Kaseya Ransomware Attack Hits 17 Countries Affecting “Thousands”

The ransomware attack that is being perpetrated by the REvil gang is now being called “the single biggest global ransomware attack on record,” with thousands of victims in at least 17 different countries breached with ransomware:

A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported… The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit. In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported…

CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.” Voccola said in an interview that only between 50-60 of the company’s 37,000 customers were compromised. But 70% were managed service providers who use the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks…

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a “zero day,” the industry term for a previously unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing. “The level of sophistication here was extraordinary,” he said. When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn’t just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software…

Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.

This was bad over the weekend. It is now much worse.

This attack highlights the fact that hackers are ready and waiting to exploit lax security and unpatched vulnerabilities to devastating effect. It also shows the importance of securing not just your own organization, but your supply chain too. Organizations must closely examine their suppliers’ security protocols, and suppliers must hold themselves accountable, ensuring that their customers are defended from the ever-growing barrage of malicious attacks. Otherwise, you get this situation and the fallout related to it.

UPDATE: I got a comment from Max Heinemeyer, Director of Threat Hunting, Darktrace:  

The kind of attack launched against Kaseya this weekend is not new, but it is devastatingly effective. Like the campaign against SolarWinds last year, attackers compromised Kaseya software to initiate a supply chain attack by disguising malicious software (ransomware) as legitimate and implanting it onto endpoints / devices of potentially thousands of businesses.  

As news emerges that REvil are now demanding a total of $70 million in ransomware payment, we can expect the debate to once again focus on the question of whether ransom demands should be met or not. This is inevitable in the immediate aftermath but we must urgently turn our attention to how we stop attacks from evolving into crises and before ransom is demanded.  

These kinds of software supply chain attacks can spread like wildfire and are virtually impossible to detect with traditional security tools because the trusted, but compromised, supplier is already inside.  

The trickle-down effect of this attack will undoubtedly yield more victims than those currently named, and will even impact organizations that have no direct relationship with Kaseya. The broad-ranging impact these attacks have also means they are far more likely to be replicated.  

Our dependence on software is fast becoming a major security weakness. Organizations that are effectively building resilience against fast-moving supply chain attacks are those leveraging self-learning technologies to continually identify malicious activity – even if it originates outside the organization – and respond with proportionate, surgical action. 

One Response to “Kaseya Ransomware Attack Hits 17 Countries Affecting “Thousands””

  1. […] member of the group has been arrested and charged in relation to attacks against tech company Kaseya earlier this […]

Leave a Reply

%d bloggers like this: