Days back in Miami, a gigantic cyberattack hit one of the top purveyors of IT management solutions to thousands of enterprises and MSPs - Kaseya. The company fell victim to a ransomware attack by the REvil group which culminated in a massive supply chain attack potentially impacting thousands of enterprises.
From a $70 million ransom demand to delays in patch release by Kaseya, here are the top facts about the incident.
The affected and the unaffected
- Victims of the attack spanned from pharmacies to kindergartens across 17 countries, with businesses in the U.S., Germany, Canada, Australia, and the U.K taking major hits. According to Kaseya, 50–60 of its customers were impacted. The rest of the thousands were caught in the whirlwind.
- Uninfected Kaseya customers were not really immune to the domino effect. Over 36,000 MSPs were left without access to Kaseya‘s VSA product for at least four days while it worked on patch release.
A $20 million twist
- The REvil ransomware gang initially demanded $70 million to distribute a universal decryptor for all the victims.
- However, in a private conversation with Jack Cable of the cybersecurity-focused Krebs Stamos Group, hackers lowered their demand to $50 million.
- Experts opine that some companies can recover on their own, which can further bring down the ransom demand.
- Moreover, hackers also turned to individual firms impacted in the attack and asked for $45,000–$5 million in ransom.
Before sorting it out
- On July 6, the CISA and FBI released guidance for the victims of the supply chain attack and shared tips on how to mitigate the impacts of the threats.
- Authorities also urged victims and their clients to refer to the Kaseya VSA detection tool that helps analyze a system and rummage for IOCs. It also enables and enforces MFA on each account of an organization.
A missed patching opportunity
- Victor Gevers, chairman of the Dutch Institute for Vulnerability Disclosure, claimed that the firm informed Kaseya about a serious cybersecurity hole, which was used in the recent supply chain attack, on April 6.
- The researcher, reportedly, discovered seven vulnerabilities affecting on-premises VSA with six of them concerning the SaaS version of VSA.
Finally the patch!
- A cybercriminal group was spotted disguising a spam campaign as Kaseya VSA security updates in an attempt to target and infect the victims of the ransomware attack.
- The next day Kaseya issued an alert to warn customers about the phishing campaign.
- On Sunday, Kaseya released the long-awaited patch for its on-premises versions of VSA remote monitoring and management software.
Closing thoughts
While it may seem like a straightforward matter to some, the dilemma of whether to pay or not to pay ransomware operators has kept experts puzzled for years. Recently, Colonial Pipeline paid $4.3 million to DarkSide and JBS shelled out $11 million to REvil in June. While Kaseya and other victim firms go past this nightmare and their operations return to normal without having to pay ransoms, let’s hope for law enforcement to make some strides to dismantle malicious operations, one by one.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/5b64_shutterstock_1518513968.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/2bc3_shutterstock_89996.jpg)
