In some ways, the ransomware attack involving Kaseya is a perfectly logical extension of everything we’ve seen since the end of last year with the disclosure of the SolarWinds attacks: the merger of supply chain exploits with ransomware to kickstart distribution, an even higher bar for extortions, and the same overall ecosystem at work. In other words, no surprises.
Unlike in some sports, there’s no timeout and no gentlemanly skunk or mercy rule to call off a one-sided disaster. It’s time for organizations to take stock and improve their game. That begins with understanding what happened in this attack.
On July 2, American software company Kaseya announced that it had learned of a potential security incident involving its VSA unified remote monitoring & management software. It urged customers to disconnect their VSA server until they received further notice from the IT and security management solutions provider.
A day later, Kaseya confirmed that ransomware attackers had targeted its VSA software product. Huntress examined the forensic patterns, ransomware notes, and TOR URL associated with the attack. In doing so, it found evidence to suggest that the REvil/Sodinokibi gang was responsible.
Kaseya said on July 3 that it had isolated the source of the vulnerability behind the attack and that it was working on a patch. As reported by Bleeping Computer, Dutch security researchers had previously reached out to Kaseya about the vulnerability. The company was in the process of validating the patch before rolling it out to customers when the REvil/Sodinokibi gang used the same flaw to stage its attack.
How did REvil/Sodinokibi beat Kaseya to it? It’s entirely possible that they independently discovered the vulnerability, that they were quicker to respond to notifications, or that someone on the inside leaked it intentionally or inadvertently due to a system compromise.
Vulnerability management is not trivial, and it needs urgency from organizations to correct. It generally takes longer to patch systems than it does for an attacker to develop and use an exploit.
Kaseya said on July 3 of the incident that “[o]nly a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.” That might be true, but it appears that the ransomware attack ultimately affected at least 1,500 businesses worldwide. Those victims included a Swedish grocery chain and an unnamed IT services company in Germany, per NPR.
Security researchers told Bleeping Computer that REvil/Sodinokibi was demanding $44,999 from MSP customers affected by the attack and that it was asking $5,000,000 for victims to receive a decrypter from one of the samples.
But then the attackers changed their minds. In an apparent about-face, the REvil/Sodinokibi gang said that they were willing to negotiate the release of a universal decrypter for $70 million. That’s more than what the attackers asked from both Acer and Apple earlier this year.
Why did they do this, you ask? There may be honor among thieves with each other, but to them the rest of the world is simply the cash cow that needs milking. This is not a matter of honor, it’s just business.
We have a highly profitable criminal organization with close to zero risk, no accountability, motivated by greed, and having no scruples. It’s a wonder that their price tag is only at $70 million and not higher. Have we ever seen a company say, “Hey, slow down, we’re making too much money and should stop”? No, we haven’t, and we won’t see it now with a criminal organization, either.
In response, Kaseya had some very difficult arithmetic to do. This is an existential question for them, and it must not be pleasant on the inside. Balanced against the $70 million is the total cost to recover, the need to re-architect, the question of the amount of insurance they have or don’t, the need to regain trust, the almost certain inability to avoid secondary attacks due to the nature of the data harvested, and the follow on attacks that might come from other gangs - or even a repeat attack by the same ransomware cartel.
In fact, a recent Cybereason report titled Ransomware: The True Cost to Business, found that 80% of organizations that paid a ransom were hit by a second attack, and almost half of those were hit by the same threat group.
The Kaseya supply chain attack portends other ransomware incidents that will involve MSPs. As such, it’s time for executives and IT professionals, in addition to the traditional security mandate, to take stock of themselves and ask not just the question of who would want to attack them but who might seek to attack through them.
With great power comes great responsibility, and it’s time for everyone to ask not just the fashionable “how could my supply chain be used against me?” but also “how could I be used against those I supply?”
Using those answers, every MSP out there should be kicking into high gear and recalculating their risk assessments, ensuring their incident response practices are strong, and doing an honest assessment of what they can and can’t do for themselves let alone for their customers.
MSPs aren’t the only ones that need to reevaluate their security. Indeed, if companies everywhere keep hitting the snooze button, eventually they should expect to lose their jobs. If this doesn’t wake organizations up, not much will.
Case in point: the Cybereason ransomware report revealed that 32 percent of organizations reported losing C-Level talent as a direct result of ransomware attacks, and 29 percent reported being forced to layoff employees due to financial pressures following a ransomware attack. The struggle is real.
As with previous attacks, this is another chance for security and IT risk executives to start a new dialog with the heart of their businesses and, most importantly, to get help if they need it from experts in the community. Getting in front of the ransomware threat by adopting a prevention-first strategy for early detection will allow organizations to stop disruptive ransomware attackers before they can hurt the business.