Kaseya Ransomware Attack: How It Happened and What You Need to Know
A particularly aggressive cyber attack on Kaseya during the pandemic resulted in ransomware attacks on over 1,000 companies in their supply chain. IntelliSecure explores what happened and what could have been done to mitigate the damage.
What is Kaseya?
Kaseya is a leading enterprise IT firm specialising in software development for managing networks, systems, and IT infrastructure, including its flagship product, Kaseya Virtual System Administrator (VSA). VSA is a powerful remote monitoring and management software designed to provide security solutions to customers globally. It is primarily used by Managed Service Providers (MSPs) to manage their customers' IT infrastructure remotely.
What happened in the ransomware incident?
On the 2nd of July 2021, Kaseya was informed that customers experienced unusual behaviour on endpoints managed by the Kaseya VSA server, and several machines were subject to a ransomware attack. The indication was that Threat Actors had been able to exploit a zero-day vulnerability on the customer-run on-premises servers. This means that the vulnerability had not previously been seen, although, since the incident, there are reports that this vulnerability had been reported several years earlier.
The REvil group claimed responsibility for the incident and demanded $70 million in Bitcoin in exchange for a universal decryptor. The Kaseya attack is reminiscent of the SolarWinds attack, in which the malicious threat actor used remote code execution to deploy ransomware to endpoint machines. Data at many organisations was left encrypted and inaccessible. According to Kaseya, around 60 organisations were directly affected, although the downstream impact was far more extensive because MSPs manage the IT infrastructure of many organisations. To mitigate the risks and assist affected customers, Kaseya issued a security advisory urging all its customers to shut down their VSA servers immediately.
What is a Supply Chain Attack?
A supply chain attack targets a service provider so that updates bundled with ransomware are sent on to its customers, leaving them compromised. Rather than directly infiltrating an organisation, a supply chain attacker exploits a third party's trusted access, gaining a hold on an entire environment rather than just one company.
It is worth mentioning that there is mixed opinion about whether the Kaseya incident was a supply-chain attack. Much information suggests that it involved a vulnerability in VSA servers that attackers exploited.
The attackers used code injection into Kaseya's updates that were pushed out to its clients, resulting in the compromise. This incident was different in that an unknown vulnerability in servers already running in the client environment was exploited. This left those servers able to execute malicious processes, and many devices were encrypted, with large amounts of data rendered unavailable.
What is the impact of these attacks?
The Kaseya incident caused widespread damage to clients who considered their cybersecurity a priority. The incident compromised servers, resulting in compromised endpoint machines managed by those servers. Many victims were affected through little or no fault of their own.
Courtesy of Truesec
What could Kaseya have done to reduce the impact?
Many articles are available on this matter, including articles from cybersecurity journalist Brian Krebs that indicate that Kaseya was made aware of the vulnerability in 2015. There are several measures that Kaseya could have taken to reduce the impact of the incident:
Patching the vulnerability: If Kaseya had identified and patched the vulnerability, the attackers would not have been able to exploit it to gain access to customer systems.
Timely communication: Kaseya could have communicated the incident to its customers promptly and transparently. This would have allowed them to take necessary measures to secure their systems and data.
Regular backups: Kaseya could have reduced the impact of the incident by encouraging its customers to maintain regular backups of their data. This would have enabled affected customers to restore their data from backups rather than paying the ransom.
Security awareness training: Kaseya could have provided security awareness training to its customers to educate them on the importance of cybersecurity best practices such as strong passwords, regular software updates, and suspicious email detection.
Incident response planning: Kaseya could have had a comprehensive incident response plan to help them respond quickly and effectively to security incidents, minimizing the impact on their customers and their business.
Don't pay the ransom. Use the time to recover your data and get your systems back online.
Manish Chawda
Exploiting a Zero-Day Vulnerability
A zero-day exploit is simply one that has never been seen or reported before. Normally, when a vulnerability is identified, it is publicly registered, given a Common Vulnerabilities and Exposures number (CVE), and patched to remove it. In the Kaseya incident, it was reported that the vulnerability had not been seen before and existed in the on-premises servers.
REvil: Leading "Ransomware-as-a-Service" Providers
There is little known about REvil as it is a criminal organisation that maintains its anonymity for obvious reasons. However, they are believed to be based in Russia because they do not actively target victims in Russia.
Courtesy of CERT NZ
REvil provides ransomware as a service, which means that rather than spending all their time launching attacks, they lease out their expertise and infrastructure to other criminals. This gives even those without technical ability a means to profit from ransomware. In return, REvil takes a dividend of the paid ransom.
What is RaaS, and how does it work?
Ransomware as a service (RaaS) adopts the software-as-a-service model: criminal groups rent attack tools over the dark web, and the developer who created the tool receives a dividend or a 'fixed subscription cost', normally around 20-30% of the ransom. The first known ransomware as a service was Stampado, a ransomware rental offering lifetime access for $39 on the dark web.
While ransomware initially involved encrypting the victim's data and demanding a ransom, companies got smarter and created backups, so they could restore their data on their own. Attackers then raised their game and introduced double extortion, in which threat actors exfiltrate the data, encrypt the client's copy, and threaten to expose it if the ransom is not paid.
However, times have changed, and a triple extortion model has emerged. Attackers download and encrypt the data and threaten to expose it if the ransom is unpaid, demanding that the victim pay or see the information released or sold on the dark web.
Suppose a global security solution provider can fall victim to a ransomware incident. In that case, it is likely to be a case of when, and not if, your organisation will be a victim of a cyber incident.
Do I need to be worried?
Research shows that this vulnerability was only present on Kaseya VSA on-premises servers. Therefore, if you are not a Kaseya VSA user and do not have an on-prem VSA server, then there is no cause for concern.
But this is a wake-up call to take cybersecurity extremely seriously and to remember that it is likely to be a case of when, not if, your organisation will be a victim of a cyber incident.
What does IntelliSecure recommend?
It is strongly advised not to pay a ransom in the event of a ransomware attack. However, this can be a contentious issue and may depend significantly on the circumstances surrounding the attack. Seeking professional assistance is highly recommended if you are affected by ransomware. Even if you can decrypt your data, identifying the root cause of the attack and closing the attack vector is critical to preventing future incidents.
At IntelliSecure, we are experts in investigating ransomware incidents and conducting thorough forensic analyses to determine the root cause of the attack. Our experienced CIRT team works closely with our clients to contain and eradicate the threat actor. If you are experiencing a similar issue or want to discuss your Incident Response plan, please get in touch with us directly.
What is the intelligent way to reduce the risk or prevent this from happening to your business?
There are several pragmatic ways to reduce the risk of a ransomware attack or prevent it from happening to your business:
• Utilise reputable anti-virus software and keep it updated. Activate the auto-update feature to protect you against the latest threats.
• Update your software regularly and address vulnerabilities. Cybercriminals frequently exploit outdated software to gain access to your system, so it is crucial to keep your software up to date and resolve any known vulnerabilities.
• Employ robust passwords and apply Multi-Factor Authentication (MFA) on all accounts. Weak passwords can be easily compromised, and MFA adds an extra layer of security to deter unauthorised access.
• Ensure you back up your data regularly, including the operating system, applications, and files. Adhere to the 3-2-1 backup rule: maintain three copies of your data, with two backups and one production version. Store one of these backups off-site, such as in the cloud.
Alongside these preventive measures, an incident response plan is vital. Use a professional incident response team like IntelliResponse. They can offer you the necessary support should an attack occur and assist you in containing the attack, identifying the root cause, and eliminating the threat actor. Training your employees in good cyber hygiene practices and updating them about the latest threats is also essential. By taking these steps, you can significantly minimise the risk of a ransomware attack and protect your business from potential harm.
Download our comprehensive guide to protecting your business from ransomware attacks: