On July 2, 2021, a ransomware gang (REvil) likely located in Eastern Europe or Russia deployed a ransomware attack on a remote monitoring and management software product called VSA, developed by Kaseya, an IT management software company. By unleashing ransomware that exploited zero day vulnerabilities in this software, this ransomware gang impacted about 1,500 businesses.
We’ve distilled a few of the most important points about this ransomware attack along with what you can do to protect yourself from future attacks, even if this particular attack doesn’t directly affect you.
Kaseya Ransomware Attack Facts
- Only Kaseya customers that use VSA’s on-premise version of the software were affected by the attack: According to Kaseya, only about 60 customers were impacted by the ransomware attack. However, about 40 of those customers were managed service providers (MSPs) who deploy VSA to clients for monitoring and managing their IT systems. Luckily, the scope of the attack was limited to businesses that had the software installed on physical servers located on their premises. Businesses using the cloud version of VSA were unaffected.
- No critical infrastructure was impacted: Unlike previous major cyberattacks (such as SolarWinds or Colonial Pipeline), no critical infrastructure was impacted by this attack. The most significant impacts included Coop (a major grocery store chain in Sweden) and schools in New Zealand.
- While this is the largest ransomware attack in history, its impact was limited: Obviously, as the largest ransomware attack in history, this attack is concerning and could serve as a precursor to deadlier attacks in the future. However, this attack’s damage was limited and did not have a devastating national security, economic, or societal impact.
- This attack did not originate with a phishing email: Usually, ransomware attacks begin when a user clicks on a malicious link or attachment in a phishing email. This was a sophisticated attack that did not need a phishing email to succeed.
- REvil was also responsible for the JBS S.A. cyberattack in May: JBS S.A. is a global multibillion dollar meat processing company that was forced to cease operations at many of its slaughterhouses, leaving thousands of workers unable to work. The company ended up paying an $11 million ransom to REvil.
While the Kaseya cyberattack did not impact any VC3 clients, it is an example of how ongoing cybersecurity threats continue to make national headlines and devastate organizations. Because you never know what the next attack will bring or how it will occur, it’s good to review some lessons from this attack that may help you fend off the next ransomware attack on your organization.
- Perform independent security testing on any software tools running in your environment: VC3 performs its own security testing against our tools to minimize the chance of a tool being compromised. Never assume that third-party tools are automatically secure. Independently verify.
- Hold vendors to strict security standards: Third-party vendors are more vulnerable than ever today. As in the case of VSA, many cybercriminals will attack the supply chain in order to find a way into your network. VC3 holds its vendors to strict security standards to minimize the risk that their code is compromised (similar to what happened during the Kaseya or SolarWinds incidents).
- Deploy EDR in your environment: This most recent cybersecurity incident further enforces the critical importance of EDR, which we began to roll out to clients last month. Focused on a single “endpoint device” (such as a server or computer), EDR looks for security threats that may have already gotten inside your devices by watching for behavior and activity that looks suspicious.
- Back up your data: A data backup and disaster recovery solution is essential when waves of cyberattacks constantly barrage organizations. Not only should you have data backup to account for both small incidents (like a server failure) and major disasters (such as ransomware), but you should also “air gap” your backup. That means to make sure your data backup exists in a place physically disconnected from your network. Otherwise, a cybercriminal with access to your network can find and infect your data backups too.
- Keep software patched: Whether cloud or on-premises software, you need to stay up on software patching. True—the Kaseya cyberattack exploited a zero day vulnerability for which a patch did not exist. However, staying up on software patching is important when cyberattackers decide to exploit known vulnerabilities, as they did with Microsoft Exchange back in March.
- Use multi-factor authentication (MFA): Provide MFA at all access points to your network such as remote access software, email, VPN, cloud services, etc. MFA requires another step (such as inputting a code sent to your phone) that makes it difficult for a hacker to enter your systems.
- Set strong user access and authorization policies: In a recent blog post, we discussed best practices such as establishing clarity around business access needs including specific people’s needs to access data (such as following the principle of least privilege). You should also have strong password policies and work with your IT provider to monitor and control user accounts.
While there is no way to ensure an organization will never be breached, VC3 continues to invest in tools and resources to minimize the risk—keeping organizations and their data secure. As cyber threats continue to evolve, we continue to diligently work to stay ahead of the cyberattackers and provide tools that are consistent with guidance from industry best practices as well as the highest levels of the federal government.
If you have any questions about the Kaseya ransomware attack or want to talk about your cybersecurity needs in an ever-changing, ever-evolving environment, reach out to us through the form below.