A novel kind of cyber attack, combining ransomware with a supply-chain vulnerability, has affected hundreds of managed service providers (MSPs) and their clients. The attack, which happened just before the Fourth of July holiday weekend, is being described as the single largest global ransomware attack to date.
It’s attributed to the Russian REvil cyber gang, which is already notorious for advanced persistent threat (APT) attacks – highly sophisticated, targeted cyber attacks in which the intruder gains access to a network and remains undetected for a long time, trawling for logins, passwords and data.
Those affected by the attack were hundreds of MSPs who use Kaseya’s remote monitoring and management software, VSA, to automate IT systems for corporations worldwide.
VSA software helps MSPs to achieve greater profitability and it enables IT departments to save time by doing more with less – it provides comprehensive IT management, IT automation such as software updates and patching, and cyber security all in one.
By gaining access to Kaseya, the cyber gang gained access not only to MSPs around the world, but to their clients too.
As usual with ransomware attacks, the victims’ data was encrypted and corrupted before they received massive payment demands for the release of the data.
The REvil gang, however, ups the ante by copying all the data out of the network before issuing the ransom demand, thereby giving themselves extra bargaining power: if you don’t pay up, they’ll leak your data on the dark web or sell it on the black market. This next-level approach is a likely result of ransomware victims not paying up due to industry advice that it isn’t worthwhile to do so.
The State of Ransomware 2021 survey reported that of all the medium-size organisations who paid a ransom, only 8% were given their data back, so there’s no point in paying up.
Zero-day attacks typically home in on software vulnerabilities that developers haven’t yet had a chance to fix, on the basis that while the vulnerability is still being fixed the attackers have a limited but excellent window in which to strike.
The vulnerability is still unknown
The problem with the latest attack is that the developers haven’t yet worked out what the vulnerability is. The malware seems only to have affected the on-premises VSA software – those using VSA as software-as-a-service from the cloud are unaffected.
“We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA,” said Kaseya in a public statement.
Cyber experts have called REvil’s attack a “ransomware tsunami” for the way it struck without warning and caused instant destruction by wiping out so many systems in one go.
Ways to weaken the threat of ransomware
There’s no definitive way to secure your network completely. Your best strategy is:
- Not to pay the ransom – paying it only encourages attackers to carry on with their strategy.
- To use the most comprehensive security strategy available to you, i.e. a solution that covers backup AND cyber security all in one.
- To keep your data automatically backed up – you will then be able to recover your data by restoring it instead of paying for it to (maybe) be restored by a ransomware attacker.
- To use content scanning and filtering on your mail server.
- To make a concerted effort to improve your staff/user awareness – education in cyber security is a valuable defense.
- Never to provide personal info when answering a phone call or any electronic communication.
- To use strong passwords, preferably with multi-factor authentication.
- To keep all your software up to date with the latest operating systems and patches – vulnerabilities in unpatched software make it easy for attackers.
If you’re at all concerned about your cyber security strategy, please get in touch to talk through your options.