At a Glance
REvil, a cybercriminal group, used flaws in Kaseya’s update system to target hundreds of businesses in a devastating ransomware attack. The ransom demand is the highest in recent memory, and if paid, it will be the most expensive ransom ever paid in response to a cyberattack. The attackers hit MSPs’ Kaseya infrastructure, then the MSPs inadvertently distributed malware to their clients by seeding their ransomware using Kaseya’s trusted distribution method.
REvil, a cybercriminal gang, hit hundreds of businesses in a devastating ransomware attack by exploiting weaknesses in the update mechanism of IT services software company Kaseya. The incident is both a ransomware attack and a supply-chain attack. Reports suggest that REvil could have Russian links.
This ransomware attack impacted at least hundreds, if not thousands, of enterprises worldwide, including a railway, a pharmaceutical network, and hundreds of Coop grocery store locations in Sweden.
Kaseya creates software for managing business networks and devices, which it then sells to other firms known as “managed service providers (MSPs).” Small and medium enterprises and any institution that does not wish to maintain its own IT infrastructure use MSPs.
Attackers infected MSPs’ Kaseya infrastructure and then watched the chain reaction as those MSPs unwittingly disseminated malware to their clients by seeding their ransomware via Kaseya’s trusted distribution method.
What’s interesting about this and concerning is that REvil used trusted applications in every instance to get access to targets. Usually, ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords. This is a step above what ransomware attacks usually look like.
Sean Gallagher, a Sophos senior threat researcher
The timing of the attack was terrible because security experts had previously discovered the underlying weakness in the Kaseya update mechanism. The Dutch Institute for Vulnerability Disclosure’s Wietse Boonstra collaborated with Kaseya to create and test fixes for the issue. The patches were almost ready to be released, but they had not yet been deployed when REvil struck.
Kaseya CEO Fred Voccola issued a statement on Friday evening saying that the number of MSPs affected is expected to be less than 40, and the company is working on a fix to address the issue.
While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability.
Fred Voccola, CEO, Kaseya
Mr. Voccola added that the company’s SaaS clients were never in danger and that only a tiny fraction of its customers were affected.
Despite all this, Kaseya has been regularly giving updates regarding the attack and its actions to prevent further damage. The company said in a statement, “Our efforts have shifted from root cause analysis and mitigating the vulnerability to beginning the execution of our service recovery plan.”
The latest update is that the REvil gang has now made a blanket ransom demand on its well-known dark web site, the Happy Blog. According to the post, the REvil gang, also known as Sodinokibi, has asked for a $70 million payment to unlock “more than a million systems.” The ransom demand came two days after the attack.
According to news reports, the ransom demand is the largest in recent memory, and if paid, it will be the largest ransom ever paid in response to a cyberattack. The Kaseya ransomware attack is also one of the most significant known cyberattacks to date, and its scope is alarming in terms of the attack’s sophistication, its scale, and the total cost that businesses may incur to recover and work around their encrypted data – even if the demanded ransom is not paid.