Kaseya Ransomware Attack: Hackers Demand USD 70 Million in One of the Largest Cyberattacks!

It goes without saying that cybercriminals are relentlessly burning the midnight oil to perpetrate their crimes.

Even before the news of the recent ransomware attacks that crippled a major gas pipeline and a meat processor in the US had faded away, a new and far more severe assault sent shock waves across the world.

This time, on July 2, 2021, the cybercriminals zeroed in on Kaseya, a Miami-based IT software company. The victimized organization provides IT management tools to managed service providers and IT outsourcing companies worldwide.

The cybercriminals are believed to be affiliated with the notorious REvil gang. They targeted Kaseya’s Virtual System Administrator (VSA) software and exploited several vulnerabilities in it to execute a supply-chain attack. VSA is a remote monitoring and management tool used by many large companies and technology service providers to monitor their systems and to automatically manage and distribute software updates. That is what makes the attack a supply-chain attack: because VSA is trusted to push software to every endpoint it manages, compromising a VSA server gave the attackers a path into all the systems behind it.

REvil, best known for extorting an USD 11 million ransom from the meat giant JBS, has demanded USD 70 million from Kaseya in exchange for a universal decryptor that would unscramble all affected systems.

“We are always ready to negotiate,” REvil told Reuters.

However, Kaseya CEO Fred Voccola declined to comment on the demand.

“I can’t comment ‘yes,’ ‘no,’ or ‘maybe,’” Voccola said when asked whether his company would make a deal with hackers. “No comment on anything to do with negotiating with terrorists in any way.”


The Impact

The Kaseya attack appears to be the largest ransomware attack on record. Around 1,500 companies in at least 17 countries were directly affected. Many more, across Kaseya’s base of roughly 37,000 customers, were disrupted because Kaseya shut down its SaaS servers entirely. It also directed its on-premises customers to take their VSA servers offline and, to date, has not cleared them to bring those servers back online.

The tremors have been felt most keenly in Sweden, where a prominent supermarket chain closed most of its 800 stores because its cash registers were crippled. A Swedish gas station chain, a pharmacy chain, the state railway and the public broadcaster SVT were also hit.

Likewise, many schools and kindergartens in New Zealand suspended their activities.

A German IT company and two major Dutch IT services companies, VelzArt and Hoppenbrouwer Techniek, were also among the affected parties.

“Around 50-60 of our 37,000 customers were directly compromised by this attack. But 70% of these customers are managed service providers who use the company’s hacked VSA software to manage multiple other companies. Thus, the total impact has been around 1,500 downstream customers,” Kaseya said.

“We’re not looking at massive critical infrastructure,” said CEO Voccola. “That’s not our business. We’re not running AT&T’s network or Verizon’s 911 system. Nothing like that.”


REvil’s Evil Strategy

Cybersecurity experts say that REvil deliberately timed the attack to the Fourth of July holiday weekend, knowing that American companies would be lightly staffed. Many victims would not notice the compromise until work resumed on Monday, giving the attackers ample time before anyone responded.

“This attack is a lot bigger than they expected, and it is getting a lot of attention. It is in REvil’s interest to end it quickly,” said Allan Liska, a cybersecurity analyst. “This is a nightmare to manage.”

How Kaseya Responded to the Attack


Upon learning of the attack on Friday, Kaseya preemptively shut down its SaaS servers and instructed all of its on-premises customers to shut down their VSA servers immediately.

The company then engaged its internal incident response team and leading industry forensic experts to identify indicators of compromise (IoCs).

Meanwhile, Kaseya also notified law enforcement and government cybersecurity agencies, including the FBI and CISA.

“Due to our teams’ fast response, we believe that the attack has been localized to a very small number of on-premises customers only,” the company said.

“We continue to engage with industry experts to assess the manner and impact of the attack and ensure that our R&D organization has properly identified and mitigated the vulnerability.”

“We are confident we understand the scope of the issue and are partnering with each client to do everything possible to remediate. We believe that there are zero related risks right now for any VSA client who is a SaaS customer or on-prem VSA customer who has their server off.”

By Saturday night, the company had rolled out a new ‘Compromise Detection Tool’ to almost 900 customers. The tool analyzes a system, either a VSA server or a managed endpoint, and determines whether any of the known IoCs are present.

Moreover, the company also developed a patch for on-premises customers, which is now going through testing and validation.
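To make concrete what a compromise detection tool of the kind described above actually does, here is an added example of a minimal IoC sweep. It is illustrative code written for this page, not Kaseya’s tool, and the indicator set, file names and file contents it uses are constructed placeholders, not indicators from the real incident; a real sweep would load its indicators from the vendor or agency advisory instead.

```python
"""
Minimal IoC sweep: walk a directory tree and flag files that match an
indicator set by file name, by path fragment, or by SHA-256 digest.

Added example for illustration; not Kaseya's Compromise Detection Tool.
Every indicator and sample file below is CONSTRUCTED for the demo.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class IocSet:
    """Indicators of compromise, grouped by how they are matched."""
    sha256: set[str] = field(default_factory=set)        # lowercase hex digests
    filenames: set[str] = field(default_factory=set)     # lowercase base names
    path_fragments: set[str] = field(default_factory=set)  # lowercase, '/'-separated


@dataclass
class Finding:
    path: str
    indicator_type: str   # "sha256", "filename" or "path"
    indicator: str


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs: IocSet) -> list[Finding]:
    """Return one Finding per (file, indicator) match under root."""
    findings: list[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            # Normalise to a '/'-separated relative path so fragments match on any OS.
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/").lower()
            if name.lower() in iocs.filenames:
                findings.append(Finding(full, "filename", name.lower()))
            for fragment in iocs.path_fragments:
                if fragment in rel:
                    findings.append(Finding(full, "path", fragment))
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable file (locked, permission denied): skip, do not abort the sweep
            if digest in iocs.sha256:
                findings.append(Finding(full, "sha256", digest))
    return findings


# Constructed indicator set (placeholders, not real-incident IoCs).
SAMPLE_IOCS = IocSet(
    sha256={hashlib.sha256(b"constructed malicious payload").hexdigest()},
    filenames={"dropper.bin"},
    path_fragments={"/staging/"},
)


def build_sample_tree(root: str) -> None:
    """Create a constructed directory tree: one clean file and one hit per indicator type."""
    samples = {
        "reports/q2.txt": b"quarterly report",                    # clean
        "tmp/update.dat": b"constructed malicious payload",       # matches by SHA-256
        "tmp/dropper.bin": b"benign bytes, suspicious name",      # matches by file name
        "work/staging/run.ps1": b"Write-Host 'noop'",             # matches by path fragment
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(content)


def demo() -> list[Finding]:
    """Build the constructed tree in a temp dir, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, SAMPLE_IOCS)


if __name__ == "__main__":
    results = demo()
    for finding in results:
        print(f"[{finding.indicator_type}] {finding.path} <- {finding.indicator}")
    # Non-zero exit when anything matched, so the sweep can gate a server restart.
    raise SystemExit(1 if results else 0)
```

Two design points matter in practice: the sweep keeps going past unreadable files rather than aborting, because a locked or permission-denied file is itself worth noting and must not hide the rest of the results, and the exit code is non-zero on any hit so the check can be wired into a “do not bring this VSA server back online until it reports clean” step.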


Ransomware Attacks in the Spotlight


Ransomware attacks are fueling a global cybercrime spree, with high-profile businesses falling prey one after another.

The ransomware spree shot into the spotlight in May, when an attack led Colonial Pipeline to shut down its entire network. Even before the dust had settled, meat processor JBS fell victim to REvil. And now Kaseya.

Cutting to the chase, the million-dollar question is: Is your firm safe? The recent attacks show that no firm is immune to cyber threats. So how can you protect your business from such cybercrimes?

Partnering with cybersecurity service providers like StealthLabs can help you stay one step ahead of your cyber adversaries. Join forces with us and secure your business for it is better to be safe than sorry.
