Why Does It Matter?
For most observers, this attack marks a substantial increase in the size of ransom demands: $70 million. Even if Kaseya does not pay, the demand is evidence that future ransoms may increase exponentially.
(For TeamWorx:) Kaseya is comparable to TeamWorx or FireEye in that it develops SaaS, and its infection could swiftly trickle down the supply chain from partners/vendors to the partners' own clients. An attack similar to the one on Kaseya is within the realm of possibility for a company like TeamWorx.
On July 2, 2021, Kaseya was alerted to suspicious activity involving its VSA service. It immediately shut down the service, impacting its customers' clients' businesses. The ransomware affected approximately 50 of Kaseya's direct clients, who in turn provide IT services to approximately 800 – 1,500 small businesses around the world (although one unnamed private investigation estimates over 2,000 businesses affected).
- CVE-2021-30116: the specific, zero-day vulnerability exploited in this attack. Details are not currently publicized.
- Ransomware: an attack in which infected devices have their data encrypted and scheduled for destruction, with the decryption key known only to the attackers.
- Supply Chain: compromising a party high in a hierarchy in order to infect downstream groups, like a domino effect.
There are several categories of victims in this case. The small businesses receiving IT services from Kaseya's 50 infected clients have been hurt the most because they (1) lost time to conduct their respective business while the service was down and (2) surely have no way to pay the $70 million ransom. Kaseya's 50 direct customers have been affected by their inability to act for their clients, possibly hurting their reputation and their ability to acquire new clients. Kaseya was affected by being forced to take responsibility, by having to choose whether to pay, and possibly by damage to its reputation with prospective customers as well.
The criminal group REvil took responsibility for the attack. The same group is responsible for the JBS attack last month and provides ransomware as a service.
What Has Been Done:
Kaseya stopped its infected service immediately to prevent further spread to additional devices. It promptly contacted Homeland Security and the FBI. Kaseya then provided scanning and patching tools to all of its customers and delivered frequent updates.
If it Were Me:
Ransomware is an attack that should just be paid and represents a major function of cyber insurance. Kaseya has addressed the situation well, in my opinion. I do not believe I would do anything differently.
"CVE-2021-30116." MITRE. July 2021. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116.
Duffy, Clare. "A massive ransomware attack hit hundreds of businesses. Here's what we know." CNN Business. 7 July 2021, 12:20. https://edition.cnn.com/2021/07/06/tech/kaseya-ransomware-what-we-know/index.html.
Goodin, Dan. "Up to 1,500 businesses infected in one of the worst ransomware attacks ever." Ars Technica. 6 July 2021, 16:48. https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/.
Moyer, Edward. "Ransomware attack on Kaseya, a software firm, threatens businesses worldwide." CNET. 4 July, 16:06. https://www.cnet.com/tech/services-and-software/ransomware-attack-on-kaseya-a-software-firm-threatens-businesses-worldwide/.
Paul, Kari. "Who's behind the Kaseya ransomware attack – and why is it so dangerous?" The Guardian. 7 July 2021, 1:00. https://www.theguardian.com/technology/2021/jul/06/kaseya-ransomware-attack-explained-russia-hackers.
"Updates Regarding VSA Security Incident." Kaseya. 8 July 2021, 13:30. https://www.kaseya.com/potential-attack-on-kaseya-vsa/.