On July 2, 2021, Kaseya Ltd., a Florida-based firm that provides software tools to thousands of primarily small and mid-sized businesses, became the latest victim of a high-profile ransomware attack. The attack is believed to have affected as many as 1,500 of Kaseya’s customers throughout the world, including at least 200 businesses in the United States. The attackers, who have claimed association with the Russia-linked REvil ransomware gang, have demanded an astronomical $70 million ransom to restore services for affected businesses.
The Kaseya attack was particularly devastating and effective because it was a supply chain attack, meaning it targeted a type of software that many other companies use to manage and distribute software updates. Thus, the attack not only affected Kaseya, but also potentially all of its customers.
The Kaseya attack appears to be two-pronged:
- First, the threat actors attacked dozens of managed service providers using a “zero day” attack against Kaseya’s Virtual Server Administrator, which is used to send out software updates to systems on Kaseya’s clients’ computer networks.
- Second, the threat actors deployed the REvil ransomware malware to those customers that relied on Kaseya as a managed service provider.
Recent reports indicate that Kaseya may have been aware of certain flaws in their Virtual Service Administrator software and that the company had been attempting to address these flaws before the attack was launched.
Kaseya’s software tools are used predominantly by small and mid-sized businesses, so the majority of victim companies affected globally were smaller businesses, such as dental offices or accountancies. There were, however, many serious repercussions to this attack. For example, Sweden was forced to close hundreds of affected supermarkets, and New Zealand reported that many schools were forced offline.
Earlier this month, President Biden signed an Executive Order establishing baseline cybersecurity standards for U.S. agencies and their software contractors. The Executive Order included mandates for, among other things, multi-factor authentication and data encryption. Similarly, in an effort to reduce attacks, the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a Ransomware Guide to increase awareness of some of the more common methods hackers use to gain entry into a system and how to avoid them.
Details on the specifics of the Kaseya attack are still being released to the public, so it is unknown how the threat actors gained access to Kaseya’s system. Kaseya also has yet to release any information regarding negotiations with the threat actors and whether any ransom has been paid.
This is yet another reminder that no company is immune to attack. Companies must be prepared for possible ransomware attacks and should look not only to their own systems, but also to those of their vendors, business partners, and other companies to which their networks may be connected or associated.