The Kaseya Breach Impact – It’s Big
When a ransomware attack strikes, it is usually bad news for one targeted company. The latest major ransomware attack, however, has affected up to 1,500 businesses, because the Kaseya attack is the latest example of a particularly nasty tactic: the extortionists went after a software supply chain, compromising one vendor's product to reach everyone who depends on it. Here is what is known so far about the overall impact of the Kaseya breach.
A Ransomware Recap
In case you’re uncertain about what ransomware means, let’s go back to basics. Ransomware is a form of malicious software designed to make files inaccessible to the legitimate user, most commonly by encrypting them. Depending on the setup, this attack can stop the user from accessing personal or business documents or even leave them unable to use devices and systems altogether.
The victim then gets a demand for payment, usually in a cryptocurrency such as Bitcoin. Such payments are not untraceable (the ledger is public), but they are hard to link to a real-world identity. In theory, paying the ransom leads to the attacker providing a key to decrypt the files, but there is no guarantee: some groups never deliver a working decryptor, and some demand a second payment.
As well as the initial disruption, many attackers now practise "double extortion": before encrypting anything, they copy sensitive data out of the network and threaten to publish it online if the ransom is not paid. That threat persists even if the victim can restore every file from backup.
An Unusual Victim
The latest high-profile attack has a twist: the company whose software was breached, Kaseya, is not the only victim. Kaseya sells IT management software directly to businesses and, indirectly, through managed service providers (MSPs), which take care of a business's IT needs. Among its products, Kaseya offers VSA, a tool for remote monitoring and management (RMM) of networks and devices. By design, an RMM tool holds administrative access to every endpoint it manages, so whoever controls it controls those endpoints.
The attackers exploited an authentication bypass vulnerability in this software. Rather than forcing their way past the login by guessing passwords or defeating other identity checks, they used a bug that let their requests reach privileged functionality without ever logging in.
That bypass gave them the same access the monitoring and management tools legitimately have over the devices and systems they manage. They used it to push the ransomware to those systems, labelling it as a Kaseya software update so that it would not look out of place to administrators or to security tooling. The attack was timed around the U.S. Independence Day holiday weekend, when many businesses had reduced staffing and delayed their regular security checks, which only furthered the Kaseya breach's impact.
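The point above is that an update pushed through a management channel is only as trustworthy as the channel, so the endpoint should verify the package itself before running it. The following is an added illustration of that check, not Kaseya's code or a reconstruction of its product: a package pushed through the management channel runs only if a publisher-signed manifest pins its exact SHA-256. The package names, payload bytes, manifest fields and keys are all constructed for the example, and HMAC-SHA256 with a hypothetical shared key stands in for the asymmetric publisher signature a real vendor would use, so that the script runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Hypothetical publisher key (assumption for this example). A real vendor
# would sign with an asymmetric key and ship only the public half to
# customers; HMAC-SHA256 stands in here so the example runs on the
# standard library alone.
PUBLISHER_KEY = b"example-publisher-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(name: str, package: bytes, manifest: dict, signature: str,
                  key: bytes = PUBLISHER_KEY):
    """Gate a package pushed through the management channel.

    Returns (ok, reason). The package may run only if the manifest carries a
    valid publisher signature, names this package, and its pinned SHA-256
    matches the bytes actually delivered. compare_digest avoids leaking
    information through comparison timing.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    if manifest.get("name") != name:
        return False, "signed manifest does not cover this package"
    if not hmac.compare_digest(manifest.get("sha256", ""), sha256_hex(package)):
        return False, "package bytes do not match signed manifest"
    return True, "ok"


# --- Constructed sample jobs (not real Kaseya artifacts) -------------------
GENUINE_UPDATE = b"MZ...genuine agent update payload..."
GENUINE_MANIFEST = {"name": "agent-update", "version": "9.5.7",
                    "sha256": sha256_hex(GENUINE_UPDATE)}
GENUINE_SIG = sign_manifest(GENUINE_MANIFEST)

MALWARE = b"MZ...ransomware dropper renamed to look like an update..."
# Attacker job 1: reuse the real signed manifest but swap in the malware.
# Attacker job 2: write a manifest that pins the malware hash and sign it
# with a key the attacker controls rather than the publisher's.
ATTACKER_KEY = b"attacker-key"
FORGED_MANIFEST = {"name": "agent-update", "version": "9.5.8",
                   "sha256": sha256_hex(MALWARE)}
FORGED_SIG = sign_manifest(FORGED_MANIFEST, ATTACKER_KEY)

PUSHED_JOBS = [
    ("agent-update", GENUINE_UPDATE, GENUINE_MANIFEST, GENUINE_SIG),
    ("agent-update", MALWARE, GENUINE_MANIFEST, GENUINE_SIG),
    ("agent-update", MALWARE, FORGED_MANIFEST, FORGED_SIG),
]


def gate_jobs(jobs=PUSHED_JOBS):
    """Return a list of (name, ok, reason) for each pushed job."""
    return [(name,) + verify_update(name, pkg, man, sig)
            for name, pkg, man, sig in jobs]


if __name__ == "__main__":
    for name, ok, reason in gate_jobs():
        print(f"{name}: {'RUN' if ok else 'BLOCK'} ({reason})")
```

Only the first job runs; the other two are blocked for different reasons, which is the property that matters: an attacker who controls the delivery channel can choose any file name and version string, but cannot produce a manifest the endpoint will accept without the publisher's signing key. Note that this check protects against a forged update, not against an attacker who abuses the legitimate ability of an RMM tool to run arbitrary scripts, which is why restricting what the management channel may execute, and alerting on its use, remain necessary.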
Kaseya has noted that only a few dozen of its roughly 40,000 customers were hit directly. It also said that no critical infrastructure was affected, and stressed that the attackers did not compromise the company's own system for distributing legitimate software updates: the malicious package merely carried an update-like name, and it was pushed through customers' compromised management servers.
The problem is that many of the directly affected customers were MSPs serving other businesses, so the damage fanned out downstream, with estimates of between 800 and 1,500 businesses disrupted. The most visible effect was in Sweden, where a grocery store chain had to close hundreds of stores because its point-of-sale systems were made inoperable.
The attack appears to be the work of the Russia-linked group known as REvil, which runs a business model called "ransomware as a service" (RaaS). The group develops and maintains the ransomware, the leak site and the payment infrastructure, and rents them to affiliates who carry out the actual intrusions. Instead of a fixed fee, the operators take a percentage of whatever ransoms the affiliates' victims pay. REvil even offers a "customer service" chat to make it easier for victims to pay up, particularly if they are unfamiliar with cryptocurrencies.
In this attack the group appears to be hoping for a single massive payment (reportedly $70 million, in exchange for a universal decryptor) from Kaseya rather than negotiating with each downstream victim. While Kaseya has not commented publicly on any dealings with the attackers, it faces an unenviable choice between angering customers by failing to act and paying up, which would fund and encourage further attacks.
Lessons to Learn
In this specific case, while the impacts of the Kaseya breach were far-reaching, most of the affected businesses did little if anything wrong that increased their chances of being hit: the flaw was in software they were entitled to trust. (That said, good security practices and defenses remain vital for reducing the risk of a direct ransomware attack.)
The attack is a reminder that cybersecurity is not just about preventing damage but also about preparing to deal with it. Disaster recovery plans, including thinking about what you would do if key files, systems, or even devices were out of action, mitigate the risk of ransomware. Two details matter here. First, backups must be kept where an attacker who has administrative control of your endpoints cannot reach them, because an RMM compromise hands over exactly that level of control; an offline or immutable copy is the safeguard. Second, a restore that has never been tested is not a plan, so rehearse recovery before you need it.