REvil’s latest ransomware campaign shows the domino effect of a supply-chain compromise: the group first targeted Kaseya, a vendor of IT management software used by managed service providers (MSPs), then spread through those MSPs to their customers, affecting at least 200 firms so far.
On July 2, Kaseya confirmed the attack. The company said it promptly shut down its software-as-a-service (SaaS) servers, notified on-premises customers, engaged “leading industry professionals in forensic investigations,” and reported the campaign to cybersecurity authorities.
Kaseya VSA is a remote monitoring and management (RMM) platform, available both as a cloud-hosted service and as an on-premises server, that MSPs use for patch management, remote control and monitoring across their customers’ endpoints. That reach is exactly what makes it attractive to an attacker: whoever controls the VSA server can push software to every managed machine.
According to John Hammond of Huntress Labs, all of the impacted MSPs are running Kaseya VSA, and Huntress has evidence that the MSPs’ own customers are being encrypted as well. While Kaseya investigates, all VSA customers are advised to shut down their VSA server immediately and keep it offline until Kaseya says otherwise, to prevent the attack from spreading. Hammond said:
“We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted.”
According to BleepingComputer’s report, the attacks on MSPs appear to be a supply-chain attack carried out through Kaseya VSA: the ransomware was delivered to managed endpoints as a malicious update pushed out through VSA’s automatic update mechanism.
Kaseya was testing a patch for the exploited vulnerability but had not yet released it to customers. The timing was unfortunate: the REvil group beat Kaseya to the fix and used that same zero-day to compromise managed service providers and their clients around the world.
The group posted its ransom demand on its dark-web leak site, the Happy Blog. According to the post, the gang is seeking $70 million (about Rs 520 crore) in exchange for a universal decryptor that it claims will unlock “more than a million systems.”
Significance of the attack
The ransom demanded in this attack is the largest publicly reported to date, and if it were paid it would be the largest ransom ever paid in response to a cyberattack. The Kaseya incident is also one of the largest known cyber-attacks so far. Its scope is alarming in terms of sophistication, scale and the total cost businesses will incur to recover or work around their encrypted data, a cost they bear whether or not the ransom is paid.
Biden Orders Investigation
President Joe Biden has directed US intelligence agencies to investigate the REvil ransomware attack, which hit at least 200 companies using the Kaseya VSA platform. According to the Guardian, Biden wants to establish whether the Russian government was involved, and he stated that the US will respond if the attack is later linked to Russia. He said:
“Our original thought was it wasn’t the Russian government, but we’re not sure.”