Ransomware Part II: The Kaseya Attack

On July 2nd of this year, a Russia-based, professional hacking group called REvil hit the managed IT service provider Kaseya with a massive ransomware attack, affecting roughly sixty managed service providers and nearly 1500 businesses worldwide. REvil asked for $70 million in ransom to decrypt the files at first, then later dropped their demand to $50 million. Immediately following the attack, Kaseya took all of its cloud-based systems offline, and instructed their customers to immediately disconnect any physical, legacy servers that housed Kaseya software at their businesses as well.

Then something strange happened. About ten days after the attack, REvil's websites and servers began to shut down without warning or explanation. Speculation abounds as to what led to the shuttering of REvil's web presence, including rumblings that either Russian or US authorities (or some combination of the two) had begun to actively suppress the criminals' operations. There is no concrete evidence to date to suggest this is the case.

Then about ten days after that, Kaseya received the universal decryption software necessary to unlock their files from an unidentified and, as they put it, "trusted third-party." They immediately began distributing it to their clients so they could unlock their files. Finally, just this week, an anonymous user on a hacking forum posted the decryption software for public use. Early testing of the decryption software suggests that it's legitimate, though it only seems to work for the attack on Kaseya and not on other REvil attacks.

Even though it seems that the worst of the attack has passed, this episode highlights the danger of ransomware attacks, specifically those involving large supply chains and other systems that involve a multitude of parties. Security protocols have become more robust over time, and hackers these days tend to stay away from directly attacking a firm's central network. Instead, they look for weaknesses in supply chain and vendor management software. REvil exploited an authentication weakness in Kaseya's Virtual System Administrator software (VSA), which is used to manage hardware from multiple third parties contracted with Kaseya's clients. Once they had access to VSA, they could use it to distribute their malware to other nodes in the system, piggybacking into those clients' main networks and allowing REvil to target multiple clients at once. Similar attacks occurred against Target and Home Depot in the past few years, both of which were the result of security breaches in third parties along the companies' supply chains.

Business firms often rely on long and complex supply chains to effectively run their businesses and produce goods. But it only takes one gap in the security infrastructure to endanger the entire system, unfortunately. Cyber criminals use all of their old tricks to breach weak points. Once they have a doorway in, they can release the malware into all of the connected systems. The longer the list of vendors, the more opportunities hackers have to break in.

Luckily, there are tools a firm can use to curb weaknesses in their supply chain. The first is continuous security monitoring. Continuous security monitoring occurs when a security team is constantly observing all of the endpoints within their organization as well as any endpoints within third-party vendors. There are many tools and programs available for firms to accomplish this. Moreover, it's always a good idea to work cybersecurity into a vendor's contract before on-boarding them. That way your client is kept apprised of your activity relating to security and everything remains above board. Likewise, a firm should assess a vendor's security posture, the measures they're taking to keep their own data safe, before agreeing to send or receive any information from them. Assessing the security of a vendor before contracting with them is a must in order to maintain security along the supply line. This is much harder to accomplish after contracting with a vendor, so it's advisable to have predictable protocols in place during negotiations to ensure bringing a new vendor into the system won't be a liability.

Next, firms need to constantly patch any security vulnerabilities within their own systems. A well-trained security team will have automated systems in place to ensure this occurs. Moreover, employee and user habits should be assessed at regular intervals. Firms should know when employees are most likely to use their computers and for how long. That way any anomalies are easy to spot. Employees should also be trained using clear and predictable protocols relating to passwords, proprietary software, and company communications. This will help prevent phishing schemes and information theft, both of which can be used to breach supply chains.
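As an added illustration of the "know when employees use their computers and for how long" idea above (example code written for this post, not a Titan Tech or Kaseya tool), the script below learns each user's usual login window and session length from a history of login/logout records and then flags logins at odd hours, unusually long sessions, and accounts with no history at all. The log format and the user names are constructed for the example.

```python
from datetime import datetime

# Constructed sample logs for illustration, format "YYYY-MM-DDTHH:MM user LOGIN|LOGOUT".
HISTORY = """\
2021-06-01T08:55 alice LOGIN
2021-06-01T17:10 alice LOGOUT
2021-06-02T09:05 alice LOGIN
2021-06-02T17:30 alice LOGOUT
"""
NEW_LOG = """\
2021-06-04T03:30 alice LOGIN
2021-06-04T04:10 alice LOGOUT
2021-06-05T09:00 alice LOGIN
2021-06-05T21:00 alice LOGOUT
2021-06-04T09:00 bob LOGIN
2021-06-04T12:00 bob LOGOUT
"""

def sessions(log):
    """Pair each LOGIN with the user's next LOGOUT -> (user, start, start minute of day, minutes)."""
    open_login, out = {}, []
    for ts, user, action in sorted(tuple(l.split()) for l in log.strip().splitlines()):
        ts = datetime.fromisoformat(ts)
        if action == "LOGIN":
            open_login[user] = ts
        elif user in open_login:
            start = open_login.pop(user)
            out.append((user, start, start.hour * 60 + start.minute, (ts - start).total_seconds() / 60))
    return out

def build_baseline(history, slack=60):
    """Per user: (earliest login, latest login, longest session) in minutes, widened by slack."""
    base = {}
    for user, _, m, dur in sessions(history):
        lo, hi, longest = base.get(user, (m, m, dur))
        base[user] = (min(lo, m), max(hi, m), max(longest, dur))
    return {u: (lo - slack, hi + slack, longest + slack) for u, (lo, hi, longest) in base.items()}

def find_anomalies(new_log, baseline):
    """Flag logins outside the usual window, unusually long sessions and unknown accounts."""
    alerts = []
    for user, start, m, dur in sessions(new_log):
        if user not in baseline:
            alerts.append(f"{user}: no baseline for this account")
            continue
        lo, hi, max_dur = baseline[user]
        if not lo <= m <= hi:
            alerts.append(f"{user}: login at {start:%H:%M} outside usual window")
        if dur > max_dur:
            alerts.append(f"{user}: session of {dur:.0f} min longer than usual")
    return alerts
```

A real deployment would feed this from the endpoint-monitoring tooling mentioned above and tune the slack per role; the point is that a simple per-user baseline makes odd-hours activity stand out.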

Lastly, any physical media, such as proprietary servers, should be kept in secure locations away from normal business operations whenever possible. If a cyber criminal is able to personally examine a server or the server's code, it will be much easier for them to reverse engineer a malware program to exploit its vulnerabilities. Moreover, using on-site legacy servers adds an extra step to the security process as it requires an administrator to physically disconnect the servers from the local network in the event of an attack, unlike a cloud server which can be disconnected instantly from a centralized location. This was one of the problems that arose during the Kaseya attack, as many of the firms using Kaseya's software employed legacy media to store their data, which added vulnerabilities to their system.

The larger the operation, the harder it will be to manage all of these problems. Cyber attacks aren't going away, so it's increasingly important to have thorough procedures in place to prevent and mitigate any threats to your firm. Titan Tech offers many of the services listed above, and they can help you develop a security plan to keep business running smoothly and all of your customers and partners safe.

Join us soon for more tech news.