
Before it even started, the holiday weekend proved to be the opposite of relaxed for thousands of organizations as the world learned of the latest in a persistent string of massive ransomware events.
While it will likely be weeks before the full scope of the damage becomes apparent, the Kaseya VSA attack has been confirmed to have infected at least 1600 businesses so far with ransomware.
Here’s what you need to know about the Kaseya attack.
The Kaseya attack is what’s known as a “supply chain attack.”
In a supply chain attack, cybercriminals compromise a software supplier with the intention of distributing malicious code downstream to all the organizations it supplies. The nature of a supply chain attack means a company isn’t just vulnerable to the security flaws of its own suppliers, but also to those of its suppliers’ suppliers.
The victims of the attack were almost entirely small businesses.
Unless an organization is very large and has the resources to employ an internal IT department, partnering with an MSP (Managed Service Provider) is almost invariably the best option. In this case, the targets were businesses whose IT service providers used Kaseya VSA software to provide IT management to clients. Among the victims are dozens of small law offices, including one in Level5’s South Florida service area. Medical practices, surgery centers, and dental clinics were affected, as well as at least one educational center and more than 800 stores within the Swedish Coop supermarket chain. Many have had to close temporarily, as the Coop stores did after being unable to open their registers. (Statistics tell us that a whopping 60 percent of businesses will close permanently within 6 months of a cyberattack or breach.)
Kaseya is a South Florida based vendor of IT management software.
While a good Managed Service Provider handles all aspects of business technology, they don’t generally develop software. Instead, MSPs choose vendors to provide software, including the IT management software that allows them to effectively administer many business networks simultaneously. Kaseya is one of those vendors. Kaseya VSA, specifically, is a management tool used by some MSPs to control their clients’ systems.
The best Managed Service Providers — especially those who specialize in IT security — constantly scrutinize their suppliers.
To carry out the management function, this software needs critically important privileges. For example, it has to be able to perform updates, add and remove programs and users, and back up all data. But if it has any security vulnerabilities (as was the case with Kaseya), this kind of access can be abused to exploit information and encrypt data.
Ransomware has exploded with the rise of cryptocurrencies such as bitcoin.
Here’s how it works. The attackers get into your network, exploit your data, and leave a ransom note: the pop-up on your screen reads something like “Your computers and servers have been encrypted. All backups are deleted. To decrypt and restore everything, you must purchase a special decryptor from us.” The ransom payments are demanded in cryptocurrencies for two reasons. First, they’re exceedingly difficult to trace. Second, the transfers take place electronically without the assistance of banks or any other institutions regulated by governments.
The Kaseya attackers are affiliates of a Russian ransomware gang known as REvil.
Ransomware is big business, and the business model has exploded since Covid, with the average cost of ransom more than doubling in the last year. Ransomware gangs operate almost like fast-food franchises. In this case, REvil is the brand headquarters that processes payments and provides the “customer service” for both the attackers and the victims. The gang affiliates can be thought of as the franchisees — they’re the “hackers” who actually execute the attacks under the “brand name.” REvil is one of the most well-known and prolific of the ransomware gangs.
The attackers are demanding a $70 million ransom.
To summarize, it appears that at least 60 IT providers that used the Kaseya tool to administer their clients’ networks were affected. These IT companies ran Kaseya VSA, which in turn ran on thousands of their client companies’ networks. To perform a mass decrypt, the criminals are looking for a collective payment of $70 million. As of July 7, the amount had been lowered to $50 million. Experts are fiercely divided on whether ransoms should be paid, unless (as is often the case) the company has no other hope of staying viable. But paying the ransom doesn’t guarantee you’ll get your data back, or that you won’t be ransomed again in the future.
The Kaseya attack signals a dangerous trend in ransomware.
The IT security experts at Level5 have long been warning small and medium businesses that they’re an attractive target for cybercrime. Alarmingly, while most attacks and breaches actually victimize SMBs, research shows that most small business owners still think they’re too small to be a target. But this is precisely why they are targeted. The tactics behind the Kaseya attack and other recent cyberattacks were previously thought to be mostly reserved for well-resourced nation-state hackers. The new era of cyberattacks is here.
An MSP is the best option for keeping SMBs protected.
A vigilant and top-rated Managed Service Provider like Level5 Management constantly scrutinizes vendors, helps to engineer a comprehensive and multi-faceted security plan, provides proactive 24/7 monitoring of threats, includes cybersecurity awareness training, connects clients to the right cyber insurance, and ensures they meet the requirements to invoke the policy if needed. More than 35 percent of small businesses that use an internal IT department found that their in-house IT staff is simply too overextended to properly upgrade security systems. (What’s more, businesses that outsource their IT can expect to decrease their costs about 15 percent each year on average.)
Ready to talk about your own IT security defenses? Level5 provides the most robust and iron-clad cybersecurity protection on the market, bringing enterprise-level security solutions and managed IT services to SMBs across South Florida and the United States. From the legal industry to the healthcare sector and all professional service businesses along the way, Level5 protects your business from making the news for the wrong reasons. For a no-obligation network assessment and consultation, call our Boca Raton cybersecurity experts at (561) 509-2077 or Livechat us on our website at level5mgmt.com

