On Friday, July 2, 2021, before the American Fourth of July long weekend, affiliates of the REvil RaaS (Ransomware-as-a-Service) threat actors executed a supply-chain attack through Kaseya’s remote IT management software, specifically affecting its Virtual System Administrator (VSA).
Kaseya, whose software platform is designed to help manage IT services remotely, and its affiliated partner researchers were aware of the exploit and were working on a patch when the REvil ransomware was launched. In a sprint between threat actors and security experts, the bad guys won out before a patch could be implemented.
The attack affected hundreds, and likely thousands, of businesses globally, with the REvil ransomware operators demanding USD 70 million in Bitcoin to restore the encrypted data being held captive.
The timing was not coincidental: major cyber attacks similar to this one are carefully coordinated to commence around major holidays, with threat actors anticipating slower response times and generally sparse IT staffing during the attack.
Kaseya released a statement noting that they immediately disconnected their servers and have maintained communication with all of their 36,000+ clients about the incident. Their actions allowed them to contain the breach to fewer than 60 clients; however, of those that were affected, more than 30 were MSPs, which in turn have thousands of their own clients who could be affected.
Who was affected?
The far-reaching impacts of the attack are still being pieced together, as thousands of companies globally were affected. Some larger retailers, such as the Swedish Coop supermarket chain, needed to shut down hundreds of stores because their checkout cash register systems were taken offline.
CISA and the FBI have released Guidance for MSPs and their customers affected by the Kaseya VSA Supply-Chain Ransomware Attack and encouraged all affected organisations to "follow Kaseya's guidance to shut down VSA servers immediately." Kaseya has also been posting regular updates as to their diligent resolution of this vicious attack.
The Kaseya ransomware attack further highlights the vulnerabilities and potentially catastrophic disruptions that all organisations can be susceptible to, with cyber threat actors growing bolder and more sophisticated at an immeasurable pace. With the increasing level of danger in the cyber world, it’s more important than ever to solidify your organisation’s posture and preparedness against the rising cyber threat.
What can be done to protect your organisation from future cyber threats?
The best time to create an Incident Response Plan to combat a cyber attack is before an attack occurs. To that end, Blackpanda recommends a regular Compromise Assessment that sweeps your internal network and endpoints to ensure it is free of threat actors, signs of compromise, and malware. To find out more about Blackpanda Compromise Assessments, reach out to us via our website or email us at email@example.com.
IR-1: The most effective cyber risk management solution for SMEs in Asia
Waiting for an attack to happen before you contact a cyber incident response team can cost precious time and a high hourly fee, which is why pre-purchasing a retained solution is the best way to optimise response time and minimise costs.
Blackpanda’s IR-1 subscription is the most effective solution for small and medium enterprises in Asia Pacific facing limited resources and knowledge in managing cyber breaches. IR-1 aims to help them manage cyber breaches and mitigate their impact by offering a 12-month subscription plan that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services, and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription upon expiry.
Get in touch with us to learn more about IR-1.