Businesses and governments around the world are scrambling to understand the major ransomware attack that strategically hit over the Independence Day long weekend, which has affected more than 1,500 companies. In recent months, cybercriminals have increasingly targeted organizations that play critical roles across a broad array of the US economy. Kaseya, a multimillion-dollar tech company, has been making recent headlines as the latest victim. In the midst of the disruption, Kaseya released a warning that spammers are using the news about the incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments. Do not click on any links or download any attachments claiming to be a Kaseya advisory. Moving forward, Kaseya email updates will not contain any links or attachments. Spammers may also be making phone calls claiming to be a Kaseya Partner reaching out to help. Kaseya IS NOT having any partners reach out – DO NOT respond to any phone calls claiming to be a Kaseya partner.
What is Kaseya?
Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm's software is designed with enterprises and managed services providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain.
What happened?
On Friday July 2nd, around 2:00 PM EST, Kaseya was alerted to a potential attack involving a remote management software called VSA. Within an hour, Kaseya promptly shut down access to that software in an effort to stem the attack's spread. CEO, Fred Voccola, took extra caution and urged clients to immediately shut down their VSA servers. As Kaseya's Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By Saturday, U.S. officials said they were tracking the attack. In effort to be transparent with their customers, Kaseya released an overview of the attack and explained that the attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified. Experts say it's not the number of victims that's keeping them up at night – the gang used a level of planning and sophistication closer to high-level, government-backed hackers, rather than a mere criminal operation.
What is ransomware and who was behind it?
Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim's system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key.
The hackers behind the Kaseya incident? – The Russian-speaking ransomware gang REvil. REvil, likely best known for hacking JBS, one of the world's largest international meat suppliers, has been active since at least early 2019. Like a number of other gangs operating on Russian territory, REvil has made a fortune in recent years by hacking individual organizations, locking their computers, stealing their files, and demanding a payment to fix things and not leak what they stole. REvil said that they would be willing to provide a universal decryptor for victims of the attack, but under the condition that they be paid $70,000,000 worth of BitCoin.
Strategic timing
It's not surprising that the attack hit just ahead of a major holiday weekend. Experts say holidays and long weekends are the best times for hackers to execute ransomware attacks because it gives them more time to encrypt files and devices before anyone has a chance to notice and respond. Executing the attack during the Independence Day long weekend was a strategic intentional move.
U.S. government intervention
On Saturday, CNN reported that President Joe Biden met with the intelligence community, discussing ways to stop the hackers. On Tuesday he seemed optimistic, expressing that damage to U.S. businesses in the biggest ransomware attack on record appears minimal, though information remains incomplete. White House spokeswoman Jen Psaki held out the prospect of retaliatory action. What Biden told President Vladimir Putin in Geneva last month still holds, she said: “If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.” The White House has urged companies who believe their systems were compromised by the attack to immediately report it to the Internet Crime Complaint Center.
Next steps
Lloyd is taking the situation very seriously and remaining proactive while Kaseya remains down. Lloyd Group is still able to monitor the health of our clients leveraging our managed backup services and managed endpoint services.
We have also started expanding our advanced monitoring system powered by Logic Monitor. We have started to deploy this to clients and will continue/finish the deployment today so that monitoring is set up for your on-premises or cloud servers and devices for which we have access. This is independent of Kaseya and will give a backup for the Kaseya Monitoring.
Kaseya announced that all on-premises VSA Servers should continue to remain offline until further instructions about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA. Kaseya stated that there will be new security measures implemented including enhanced security monitoring of their SaaS servers by FireEye and enablement of enhanced WAF capabilities. They have successfully completed an external Vulnerability Scan, checked their SaaS Databases for Indicators of Compromise, and have had external security experts review their code to ensure a successful service restart. As of July 8, Kaseya has published two run books, "VSA SaaS Startup Guide," and "On Premises VSA Startup Readiness Guide," to assist clients in preparing for a return to service and patch deployment