On July 2, 2021, the IT solutions provider Kaseya announced that it had become the victim of a massive ransomware attack. The Kaseya attack ultimately affected thousands of businesses around the world that use Kaseya’s software solutions and promises to change how we deal with similar cyberattacks in the future.
Understanding the Attack
What exactly was the Kaseya ransomware attack – and how did it affect so many different businesses? Some background is in order.
What is Kaseya?
Kaseya is a privately-held software company based in Dublin, Ireland. It has a presence in ten different countries, including U.S. headquarters in Miami, Florida. The company employs about 1,300 people and generates around $360 million in annual revenue.
The company provides various software tools for use by managed service providers (MSPs) and other enterprises. One of its most popular tools is VSA, which automates remote monitoring and management tasks for networks and endpoints. It’s estimated that Kaseya’s software is used by more than 40,000 organizations worldwide, although its MSP tools influence an even larger global software supply chain.
How Did the Attack Happen?
The FBI, in an official notice, described what happened as a “supply chain ransomware attack” that leveraged a vulnerability in Kaseya’s VSA software. The attack was targeted at multiple MSPs and their many customers.
The attack appears to have exploited a zero-day authentication bypass vulnerability in the VSA software’s web interface. This enabled the attackers to evade the software’s normal authentication controls and open an authenticated session. They then uploaded a malicious payload – a fake management agent update dubbed “Kaseya VSA Agent Hot-fix” – and pushed it to multiple MSP client systems.
This ransomware then encrypted the files of hundreds of businesses. The attackers, believed to be the Russia-based REvil criminal group, then issued their ransom demand – a total of $70 million in Bitcoin to restore the encrypted data at all affected businesses.
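Two defender-side checks that follow from the sequence above, written as an added example (not Kaseya’s or the FBI’s code): flag RMM sessions that start without a preceding login event, and flag a single deployment job that fans out to many endpoints within a short window. The audit-log format, user names and host names are constructed for this example; only the “Kaseya VSA Agent Hot-fix” job name comes from the article.

```python
"""Detect two indicators of an RMM-based supply chain compromise:
sessions with no preceding login (authentication bypass) and one
deployment job pushed to many endpoints at once (mass agent update)."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2021-07-02T14:00:01 LOGIN_OK user=admin session=s1
2021-07-02T14:00:05 SESSION_START user=admin session=s1
2021-07-02T14:10:00 SESSION_START user=svc_deploy session=s9
2021-07-02T14:10:30 AGENT_DEPLOY session=s9 job="Kaseya VSA Agent Hot-fix" endpoint=ws01
2021-07-02T14:10:31 AGENT_DEPLOY session=s9 job="Kaseya VSA Agent Hot-fix" endpoint=ws02
2021-07-02T14:10:33 AGENT_DEPLOY session=s9 job="Kaseya VSA Agent Hot-fix" endpoint=ws03
2021-07-02T14:10:40 AGENT_DEPLOY session=s9 job="Kaseya VSA Agent Hot-fix" endpoint=ws04
2021-07-02T15:00:00 AGENT_DEPLOY session=s1 job="Patch Tuesday" endpoint=ws05
2021-07-02T15:20:00 AGENT_DEPLOY session=s1 job="Patch Tuesday" endpoint=ws06
"""

def parse(line):
    """Split one audit line into (timestamp, event, {key: value})."""
    ts, event, *kv = shlex.split(line)  # shlex keeps quoted job names whole
    fields = dict(tok.split("=", 1) for tok in kv)
    return datetime.fromisoformat(ts), event, fields

def find_unauthenticated_sessions(lines):
    """Session ids that started without an earlier LOGIN_OK for that id."""
    logged_in, suspicious = set(), []
    for line in lines:
        _, event, f = parse(line)
        if event == "LOGIN_OK":
            logged_in.add(f["session"])
        elif event == "SESSION_START" and f["session"] not in logged_in:
            suspicious.append(f["session"])
    return suspicious

def find_mass_deployments(lines, window=timedelta(minutes=5), threshold=3):
    """Jobs pushed to at least `threshold` distinct endpoints within `window`."""
    by_job = defaultdict(list)  # job name -> [(timestamp, endpoint)]
    for line in lines:
        ts, event, f = parse(line)
        if event == "AGENT_DEPLOY":
            by_job[f["job"]].append((ts, f["endpoint"]))
    flagged = {}
    for job, events in by_job.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {ep for t, ep in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[job] = len(hosts)  # widest fan-out seen in one window
                break
    return flagged
```

In the constructed sample, session s9 has no login event and the “Hot-fix” job reaches four endpoints in ten seconds, while the routine “Patch Tuesday” job stays below the threshold.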
Who Was Affected?
Kaseya officials believe that the attack has affected 30 MSPs and somewhere between 800 and 1,500 businesses worldwide. Many of the companies affected are small firms, although the attack also completely shut down the Swedish Coop supermarket chain by crashing all of its cash registers.
How the Kaseya Ransomware Attack Changes Everything
While the situation is still evolving, it is likely that the Kaseya ransomware attack will have a major impact on cybersecurity going forward. It was, in many ways, a remarkably revolutionary attack.
MSP Supply Chain Attacks
One of the significant aspects of the Kaseya attack is that the perpetrators fed their ransomware to multiple MSPs. This affected the tech supply chain, enabling the attackers to infiltrate literally thousands of independent systems downstream. It’s an incredibly efficient way to attack large numbers of victims with a single infiltration.
Note that while the Kaseya incident is not the first ransomware attack on managed service providers, it is by far the largest. For example, in 2019 ransomware distributed via MSPs crippled the networks of 22 cities in Texas. Another MSP-based attack that same year hit 400 dental offices in the U.S.
More Sophisticated Attacks
Another major factor in the Kaseya attack was its technical sophistication. The technology and techniques behind the attack were not trivial – the attack took time, skill, and resources to pull off.
Experts say that the Kaseya incident is the first ransomware attack to exploit a zero-day vulnerability. Zero-day attacks are more typically used by nation-states engaging in cyberespionage to steal state secrets. It’s the first time such attack technology has been used by financially motivated cybercriminals.
Pulling off a zero-day attack takes time, money, and resources – something cybercriminals haven’t had to date. The fact that an attack of this magnitude was carried out by a criminal group indicates that ransomware attacks are getting lucrative enough to warrant the efforts expended. The profits generated by previous attacks were used to finance the larger, more complex Kaseya attack – which, in turn, is likely to generate even more money for the cybercriminals.
Going Forward: More Sophisticated Attacks Require More Sophisticated Cybersecurity Measures
As ransomware attacks from REvil and other criminal groups become more sophisticated, companies need to step up their cybersecurity protections to match. This is especially true for managed service providers, where a single security breach can affect hundreds, if not thousands, of client systems.
To that end, CISA and the FBI have offered the following guidance to mitigate future ransomware attacks:
- Implement multi-factor authentication on all accounts and customer-facing services
- Limit communication with remote monitoring and management (RMM) services
- Place RMM administration behind a VPN or firewall
- Make sure all backups are up-to-date and stored in an air-gapped location
- Disable automatic software patches in favor of manual patch management
- Implement least privilege access for key network resources
The Kaseya ransomware attack has demonstrated that large-scale sophisticated attacks, especially those focusing on MSPs, are the new normal. Companies and organizations have to take action now – including adopting a secure communications platform with end-to-end encryption, such as that offered by Wickr – to protect against the next round of such cyberattacks.