The Kaseya Ransomware Attack, the Supply-Chain Threat, and What You Can Do

There has been a lot of news and some speculation about the ransomware attack on the Kaseya VSA software. 

Here’s what’s happened so far.

Cybercriminals exploited several vulnerabilities in Kaseya’s VSA on-premises product to push ransomware to the computers and servers that those VSA servers manage. IT departments and MSPs use VSA for remote monitoring and management, which means a VSA server is trusted to deploy software to every endpoint under its control. By turning that capability against its owners, the criminals infected some of Kaseya’s customers’ systems and, through Kaseya’s MSP customers, some of those MSPs’ customers as well.

The attack took place on Friday, July 2, 2021. Kaseya shut down its VSA SaaS infrastructure and recommended that all on-premises VSA customers shut down their servers until a verified patch could be produced and distributed. Kaseya began working with partners to resolve the issues as part of its response plan. The company has run into problems updating both the SaaS and on-premises software, delaying the fixes thus far.

In all, Kaseya says about 50 of its direct customers were compromised, about 40 of them MSPs, and that fewer than 1,500 companies worldwide have been affected in total. Some researchers say the impact is greater. One example of third-party impact was a grocery store chain in Sweden that had to close stores because the attack shut down its cash registers.

As of this writing, it is unknown if Kaseya will pay the $70 million ransom demand. Downstream victims are also receiving their own individual ransom demands.

Supply-chain attack trend

While most ransomware is a crime of opportunity that exploits a weakness in a single IT environment, ransomware that targets the IT supply chain is specific, strategic, and well-researched. To pull off this attack, cybercriminals studied the Kaseya software and used it to conduct a widespread, coordinated attack on Kaseya’s customers.

This supply-chain attack is similar to the SolarWinds attack in that both targeted companies that provide technology management software for IT departments and MSPs. Using the supply chain lets attackers maximize the reach of their malware and, therefore, maximize their results. For ransomware, this means more potential payouts from more victims. The mechanics differed, though: in the SolarWinds case the attackers planted a backdoor in the vendor’s own software update, which gave them long-term remote control of victim systems, while in the Kaseya case they exploited vulnerabilities in customer-run VSA servers and used the product’s normal deployment function to deliver ransomware.

Leapfrog believes the SolarWinds and Kaseya attacks point to a disturbing trend in which attackers magnify the impact of a single compromise, whether a zero-day vulnerability or a tampered update, by going after all kinds of supply chains.

Other possible trends

Another trend we see is the desire of the attackers not to go overboard with their demands. The Colonial Pipeline $5 million ransom demand could’ve been higher (the company was also able to retrieve part of the paid ransom) and the Kaseya ransom demand can be met with a single payout of $70 million instead of what might add up to billions of dollars if the attackers ransom every affected company.

REvil, the group that has claimed responsibility for the Kaseya attack, is the same group that hit meatpacker JBS with an $11 million ransom demand in June. The criminal hacking group DarkSide claimed to have attacked Colonial Pipeline in May. Both REvil and DarkSide are believed to operate from Russia, and it’s believed Russia’s Foreign Intelligence Service, or SVR, is responsible for the SolarWinds attack.

However, at this time, there’s no clear line from REvil or DarkSide to the SVR. So while criminals in Russia are attacking U.S. companies, this does not by itself indicate a nation-state cybercrime trend, as some news reports have hinted.

Leapfrog uses Kaseya software but was not directly impacted

Leapfrog uses Kaseya VSA on-premises software, but Leapfrog’s system wasn’t compromised and none of our clients were affected by the malware through Leapfrog. Leapfrog is leaving Kaseya services offline until Kaseya finishes its review and provides the runbook we’ll use to harden the systems. The effect on our customers includes delays in patching and a lack of visibility into operating systems while the services are offline (infrastructure monitoring has remained active throughout the event).

The single Leapfrog client that was a victim of the attack was hit through one specific system that is managed by another IT provider. This vendor couldn’t adequately assist all of its customers, leaving our client unable to do business heading into the Independence Day weekend. Leapfrog stepped in on Friday afternoon and worked through the night to have production ready by Saturday morning.

What you can do to protect your company from similar attacks

  1. Protect against ransomware: 
  • Make your backups ransomware-resistant
  • Segment your IT environment
  • Update and test your Incident Response Plan (IRP)
  • Use MFA
  • Train your employees
  • Add Endpoint Detection and Response (EDR) technology
  • For more, see Is Your Organization Ransomware-Ready?
  2. Protect against third-party risk: 
  3. Create systemic security improvements: 
  4. Take steps to ensure you can get cyber insurance: 
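The attack described above works because a management server is trusted to deploy software to every endpoint it controls, so once the server is compromised the payload arrives through a legitimate channel. One detection that catches that shape regardless of what the payload is, and that complements the EDR and segmentation items above, is to alert when a single procedure is pushed to many distinct endpoints within a short window. The following is an added example, not Kaseya’s code or Leapfrog’s tooling; the audit-log format, server name, account names and procedure names are all hypothetical, and the sample log is constructed for the example.

```python
"""
Detect mass-deployment bursts in RMM audit logs.

Hypothetical line format (constructed for this example, not Kaseya's):
    <ISO-8601 UTC timestamp> <server> action=<action> user=<user> agent=<endpoint> proc=<procedure>
Lines are expected in chronological order, as an audit log normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that don't fit the format."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts, "server": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def find_bursts(lines, window=timedelta(minutes=5), threshold=10):
    """Return one alert per (server, user, procedure) whose number of distinct
    target endpoints inside a sliding `window` reaches `threshold`.
    The alert fires once, at the first crossing, so a reviewer sees it early."""
    recent = defaultdict(deque)  # (server, user, proc) -> deque of (ts, agent) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("action") != "run_procedure":
            continue
        key = (ev["server"], ev.get("user"), ev.get("proc"))
        q = recent[key]
        q.append((ev["ts"], ev.get("agent")))
        while q and ev["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        targets = {agent for _, agent in q}
        if len(targets) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"server": key[0], "user": key[1], "proc": key[2],
                           "targets": len(targets), "first": q[0][0], "last": ev["ts"]})
    return alerts


def _line(ts, server, action, user, agent, proc):
    """Build one constructed audit line in the hypothetical format above."""
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} {server} action={action} user={user} agent={agent} proc={proc}"


_BASE = datetime(2021, 7, 2, 14, 0, 0, tzinfo=timezone.utc)

# Constructed sample log: a benign trickle of patching, then a burst that pushes
# one procedure to 12 endpoints in 90 seconds, plus a malformed line to ignore.
SAMPLE_LOG = [
    *[_line(_BASE + timedelta(minutes=40 * i), "vsa01", "run_procedure", "jsmith",
            f"WS-{i:04d}", "Update-Agent") for i in range(4)],
    *[_line(_BASE + timedelta(hours=3, seconds=8 * i), "vsa01", "run_procedure", "svc-deploy",
            f"WS-{i:04d}", "Hotfix-Rollout") for i in range(12)],
    "garbage line",
]


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(f"{alert['server']}: user {alert['user']} pushed {alert['proc']} to "
              f"{alert['targets']} endpoints between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The threshold and window should be tuned to the size of the fleet and to how the team normally rolls out changes; the useful property is that the rule keys on behaviour of the management server itself, not on a signature of any particular malware, so it still fires when the payload is new.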

Cybersecurity in the age of supply-chain attacks

Third-party risk management and having multiple layers of security are more critical than ever — and it’s going to stay that way. As a company, you can be doing everything right but if one of your vendors is not, you can still be at risk. Talk with your IT security experts about your current vulnerabilities. Dive deep and look at everything if you haven’t already. Move up the IT security scale as quickly as you reasonably can and insure what you can’t fully protect.

You may never know about the attacks your company avoided by hardening your systems but staying up and running is a worthy reward.