New kind of ransomware hits like a tsunami

A novel kind of cyber attack combining ransomware and supply chain vulnerability has affected hundreds of managed service providers (MSPs) and their clients. The attack, which happened just before the Fourth of July holiday weekend, is being described as the single largest global ransomware attack to date.

It’s attributed to the Russian REvil cyber gang which is already notorious for advanced persistent threat (APT) attacks – highly sophisticated, targeted cyber attacks in which the intruder gains access to a network and remains undetected for a long time, trawling for logins, passwords and data.

Those affected by the attack were hundreds of MSPs who use the Kaseya systems remote management and monitoring software, VSA, to automate IT systems for corporations worldwide.

VSA software helps MSPs to achieve greater profitability and it enables IT departments to save time by doing more with less – it provides comprehensive IT management, IT automation such as software updates and patching, and cyber security all in one.

By gaining access to Kaseya, the cyber gang gained access not only to MSPs around the world, but to their clients too.

As usual with ransomware attacks, the victims’ data was encrypted and corrupted before they received massive payment demands for the release of the data.

But with the REvil gang, they up the ante by backing up all the data before issuing the ransom, thereby giving themselves extra bargaining power, i.e. if you don’t pay up, we’ll leak your data to the dark web or sell it on the black market. This next-level approach is a likely result of ransomware victims not paying up due to industry advice that it isn’t worthwhile to do so.

The State of Ransomware 2021 survey reported that of all the medium-size organisations who paid a ransom, only 8% were given their data back, so there’s no point in paying up.

Zero day attacks typically hone in on software vulnerabilities that developers haven’t had a chance to fix on the basis that while the vulnerability is being fixed they (the attackers) will have a limited but excellent opportunity to hit.

The vulnerability is still unknown

The problem with the latest attack is that developers haven’t yet worked out what the vulnerability is. The malware seems only to have affected VSA on-premise software – those using VSA software-as-a-service from the cloud are unaffected.

“We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA,” said Kesaya in a public statement.

Cyber experts have called REvil’s attack a “ransomware tsunami” for the way it struck without warning and caused instant destruction by wiping out so many systems in one go.

Ways to weaken the threat of ransomware

There’s no definitive way to secure your network completely. Your best strategy is:

  • Not to pay the ransom – paying it only encourages attackers to carry on with their strategy.
  • To use the most comprehensive security strategy available to you, i.e. a solution that covers backup AND cyber security all in one.
  • To keep your data automatically backed up – you will then be able to recover your data by restoring it instead of paying for it to (maybe) be restored by a ransomware attacker.
  • To use content scanning and filtering on your mail server.
  • To make a concerted effort to improve your staff/user awareness – education in cyber security is a valuable defense.
  • Never to provide personal info when answering a phone call or any electronic communication.
  • To use strong passwords, preferably with multi-factor authentication.
  • To keep all your software up to date with the latest operating systems and patches – vulnerabilities due to unpatched software makes it easy for attackers.

If you’re at all concerned about your cyber security strategy, please get in touch to talk through your options.

Do you have proper data protection in place?

New all-in-one cyber security and backup product gives more peace of mind


Get a 14-day free trial

Step 1 of 2

  • Sign up for your
    Free Trial

    Please complete the form to sign up for your free trial. For all our other products, please contact us for a consultation.

  • I have read and understand IronTree Internet Services CC's privacy notice.

  • Hidden
  • I have read and understand IronTree Internet Services CC's privacy notice.

  • I have read and understand IronTree Internet Services CC's privacy notice.

  • I have read and understand IronTree Internet Services CC's privacy notice.

We are taking all necessary precautions around the COVID-19 situation. Our offices are closed and our team members have each been set up to work remotely in self-isolation at home. As far as possible IronTree will maintain business as usual. All our resources such as server platforms, transactional capacity, telephony and electronic communications, including video meeting facilities, have been configured in the cloud and are 100% operational. Please feel free to contact us if you require our assistance. Stay safe!
One of our team members will be happy to help answer any questions you have!
Just click the chat icon in the right-hand corner.