Last week, hackers gained access to an information technology firm and deployed a ransomware attack, stealing data from over a thousand businesses and demanding $70m in payment for its return.

The Kaseya hack is already being referred to as “the biggest ransomware attack on record,” affecting hundreds of businesses globally, including supermarkets in Sweden and schools in New Zealand.

Cybersecurity teams have been working round the clock to regain control of the stolen data while the Biden administration decides how to react.

Companies who use Kaseya’s systems are being warned to watch out for phishing emails that contain malicious links and attachments disguised as updates.

What happened?

Hackers infiltrated Kaseya, a managed service provider based in Florida, accessed its customer data and demanded a ransom for the data’s return.

Kaseya provides remote IT management software, usually for small companies without their own tech departments. Its customers rely on Kaseya to send them regular updates to keep their systems secure. However, in a recent update the safety features were undermined so that malicious software could be pushed out to customers’ systems.

Neil Gurnhill, CEO of Node International and cybersecurity expert, explains why hackers chose to target Kaseya, attacking the companies that used their services through a trusted channel.

“Hackers understand the art of leverage. No leverage, no ransom settlement. This is why they target infrastructure. This environment gives them a ton of leverage meaning the probability of their ransom demands being met is far higher.”

Who was impacted?

Between 800 and 1,500 businesses were negatively impacted by the hack, although independent researchers suspect it’s closer to 2,000. There are at least 145 victims in the US, according to Sophos Labs, including local and state governments and agencies as well as small and medium-sized businesses.

Joe Biden said that while a number of smaller US businesses might have felt the effects of the hack, not many domestic companies had been affected.

“It appears to have caused minimal damage to US businesses, but we’re still gathering information,” Biden told reporters following a briefing from advisers. “I feel good about our ability to be able to respond.”

The disruption has been more severe in other countries. In Sweden, hundreds of supermarkets had to close when their cash registers were rendered inoperative, and in New Zealand many schools and kindergartens were knocked offline.

Who are the hackers?

Affiliates of the Russian hacker group REvil have claimed responsibility for the attack. Just weeks ago, REvil were also responsible for the major ransomware attack on JBS, a global meat producer, crippling the company and its supply until it paid an $11m ransom.

REvil has quickly become a full-scale operation, offering “ransomware as a service” and even offering customer service hotlines to assist victims in paying ransoms.

Gurnhill said: “Cloud environments and SaaS have brought unquestionable benefits to organisations’ IT infrastructure and security resilience. However, this means they are reliant on the provider that they have zero insight or influence over.

Also through no fault of your own, if your 3rd party provider has an issue you are on the hook for all relevant corrective measures and possible liabilities.”

What happens next?

Kaseya’s chief executive officer, Fred Voccola, told Reuters he could not confirm whether Kaseya would pay the $70m ransom, negotiate with the hackers for a lower cost or refuse to pay completely. 

Gurnhill explained that while this is a staggering number, the highest cyber ransom demand we’ve ever seen, ransoms are not a new concept. 

“Historically the largest ransom ever paid was for Atahualpa, the last emperor of the Incas, to the Spanish conquistador Francisco Pizarro in 1532-3 which constituted a hall full of gold and silver, worth in modern money $1.5 billion.”

Nowadays, ransoms are paid in bitcoin and instead of emperors it’s often data and access to vital systems that are being held to ransom.

In addition to the attacks by REvil on Kaseya and JBS in recent weeks, another Russia-linked group in May attacked the US fuel transporter Colonial Pipeline.

As attacks escalate, the Biden administration has discussed its domestic and international responses. The White House press secretary, Jen Psaki, said “As the president made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors in Russia, we will take action or reserve the right.”

She also said that senior US officials would meet their Russian counterparts next week to discuss the ransomware problem.

Watch out for fake updates

Now, Kaseya is warning its customers about an ongoing phishing campaign that attempts to breach their networks.

Kaseya issued an alert saying: “Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments.”

“Do not click on any links or download any attachments claiming to be a Kaseya advisory. Moving forward, Kaseya email updates will not contain any links or attachments.”

The phishing emails warn victims that they should “install the update from Microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya”, according to a blog post by Malwarebytes.

Avoid these emails and always go to the source: Kaseya’s website or its contact number.
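Kaseya’s advisory gives defenders a simple mail-triage rule: a message presenting itself as a Kaseya notice should carry no links and no attachments. The following added example (not code from the article or from Kaseya) applies that rule with Python’s standard email parser to two constructed messages, one built from the lure wording quoted above and one matching what a compliant notice would look like; the sender domains and attachment name are made up.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
# Constructed sample, not a real message: the lure wording from the Malwarebytes post plus a
# link and an executable attachment, the two things Kaseya says its own updates never carry.
PHISHING_SAMPLE = """\
From: "Kaseya Security" <alerts@kaseya-update.example>
Subject: Urgent: Kaseya security update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the update from Microsoft to protect against ransomware as soon as possible.
This is fixing a vulnerability in Kaseya: http://kaseya-update.example/patch
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="SecurityUpdate.exe"

placeholder-attachment-bytes
--b1--
"""
# Constructed sample of a compliant notice: plain text, no links, no attachments.
LEGIT_SAMPLE = """\
From: "Kaseya Support" <support@kaseya.example>
Subject: Kaseya incident update
Content-Type: text/plain

This notice contains no links or attachments. Visit the Kaseya website directly for details.
"""

def body_text(msg):
    # Concatenate the text parts that are not attachments.
    out = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def triage(raw_message):
    # Kaseya's rule: a message presenting itself as a Kaseya notice carries no link or attachment.
    msg = message_from_string(raw_message)
    body = body_text(msg)
    about_kaseya = "kaseya" in (msg.get("Subject", "") + msg.get("From", "") + body).lower()
    findings = {"links": URL_RE.findall(body),
                "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()]}
    reasons = [f"Kaseya-themed message carries {kind}" for kind, hits in findings.items() if about_kaseya and hits]
    return {"suspicious": bool(reasons), "reasons": reasons, **findings}
```

A mail gateway or SOC script would quarantine or flag anything `triage` marks suspicious and route the user to Kaseya’s website or phone line instead.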

The latest update – 04/08/2012

Kaseya has released a statement saying they didn’t pay the $70m ransom demanded by hackers and have acquired a third-party decryption key. 

“As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”

Kaseya has been providing the decryptor to their customers to help recover their encrypted data.

“The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack.”
