sort of Kaseya software installed within their network. This attack was very specific and likely only impacted less than 1% of the installed base.
The Attack Explained
At some point last year, cyber criminals exploited an arbitrary file upload vulnerability with a SQL injection. Kaseya believes that an authentication bypass was used to gain access into the servers.
The servers were used by Managed Service Providers – all across the Globe. Managed Service Providers install Kasey RMM agents to mage systems effectively, but they were unaware that they were literally serving Malware to their clients. The MSPs and their Clients have now become compromised and are being held hostage for Ransom Payments.
The Cyber Criminals really know what they were doing and seemed to specifically target organizations that would not only be most susceptible, but also most likely to cough up the ransom. Before the attack was initiated, the cyber criminals used tools to map specific Kaseya partners and their clients and ran the threat against the ones the felt would be the most profitable.
What is Kaseya doing now:
Kaseya is taking the appropriate steps and is remaining transparent about the situation. This is good as it will allow everyone to take necessary steps to mitigate the threats. Kaseya’s leadership is continuing to provide updates here. So far, they isolating services by keeping them off and applying appropriate patches. They are providing the public with a detection tool and dictating best practices to mitigate.
What’s the worst that can happen?
Data coming out now is showing that the attack was designed to be propagated across 50 specific Managed Service Providers that were running the application off of an on-premise servers (as opposed to Kaseya’s Cloud service). Between 800 – 1500 businesses that contract these MSPs have been compromised.
If best practices were not properly deployed, then the only solution may be to pay the ransom. If back-ups were not destroyed/erased during the breach, then it is possible for data to be recovered without paying a ransom. This, of course, depends on how strong each businesses’ security poster was.
Best Ways to Mitigate Ransomware:
- Apply some sort of the principals of least privilege, limiting system access from internal users and the rest of the world.
- Use Multi-Factor Authentication.
- Run Daily Back-ups to an isolated back-up environment
- Run anti-Ransomware software alongside your Anti-Virus to encrypt your data from external threats.
- Routinely patch systems and even periodically (or proactively) scan the network for vulnerabilities.
Conclusion
Ransomware continues to be a huge threat to the Information Technology landscape. This attack has shown to be extremely creative and directed. Time will likely show that it was also quite effective (profitable) for the criminals.