The Kaseya Ransomware Attack was perpetuated on KASEYA, an IT solutions developer for MSPs and enterprise clients. On July 2, 2021, Kaseya announced that it had become a cyberattack victim over the American Independence Day weekend.
Fred Voccola, CEO of Kaseya, said that less than 0.1% of the company’s customers were affected by the breach. But Kaseya’s clients, including MSPs, smaller businesses, and other organizations, were caught up in the incident.
“Criminals now see how powerful MSP attacks can be,” believes Victor Gevers, the head of the non-profit Dutch Institute for Vulnerability Disclosure. He further said, “they are already busy, have already moved on, and we have no idea where.” The Dutch Institute for Vulnerability Disclosure is the one that warned Florida-based Kaseya of the weaknesses before the attack.
Gevers elaborated that his team of researchers had discovered similar vulnerabilities in more MSPs; this is going to happen again & again,” he said, but he declined to tell any names because they had not yet fixed all the problems.
What happened in the Kaseya Ransomware Attack?
Investigators said that REvil, an affiliate of a top Russian-speaking ransomware gang, used two gaping flaws in software from Florida-based Kaseya to break into as many as 50 managed services providers (MSPs) that used its products.
Ransomware Attackers attempted a supply chain ransomware attack on Kaseya by leveraging a vulnerability in the company’s VSA software against multiple Managed Service Providers (MSP) and their customers.
Cyber security experts also estimate that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.
Experts further believe that a ransomware attack in July 2021 paralyzed about 1,500 organizations by compromising tech-management software from, yeah, you guessed it right, Kaseya. It set off a race among cybercriminals looking for vulnerabilities that resemble Kaseya’s.
Who’s responsible for the Kaseya Attack?
REvil, a full-fledged black hat red team operator and a ransomware-as-a-Service (RaaS) gang known as Sodinokibi, is behind the Kasyea ransomware attack. RaaS gangs sell their expertise to anybody who wants to ransom an organization for any purpose, typically driven by financial motivation.
REvil is known to conduct its campaigns in addition to selling ransomware services and is responsible for 300+ ransomware campaigns per month.
REvil’s ransomware attack on software provider Kaseya underscored the threats to supply chains that resonate perfectly with the attacks.
Flashpoint intelligence suggested that REvil appeared to be fully operational after its hiatus. Evidence also points to the ransomware group’s efforts to mend fences with former affiliates who have expressed unhappiness with the group’s disappearance.
Further, KPN, which tracks REvil’s increasing activities, and the increasing number of operations, suggested that their campaigns rose steadily in 2020 (as shown in the table below)
Month |
Number Of Campaigns |
December 2020 | 300 |
November 2020 | 300 |
October 2020 | 400 |
September 2020 | 100 |
August 2020 | 200 |
Who was impacted by the Kaseya Attack?
The Kaseya ransomware attack has impacted between 1200-1500 companies as well as almost 50 MSPs. For context, this represents 37,000 of Kaseya’s clients, or 0.001% of their total customer base. An MSP has several companies they service, and if one MSP is breached. It’s a downstream effect impacting all of their clients.
Kaseya has pushed the narrative that only a small percentage of its client base has been impacted, which is true, although there is potential for this attack to widen.
We’ve learned throughout these breach reports that it can take months to figure out the full implications of the attack. 50 impacted MSPs could turn into 100s, and those 1500 companies impacted could turn into 1000s.
Key factors to bear in mind for future ransomware attacks
- Ransomware groups will remain well funded from previous ransomware activities & former group members such as Maze. With the increasing number of attacks, ransomware groups are wealthier than ever, ensuring that they’ll continue to operate & carry out new attacks in the future.
- Chained exploits will be used, such as CVE 2021-30116, a software vulnerability with the Kaseya VSA servers that the hackers could exploit, allowing them to conduct a widespread attack targeting several Kaseya MSP clients. CVE 2021-30116 style of attacks resonates more with nation-states and the military.
- Attacks like Kaseya Ransomware Attack are very effective and allow hackers to infect many victims. In Kaseya’s case, they infected victims via an automatic software update that delivered the REvil ransomware, which encrypted the system’s content on that network, causing operational disruption across different organizations. What you should bear in mind is that trends like these will surely continue in future ransomware attacks.
How to prevent an attack like the Kaseya Ransomware attack?
Companies or even individuals should take the following steps to protect themselves from ransomware attacks:
Use Cyber-Security software from Imagine IT
Cyber-Security Products from Imagine IT has email scanning capabilities and can detect most viruses & malware on your computer. Even though attackers are developing new ways to breach a system while bypassing its antivirus security, you should still have an advanced form of protection that Imagine IT can provide.
Keep your OS Updated
Companies like Microsoft and Apple are constantly updating their operating systems for a reason. The security updates they provide contain fixes for bugs and vulnerabilities that hackers can exploit to attack. Cybersecurity is a cat-and-mouse game, which means that by running an outdated system, you remain a step behind the game and become more vulnerable to breaches from malicious actors.
Back-up your data
Ransomware only works if you don’t have a copy of your data. If you’re a company, backing up your data on the cloud (or a hard drive) makes you safe from attackers. Schedule backups consistently because you haven’t updated them in a year; the backup will have no value in a ransomware attack.
Raise security awareness in your organization
Ransomware attacks can always happen because of human error, resulting in terrible consequences for the entire organization. Educate your employees so that they realize the importance of being security-aware. Ensure that only a few administrators can access important data and have them use long credentials paired with multi-factor authentication.
Let’s wrap it up
Remain wary of Ransomware attacks like the one Kaseya suffered, and use our world-class Cyber security products. A strong internet security software suite from Imagine IT can help block ransomware attacks.