The Kaseya ransomware attack: who's behind it?
Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack over the American Independence Day weekend. It appears that attackers carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya's VSA software against multiple managed service providers (MSPs) and, through them, their customers.
According to Kaseya CEO Fred Voccola, less than 0.1 per cent of the company's customers were embroiled in the breach, but as its clientele includes MSPs, this meant that smaller businesses were also caught up in the incident. Those affected included supermarkets in Sweden and schools in New Zealand.
What happened?
On July 2 Voccola announced "a potential attack against the VSA that has been limited to a small number of on-premise customers." At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. "It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA," the executive said.
Customers were notified of the breach via email, phone, and online notices. As Kaseya's Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centres offline.
By July 4, the company had revised its assessment of the incident's severity, calling itself the "victim of a sophisticated cyberattack." Cyber forensics experts from FireEye's Mandiant team, alongside other security companies, were pulled in to assist. "Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service," Kaseya said, adding that more time was needed before its data centres could be brought back online.
In a July 5 update, Kaseya said that a fix had been developed and would first be deployed to SaaS environments once testing and validation checks were complete. "We are developing the new patch for on-premises clients in parallel with the SaaS Data Centre restoration," the company said. "We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers."
Who was behind the attack?
Affiliates of the Russian hacker group REvil have claimed responsibility for the attack. According to cybersecurity company Palo Alto Networks, REvil has emerged as one of the world's most notorious ransomware operators. In just the past month, it extracted an $11 million payment from the US subsidiary of the world's largest meatpacking company, which is based in Brazil, demanded $5 million from a Brazilian medical diagnostics company and launched a large-scale attack on dozens, perhaps hundreds, of companies that use Kaseya's VSA IT management software.
While REvil (which is also known as Sodinokibi) may seem like a new player in the world of cybercrime, Palo Alto Networks' Unit 42 has been monitoring the threat actors tied to this group for three years. "We first encountered them in 2018 when they were working with a group known as GandCrab. At the time, they were mostly focused on distributing ransomware through malvertising and exploit kits, which are malicious advertisements and malware tools that hackers use to infect victims through drive-by downloads when they visit a malicious website," the company said.
That group morphed into REvil, grew and earned a reputation for exfiltrating massive data sets and demanding multimillion-dollar ransoms. It is now among an elite group of cyber extortion gangs that are responsible for the surge in debilitating attacks that have made ransomware one of the most pressing security threats to businesses and nations around the globe.
Ransomware as a service
Palo Alto Networks says REvil is one of the most prominent providers of ransomware as a service (RaaS). This criminal group provides adaptable encryptors and decryptors, infrastructure and services for negotiation communications, and a leak site for publishing stolen data when victims don't pay the ransom demand. For these services, REvil takes a percentage of the negotiated ransom price as its fee. Affiliates of REvil often use two approaches to persuade victims into paying up: they encrypt data so that organisations cannot access information, use critical computer systems or restore from backups, and they also steal data and threaten to post it on a leak site (a tactic known as double extortion).
Threat actors behind REvil operations often stage and exfiltrate data followed by encryption of the environment as part of their double extortion scheme. If the victim organisation does not pay, REvil threat actors typically publish the exfiltrated information. "We have observed threat actors who are clients of REvil focus on attacking large organisations, which has enabled them to obtain increasingly large ransoms. REvil and its affiliates pulled in an average payment of about $2.25 million during the first six months of 2021 in the cases that we observed," Palo Alto Networks says.
The size of specific ransoms depends on the size of the organisation and type of data stolen. Further, when victims fail to meet deadlines for making payments via bitcoin, the attackers often double the demand. Eventually, they post stolen data on the leak site if the victim doesn’t pay up or enter into negotiations.
Voccola told Reuters he could not confirm whether Kaseya would pay the $70m ransom or negotiate with the hackers for a lower cost: "No comment on anything to do with negotiating with terrorists in any way," he said.