Just when you thought ransomware demands had already redlined the ludicrous gauge, the needle got pushed even further. This time, the main target was an IT solutions software provider named Kaseya. Kaseya has an international headquarters in Dublin, Ireland, a US headquarters in Miami, and a presence in 10 countries. They provide software for Managed Service Providers (MSPs) who service thousands of small to medium-sized businesses (SMBs), which allowed the fingers of this ransomware attack to reach an estimated 800 to 1,500 of the companies relying on MSPs using Kaseya’s software. The attack was launched on July 2, 2021 (the Friday before the 4th of July holiday weekend) by a well-known organized ransomware group called REvil, based out of Russia, which was most recently in the news for the JBS ransomware attack that saw them paid off to the tune of $11 million.
How Did the Hackers Do it?
By exploiting a zero-day vulnerability in the VSA server software, REvil compromised on-premises Kaseya VSA (Virtual System Administrator) servers run by MSPs, and through them the VSA agents installed on the endpoints of the MSPs’ customers. This was a home run for REvil on a few fronts.
Most importantly, they got their foot in the door at a hub, Kaseya’s remote-management platform, that had trusted status and a direct channel to thousands of companies through its software. Because of that trusted status, REvil could deliver its malicious payload straight to thousands of companies while sidestepping anti-malware protection, since Kaseya’s software requires clients to add anti-virus exclusions when they install the VSA agents needed to receive their MSP’s services. And as if to rub salt in the wound, REvil dropped its payload by pushing it out from each compromised VSA server to the agents it managed, disguised as a security update in an agent procedure named "Kaseya VSA Agent Hot-fix." Since REvil came in through a trusted channel and landed in a path the anti-virus had been told to ignore, the payload was effectively whitelisted: no alarms, no notifications, nothing from the very tools meant to catch it. The attack went unnoticed until it was too late for everyone involved, Kaseya and their clients alike.
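The lesson of that push is that a management channel you have told your anti-virus to trust needs its own monitoring. As an added example, not from the original post and not Kaseya’s own tooling, the script below runs a simple mass-push detector over constructed agent-procedure audit lines: it flags any procedure fired at an unusually large number of agents inside a short window, and raises the severity when the procedure is not on the MSP’s reviewed allowlist or starts in the Friday-afternoon-or-weekend gap this post warns about. The log format, field names, allowlist, thresholds and sample lines are all assumptions made for illustration.

```python
"""
Added example, not from the original post and not Kaseya's own tooling:
a detector for a mass push through a trusted RMM channel, run over
constructed agent-procedure audit lines. The log format, field names,
procedure allowlist and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit line shape: <timestamp> procedure="<name>" actor=<user> target=<agent id>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'procedure="(?P<proc>[^"]+)" actor=(?P<actor>\S+) target=(?P<target>\S+)$'
)

# Procedures the MSP deliberately created and reviewed (assumed allowlist).
KNOWN_PROCEDURES = {"Weekly Disk Cleanup", "Monthly Patch Scan"}


def build_sample_log():
    """Constructed sample: three routine runs in the morning, then one
    procedure fired at 60 agents within two minutes on a Friday afternoon."""
    lines = []
    for i in range(1, 4):
        lines.append(f'2021-07-02 09:15:0{i} procedure="Weekly Disk Cleanup" '
                     f'actor=msp-admin target=ws-{i:04d}')
    base = datetime(2021, 7, 2, 14, 30, 0)  # Friday, July 2, 2021
    for i in range(1, 61):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f'{ts} procedure="Kaseya VSA Agent Hot-fix" '
                     f'actor=msp-admin target=ws-{i:04d}')
    return lines


def parse_log(lines):
    """Turn audit lines into event dicts; unparseable lines are skipped
    rather than allowed to crash the detector."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proc": m["proc"], "actor": m["actor"], "target": m["target"],
        })
    return events


def max_fanout(runs, window):
    """Largest number of distinct targets one procedure reached inside any
    window of the given length. runs: list of (timestamp, target)."""
    runs = sorted(runs)
    best = 0
    for i, (start, _) in enumerate(runs):
        targets = {t for ts, t in runs[i:] if ts - start <= window}
        best = max(best, len(targets))
    return best


def find_mass_pushes(events, known=KNOWN_PROCEDURES,
                     window=timedelta(minutes=10), fanout_threshold=25):
    """Alert on any procedure whose fan-out exceeds the threshold; an
    unreviewed name or off-hours start raises the severity."""
    by_proc = defaultdict(list)
    first_seen = {}
    for e in events:
        by_proc[e["proc"]].append((e["ts"], e["target"]))
        first_seen[e["proc"]] = min(first_seen.get(e["proc"], e["ts"]), e["ts"])

    alerts = []
    for proc, runs in by_proc.items():
        n = max_fanout(runs, window)
        if n < fanout_threshold:
            continue
        reasons = [f"{n} distinct agents within {window}"]
        if proc not in known:
            reasons.append("procedure not in reviewed allowlist")
        start = first_seen[proc]
        # Friday afternoon or weekend: the staffing gap attackers aim for.
        if start.weekday() >= 5 or (start.weekday() == 4 and start.hour >= 12):
            reasons.append("started on a Friday afternoon or weekend")
        alerts.append({
            "procedure": proc, "fanout": n, "first_seen": start,
            "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_mass_pushes(parse_log(build_sample_log())):
        print(f'[{alert["severity"].upper()}] {alert["procedure"]}: '
              + "; ".join(alert["reasons"]))
```

Run as-is, the script reports the constructed hot-fix push as a high-severity alert and stays silent on the routine cleanup job. In practice the fan-out threshold should be set from your own baseline of how many endpoints a legitimate procedure normally touches per run, and the alert should page someone who is actually on call over the weekend.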
They Want How Much?
When REvil demanded $50 million from Apple after a successful attack on one of Apple’s main suppliers, Quanta, back in April (the word is mum on if or what was actually paid), heads were exploding across the corporate world. A month earlier, in March, REvil had cracked computer manufacturer Acer with another $50 million ransom demand. Then in May, Colonial Pipeline paid up $4.4 million (thankfully, over $2 million has since been recovered by the FBI). May also saw the global meat processing giant JBS cough up $11 million to REvil to get their systems back up and running. This time, the demand made of Kaseya is a whopping $70 million in Bitcoin! What’s really crazy is that REvil seems to be having trouble keeping up with its own explosive success: it is hard to launder and move that much money without getting caught and losing the bounty. So this time, instead of going through the hassle of extorting the individual companies compromised in the Kaseya attack one by one, they are going for a blanket agreement: for $70 million, they will give up the decryption keys for everyone infected. Time will tell how this story ends.
There’s Nothing Arbitrary About the Timing of These Attacks
Make no mistake, these ransomware attacks are not happening on days chosen by throwing a dart at a calendar; they are happening at times when IT departments are most lightly staffed. The Colonial Pipeline attack was Friday, May 7. JBS was hacked over Memorial Day weekend. Now, on the Friday heading into the 4th of July weekend, Kaseya goes down. The point we’re making is that Fridays and holidays are prime time, and you can’t let your guard down. If you receive a notification on a weekend or a holiday, take it seriously and react right away. As ridiculous as it sounds, calling your weekend cleaning crew and telling them to destroy your router with a mop is a better play than ignoring it and doing nothing. Time is on the hacker’s side at that point, not yours, so respond accordingly. The best course of action, obviously, is to immediately contact a capable and proven Emergency Incident Response team so they can spring into action as quickly as possible to minimize the damage and thoroughly investigate the incident to determine the what, where, when and how bad of the event.
GDF Can Help
GDF’s vulnerability assessments and penetration tests are designed to see where your cybersecurity posture stands right now. We will review policies and procedures to identify patch management issues, use threat signature databases updated to detect the latest threats during our testing, and test for existing intrusions and compromises. We can also help you in multiple ways from an Emergency Incident Response perspective, from helping you create, review and maintain an effective emergency response plan, to getting boots on the ground to respond to your breach or intrusion with our Emergency Response Teams, strategically positioned around the country to give you unrivaled response times. We even have remote options available using agents which can be deployed across tens of thousands of endpoints enterprise-wide in as little as two hours, with all the components up and running within 24 hours. Once a threat is detected, the network is analyzed and the unique automated response and cross-system remediation capabilities spring into action, remediating the threat in real time. Your systems will also be constantly monitored by a 24/7 SOC team and constantly updated with front-line security intelligence to ensure rapid response. For our vulnerability assessment and penetration testing clients, we also offer no-retainer SLAs (Service Level Agreements), so you can have GDF waiting in the wings to respond to your emergency without paying anything if no emergency incident occurs, since we will already be intimately familiar with your unique cybersecurity posture and requirements from our assessments and testing.
So call GDF at 1-800-868-8189 today, or fill out the form below and we’ll contact you, and let’s get started.
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cybersecurity and emergency incident response, with years of experience assisting clients in the government, banking, legal, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to call 1-800-868-8189 for immediate help. For more information, visit GDF's cybersecurity page.