By Staff Writer
Another ransomware attack over the weekend crippled businesses worldwide. The Kaseya attack is the latest in line of significant ransomware incidents. But in this attack, the hackers stand to make a record-breaking amount of money.
Kaseya is an information technology business based in Miami, Florida. On Friday, hackers targeted a Kaseya software product called VSA. The hacked software automates the installation of software and security updates, backups, and other tasks.
Kaseya’s CEO, Fred Voccola says up to 60 customers were directly impacted by the cyberattack. However, 70% of those directly impacted customers are managed service providers (MSPs) who supply IT tools to many more businesses. In addition, all of Kaseya’s estimated 36,000 customers were indirectly impacted after they were advised to take their servers offline on Friday.
“There may be larger clusters of victims based on use of common MSPs,” says Barry Hensley, Chief Threat Intelligence Officer at Secureworks.
While victims in 17 countries were identified, the attack had the biggest impact in the USA and Germany. An unidentified German IT service provider with several thousand customers was one of the 60 directly impacted Kaseya customers. In Sweden, grocery chain Coop, closed 800 stores over the weekend because Kaseya customer, Visma Esscom, provides software for their Coop’s registers.
“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack,” says Kaseya in a statement. “We believe that this has been localized to a very small number of on-premises customers only.”
Fred Viccola has told US-based media Kaseya knows what happened and it has been remediated.
“The level of sophistication here was extraordinary,” he said of the zero-day attack. Viccola believes the hackers did not just enter Kaseya’s network and corrupt code, they exploited vulnerabilities in third-party software.
Multiple sources, including security firm Huntress Labs, say an affiliate of Russian gang REvil is behind the cyberattack. Huntress Labs says the scale of the ransom demands is unprecedented, with the attackers demanding between US$450,000 and $5,000,000 per impacted customer for decryptor keys.
“MSPs are a high-value target. If an MSP manages a company’s security, it’s once removed from the company itself, which can mean the actual company is less aware of what is happening. And, as an MSP, you have a ton of data from multiple customers – much of it mission critical, so the ransom payment request is high, as it is in this case,” says Ben Carr, CISO at information security company Qualys.
The Kaseya ransomware attack has caught the eye of the United States Government. President Jo Biden noted the incident on the weekend. He said there would be a determined response if the Kremlin was found to be involved. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency in investigating and providing assistance to Kaseya and impacted customers.
Ben Carr argues these kinds of supply chain attacks need to be planned for and mitigated against. “While you can outsource the work, you can’t outsource the risk,” he says.