The REvil group is claiming that over 1 million devices have been infected and is demanding $70 million for a universal decryption key.
A ransomware attack against a single company’s software product is having a ripple effect across more than 1,000 organizations. On July 3, enterprise IT firm Kaseya revealed a successful cyberattack against its VSA product, a program used by Managed Service Providers (MSPs) to remotely monitor and administer IT services for customers.
At the time, Kaseya said that the incident affected only a very small number of on-premises customers. But the supply chain nature of Kaseya’s business means that far more companies have now been caught in the aftermath of the attack.
In a new blog post, security firm Huntress said that it’s been tracking around 30 MSPs around the world where the Kaseya VSA was exploited to encrypt data across more than 1,000 businesses. These numbers are up from Huntress’ initial report on July 3 noting that eight MSPs were impacted, affecting around 200 businesses with encrypted files. All of the VSA servers for the compromised MSPs are located on premises.
Kaseya’s own upper-bound estimates are higher still. In an update to its ongoing blog post, the company said the attack affected fewer than 60 customers, all of them users of the on-premises VSA product. Counting the downstream ripple effect, Kaseya estimates that fewer than 1,500 businesses were affected in total.
“It shouldn’t surprise that extortionists would target critical IT software that could serve as the initial access into more victims’ networks,” said Rick Holland, chief information security officer and VP for strategy at risk protection provider Digital Shadows. “Managed Service Providers (MSPs) leverage Kaseya’s software, making them an attractive target because extortionists can quickly increase potential targets. In addition, companies that leverage MSPs are typically less mature small and medium-sized businesses (SMBs), which usually have less mature security programs.”
As is often the case, the attackers got in by exploiting a security flaw in the VSA software itself. Specifically, the attack took advantage of a zero-day vulnerability, CVE-2021-30116, in the VSA server, with the ransomware payload then pushed to managed endpoints disguised as a VSA update, according to Kevin Beaumont at the cybersecurity site DoublePulsar. Having gained administrator rights on the VSA server, the attackers infected the MSPs’ systems and, through them, the managed systems of the MSPs’ customers.
“This attack highlights once more that hackers are ready and waiting to exploit lax security and unpatched vulnerabilities to devastating effect,” said Jack Chapman, Egress VP of threat intelligence. “It also shows the importance of securing not just your own organization, but your supply chain too. Organizations must closely examine their suppliers’ security protocols, and suppliers must hold themselves accountable, ensuring that their customers are defended from the ever-growing barrage of malicious attacks.”
The culprit behind the attack is REvil, the infamous ransomware group responsible for many other high-profile attacks. On its “Happy Blog” site, the group took responsibility for the attack against Kaseya, claiming that more than 1 million systems were infected, according to security firm Sophos. REvil also dangled an offer covering all victims of the attack: in exchange for $70 million worth of bitcoin, the group would publish a universal decryptor with which every affected company could recover its files.
In its response to the attack, Kaseya took several actions. The company said it immediately shut down its SaaS servers as a precaution, even though it had received no reports of compromise from any SaaS or hosted customers. It also notified its on-premises customers by email, in-product notices and phone, instructing them to shut down their VSA servers.
Further, Kaseya enlisted the aid of its internal incident response team as well as outside experts in forensic investigations to learn the root cause of the attack. Additionally, the company contacted law enforcement and government cybersecurity agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
Kaseya, CISA and other parties have been quick to offer advice to potentially affected companies and customers.
First, organizations with on-premises VSA servers are urged to shut them down to avoid further compromise.
Second, organizations can download and run Kaseya’s Compromise Detection Tool, which analyzes a VSA server or managed endpoint for indicators of compromise (IoCs). The latest version of the tool also scans for encrypted data and for the REvil ransom note, so even companies that have already run the tool should run it again with the current version.
Third, CISA and the FBI advised affected MSPs to enable and enforce multifactor authentication (MFA) on every account, to allowlist known IP addresses so that only they can reach remote monitoring and management (RMM) features, and to place RMM administrative interfaces behind a VPN or a firewall.
Fourth, organizations should ensure that backups are up to date and kept in an easily retrievable location that is air-gapped from the main network, adopt a manual patch management process that follows vendor guidance and installs new patches as soon as they become available, and apply the principle of least privilege to key network administrator accounts.
Finally, affected and interested organizations should follow Kaseya’s helpdesk blog on the ransomware attack for daily updates.
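As an added example (it is not part of the original article and is not Kaseya’s Compromise Detection Tool), the Python script below shows the kind of check the second recommendation above describes: it walks a directory tree, flags files whose bytes are uniformly high-entropy ciphertext where a document should be, and flags small README-style text files that read like a ransom note. The sample tree, the appended extension `.k3j9x`, the note filename pattern and the note wording are all constructed for this example; they are not REvil indicators.

```python
"""Toy post-incident scan for ransomware artifacts (added example, not Kaseya's tool).

Two indicators such a scan looks for: (1) files whose content is uniformly
high-entropy, i.e. encrypted, where a document should be, and (2) a ransom
note dropped beside them. A small constructed sample tree is built and scanned.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Shannon entropy (bits per byte) above which a file is treated as probably
# encrypted. English text sits around 4-5 bits; random bytes approach 8.
ENTROPY_THRESHOLD = 7.5

# Assumed ransom-note heuristic for the example: README-like filename plus a
# body mentioning decryption or payment. Not REvil's real note name or text.
NOTE_NAME_RE = re.compile(r"readme|decrypt|restore|how_to", re.IGNORECASE)
NOTE_BODY_RE = re.compile(r"decrypt|bitcoin|btc|payment", re.IGNORECASE)
NOTE_MAX_BYTES = 64 * 1024

# File types that are high-entropy by design (compressed or encrypted) and
# must not be reported as ransomware output.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".gpg"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the file prefix is near-random and the type is not expected to be."""
    # Ransomware output is uniformly random, so a 64 KiB prefix is enough and
    # large files stay cheap to check.
    with path.open("rb") as fh:
        head = fh.read(64 * 1024)
    if len(head) < 256 or path.suffix.lower() in KNOWN_HIGH_ENTROPY:
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(path: Path) -> bool:
    """True for a small UTF-8 text file with a README-like name and ransom wording."""
    if not NOTE_NAME_RE.search(path.name) or path.stat().st_size > NOTE_MAX_BYTES:
        return False
    try:
        text = path.read_text(encoding="utf-8", errors="strict")
    except UnicodeDecodeError:
        return False  # binary file with a README-like name; not a note
    return bool(NOTE_BODY_RE.search(text))


def scan_directory(root) -> dict:
    """Return {'encrypted': [...], 'notes': [...]} as paths relative to root."""
    root = Path(root)
    findings = {"encrypted": [], "notes": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(path):
            findings["notes"].append(rel)
        elif looks_encrypted(path):
            findings["encrypted"].append(rel)
    return findings


def build_sample(root) -> None:
    """Constructed sample tree: two clean files, two 'encrypted' files, one note."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "q2-report.txt").write_text("Quarterly revenue was flat.\n" * 40)
    (root / "finance" / "archive.zip").write_bytes(os.urandom(4096))  # random by design
    # Simulated ransomware output: original name plus an appended extension, random body.
    (root / "finance" / "budget.xlsx.k3j9x").write_bytes(os.urandom(4096))
    (root / "contracts.docx.k3j9x").write_bytes(os.urandom(4096))
    (root / "finance" / "k3j9x-readme.txt").write_text(
        "Your files are encrypted. To decrypt them pay 0.5 BTC to the address below.\n"
    )


def run_demo() -> dict:
    """Build the constructed sample in a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The entropy check alone would misfire on archives and images, which is why the known-high-entropy extensions are excluded; conversely, a real tool would also key on the specific note filename and appended extension of the family it is hunting, which this generic version deliberately does not assume.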