Hackers hit a range of IT management companies and compromised their corporate clients by targeting a key software vendor called Kaseya. On Monday, the attackers requested a $70 million payment in bitcoin in exchange for a decryption tool that could help victims recover from the attack.
Kaseya is the latest ransomware victim in a string of attacks that have also hit major fuel supplier Colonial Pipeline and meat processor JBS Foods, prompting worries among researchers, corporate leaders and US officials about cyber risks to physical and digital infrastructure.
Given that the attack hit just before a holiday weekend, the full extent of the damage may not be known until this week. Here’s what we know so far.
Who was affected?
On Friday afternoon, Kaseya was alerted to a potential attack involving its remote management software, VSA, the company said in a statement. Within an hour, it shut down access to that software in an effort to stem the attack’s spread. By Saturday, US officials said they were tracking the attack.
Kaseya provides technology that helps other companies manage their information technology — essentially, the digital backbone of their operations. In many cases, Kaseya sells its technology to third-party service providers, which manage IT for other companies, often small- and medium-sized businesses. In short, by targeting Kaseya’s software, attackers had easier access to a range of different companies’ networks.
Over the weekend, experts said the attack had already knocked out at least a dozen IT support firms that rely on Kaseya’s remote management tool. The incident not only affects Kaseya’s IT management customers, but also those companies’ corporate clients that have outsourced IT management to them.
Kaseya on Tuesday said around 50 of its customers that use the on-premises version of VSA had been directly compromised by the attack — but it said as many as 1,500 downstream businesses around the world have been compromised. These include dentists’ offices, small accounting offices and local restaurants, the company said.
Kaseya’s chief executive, Fred Voccola, added in an interview with Reuters on Monday that it is hard to gauge the full impact of the attack, but that he was not aware of any nationally important organizations being compromised.
“We’re not looking at massive critical infrastructure,” he told Reuters. “That’s not our business. We’re not running AT&T’s network or Verizon’s 911 system. Nothing like that.”
Who was behind it?
REvil is the criminal hacking gang whose malware was behind the Kaseya attack, cyber researchers have said.
The group, which is believed to operate out of Eastern Europe or Russia, is one of the most infamous “ransomware-as-a-service” providers, meaning it supplies tools for others to carry out ransomware attacks and takes a cut of the profits. It also executes some of its own attacks.
Experts have been tracking REvil since it emerged in 2019 and quickly became a sort of “thought leader” in the hacking space, said Jon DiMaggio, the chief security strategist at cybersecurity firm Analyst1 who tracks ransomware groups. Several hacking groups, including the DarkSide gang that carried out the Colonial Pipeline attack in May, are thought to have been created by people who originally worked for REvil, DiMaggio said.
REvil is believed to operate out of Eastern Europe or Russia because its representatives communicate online in Russian and its attacks are generally designed to avoid Russian devices, experts say. US officials have urged Russia to take action to prosecute cybercriminal groups operating within the country.
REvil was also behind several other recent, high-profile ransomware attacks — it hit JBS Foods last month, Apple supplier Quanta Computer in April and electronics maker Acer in March.
About the timing…
It’s not surprising that the attack hit just ahead of a major holiday weekend. Experts say holidays and long weekends are the best times for hackers to execute ransomware attacks because they give attackers more time to encrypt files and devices before anyone has a chance to notice and respond.
Executing the attack on Fourth of July weekend, in particular, may have also been intentional, according to DiMaggio.
After US officials took out DarkSide following the Colonial Pipeline attack and reclaimed some of the ransom it had received, REvil took to online hacking forums to say that ransomware groups would not be deterred by the United States, DiMaggio said.
“They’ve always seemed anti-US but especially since the DarkSide takedown, and now we’re seeing this massive attack against our infrastructure on Independence Day weekend,” he said. “I think it’s sending a very strong message.”
How has the White House responded?
The White House has urged companies that believe their systems were compromised by the attack to immediately report it to the Internet Crime Complaint Center.
“Since Friday, the United States Government has been working across the interagency to assess the Kaseya ransomware incident and assist in the response,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology, on Sunday. “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working with Kaseya and coordinating to conduct outreach to impacted victims.”
President Joe Biden also said in a press briefing over the weekend that, while officials are still investigating the source of the attack, the United States could retaliate if the Russian government is involved.
“If it is either with the knowledge of and/or the consequence of Russia, then I told Putin we will respond,” Biden said Saturday, referring to his meeting with the Russian leader last month. “We’re not certain. The initial thinking it was not the Russian government but we’re not sure yet.”
What should we learn?
The attack on Kaseya points to a popular target for ransomware attackers: Managed Service Providers. MSPs such as Kaseya’s customers allow companies to outsource certain software and services, such as IT management, to third parties, which can help avoid the cost of having to employ such experts in-house.
SolarWinds — the company that was hit by a devastating security breach last year — similarly provides IT management software to many Fortune 500 firms and government agencies.
While attacks on these kinds of providers are not new, MSPs represent a big opportunity for hackers because of the way they interact with other companies’ networks, DiMaggio said. In many cases, there are no technical checks on software updates coming from these providers because they are considered “trusted” partners, potentially leaving customers vulnerable to bad actors that could embed ransomware payloads into those updates.
“There’s going to have to be more checks and balances for any third-party vendor,” he said.