Explained | Kaseya and the massive cyberattack affecting 1,500 businesses globally

Kaseya and the massive cyberattack affecting 1,500 businesses globally. | Photo Credit: Reuters

On July 2, Kaseya, a Miami-based software provider to over 40,000 organisations, announced that it was investigating a potential cyberattack. A day later, the IT solutions developer for managed service providers (MSPs) and enterprise clients confirmed that it had been hit by a ‘sophisticated cyberattack’.


According to CEO Fred Voccola, between 800 and 1,500 businesses around the world have been affected by the ransomware attack.

In an interview with Reuters, he noted that the precise impact of the attack could not be estimated, since the businesses affected were customers of Kaseya’s customers.

On Sunday, the Russia-linked hacking group REvil put out a blog post on the dark web confirming its hand in the attack. REvil demanded $70 million to restore the data. The group was also responsible for hacking the world’s largest meat processor, JBS, in May.

What does Kaseya sell?

Kaseya sells a comprehensive, integrated IT management platform to other companies. It also provides tools such as VSA (Virtual System/Server Administrator) and other remote monitoring and management tools that organisations use to manage network endpoints. Kaseya also provides compliance systems, service desks and service automation platforms.

The Florida-based company’s reach can be understood from the fact that more than 40,000 organisations around the world use one or all of Kaseya’s IT tools, making it central to the software supply chain of hundreds of businesses around the world.

What went wrong?

According to the FBI, the recent supply-chain ransomware attack was caused by leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.

VSA lets an organisation remotely manage servers and other hardware, along with software and services. The software is used by large corporations and by service providers that handle system administration for companies without their own IT departments.

According to security expert Kevin Beaumont, an apparently automated fake software update in the product delivered the REvil ransomware. The malware ran with administrator rights all the way down to client systems, meaning that the MSPs attacked would in turn infect their clients’ systems.

Beaumont explained in a blog post that the attacker immediately cut off administrator access to VSA, and then added a task called “Kaseya VSA Agent Hot-fix”. This fake update was then deployed across the estate, including the systems of the MSPs’ own client customers. The management agent update was actually REvil ransomware, so organisations that were not themselves Kaseya customers were still encrypted.

The ransomware allowed the hackers to disable antivirus and run a fake Windows Defender app, after which the files on the computer were encrypted and could not be accessed without a key.
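The attack chain described above has a detectable shape on the management server itself: a newly created task with a plausible-sounding name, pushed to many distinct client organisations within seconds. The following is an added example, not code from the article, from Beaumont, Huntress or Kaseya; the audit-log line format and the sample lines are constructed for the illustration and are not Kaseya VSA's real log format. It shows two defender heuristics over such a log: a name match on the task label the article reports (“Kaseya VSA Agent Hot-fix”), and a name-independent fan-out check that flags any single task reaching an unusually large number of client organisations inside a short window.

```python
"""Flag suspicious remote-management task pushes in a constructed audit log.

Added illustration, not from the article or from Kaseya. The log line
format below is invented for this example and is NOT Kaseya VSA's real
audit format. Two defender heuristics are demonstrated:

1. name match: a task whose label is on a known-bad list (the article
   reports "Kaseya VSA Agent Hot-fix" as the fake update's task name);
2. fan-out: one task pushed to >= min_orgs distinct client organisations
   within a short window, which is the shape of an MSP-to-client
   supply-chain push regardless of what the task is called.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Task labels known from public reporting (lower-cased for comparison).
KNOWN_BAD_TASK_NAMES = {"kaseya vsa agent hot-fix"}

# Constructed log format: "<ISO timestamp> task=<name> org=<client> agent=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) task=(?P<task>.+?) org=(?P<org>\S+) agent=(?P<agent>\S+)$"
)

# Constructed sample lines (hypothetical client orgs acme, bravo, ...).
SAMPLE_LOG = """\
2021-07-02T13:02:10Z task=Weekly Patch Cycle org=acme agent=a1
2021-07-02T13:02:11Z task=Weekly Patch Cycle org=acme agent=a2
2021-07-02T14:30:01Z task=Kaseya VSA Agent Hot-fix org=acme agent=a1
2021-07-02T14:30:01Z task=Kaseya VSA Agent Hot-fix org=bravo agent=b7
2021-07-02T14:30:02Z task=Kaseya VSA Agent Hot-fix org=charlie agent=c3
2021-07-02T14:30:02Z task=Kaseya VSA Agent Hot-fix org=delta agent=d9
2021-07-02T14:30:03Z task=Kaseya VSA Agent Hot-fix org=echo agent=e4
2021-07-02T15:00:00Z task=Agent Telemetry Rollout org=acme agent=a3
2021-07-02T15:00:00Z task=Agent Telemetry Rollout org=bravo agent=b1
2021-07-02T15:00:01Z task=Agent Telemetry Rollout org=charlie agent=c2
2021-07-02T15:00:01Z task=Agent Telemetry Rollout org=delta agent=d1
2021-07-02T15:00:02Z task=Agent Telemetry Rollout org=echo agent=e9
2021-07-02T15:00:02Z task=Agent Telemetry Rollout org=foxtrot agent=f2
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_known_bad(events):
    """Events whose task label matches a known-bad name (case-insensitive)."""
    return [ev for ev in events if ev["task"].lower() in KNOWN_BAD_TASK_NAMES]


def find_fanout(events, min_orgs=5, window=timedelta(minutes=5)):
    """Map task -> set of distinct orgs for tasks that reach >= min_orgs
    distinct client organisations inside any window-length interval.
    Uses a sliding window per task over time-sorted events."""
    by_task = defaultdict(list)
    for ev in events:
        by_task[ev["task"]].append(ev)
    flagged = {}
    for task, evs in by_task.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # org -> events currently in window
        left = 0
        for right, ev in enumerate(evs):
            in_window[ev["org"]] += 1
            # Drop events that fell out of the window on the left.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                old = evs[left]["org"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_orgs:
                flagged[task] = set(in_window)
                break
    return flagged


def triage(text, min_orgs=5):
    """Run both heuristics and return a summary for analyst review."""
    events = parse_log(text)
    return {
        "known_bad_orgs": sorted({ev["org"] for ev in find_known_bad(events)}),
        "fanout_tasks": sorted(find_fanout(events, min_orgs=min_orgs)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the constructed sample, the name match finds only the “Hot-fix” push, while the fan-out check flags both that push and a benignly named mass rollout. That second hit is deliberate: the fan-out heuristic is a trigger for review (who created the task, when was it created relative to the push, was the admin session legitimate), not a verdict, because legitimate MSP-wide rollouts have the same shape.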

Cybersecurity firm Huntress tracked over 30 MSPs where Kaseya’s VSA was used to encrypt well over 1,000 businesses. It assessed with high confidence that the cybercriminals exploited an arbitrary file upload and code injection vulnerability to gain access to the servers.

In a July 5 update, Kaseya said that the patch for on-premises customers (software installed and run on the customer’s own premises rather than at a remote facility) had been developed and was going through testing and validation. The company expected to bring its Software-as-a-Service (SaaS) servers back online on July 6 between 2 PM and 5 PM EDT.

Size of impact

REvil said on its blog that more than a million systems were infected. A Swedish supermarket chain temporarily closed 800 of its stores across the country because it was unable to open its cash registers.

While the number of directly infected clients may be small, the MSPs and the SMB customers lower down the chain could be impacted heavily.

As of July 2, cybersecurity firm Sophos’s analysis showed that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organisations.

Huntress said on Reddit that about 1,000 companies have had their servers encrypted while thousands of small businesses may have been impacted.

The incident has led security experts to call it one of the farthest-reaching criminal ransomware attacks they have ever seen.

What next?

A ransom note by REvil says that all files are encrypted and currently unavailable. It adds that everything can be recovered only if its instructions are followed.

“It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. It’s not in our interests,” the note reads.

Sophos analyst Mark Loman shared a picture on Twitter of an infected server where the demand is $44,999 for a single hit endpoint. There are reports that ransom demands of up to $5 million have been made to individual organisations as well.

While the FBI and CISA released a joint statement urging customers to follow a few guidelines, the White House asked organisations to inform the Internet Complaint Centre if their servers have been compromised. US President Joe Biden has also directed intelligence agencies to investigate the matter.

The demand to recover from the attack is $70 million in bitcoin. The gang said that, once paid, it would publicly release a decryptor that decrypts the files of all victims, so that everyone would recover from the attack within an hour.

The amount demanded is the largest ransom demand ever known. It remains to be seen how Kaseya will respond.

Source: The Hindu, Sep 27, 2021 | https://www.thehindu.com/sci-tech/technology/explained-kaseya-and-the-massive-cyberattack-affecting-1500-businesses-globally/article35167820.ece