What Happened in the Kaseya Ransomware Breach That Impacted So Many Companies

It seems as if there’s no shortage of ransomware news. At the beginning of May 2021, there was a major attack on Colonial Pipeline that caused widespread gasoline shortages across the East Coast because the pipeline was shut down for six days.

Then, over the Memorial Day weekend, the world’s largest meat processor, JBS, was hit with ransomware and had to shut down several plants in the US and other countries for multiple days.

Both of those attacks were on single companies. But as we saw, when just one company is hit, the ripple effect can reach thousands.

The latest attack, and one with a true one-to-many impact, was the one on remote-management software provider Kaseya. Instead of a single company being infected with ransomware, the Kaseya attack reached somewhere between several hundred and about 1,500 downstream businesses.

It’s important to know exactly what happened so you can use that information to inform your IT security measures and ensure you’re not part of the next major ransomware news story.

The Kaseya Ransomware Attack: What Happened?

On July 2nd, 2021, IT management software developer Kaseya was hit with a ransomware attack. The attackers were the Russia-linked REvil (also called Sodinokibi) ransomware-as-a-service group, the same group blamed for the JBS attack.

What made this attack more dangerous than one that hits a single company is that Kaseya makes a tool that managed service providers (MSPs) use for remote monitoring and management (RMM) of their business clients’ computers. An RMM tool has, by design, the ability to push and run software on every endpoint it manages.

Each of those MSPs had many business clients, and every compromised VSA server pushed the ransomware to all of the endpoints it managed, so the attack reached far beyond the servers the attackers touched directly. Even though Kaseya says that fewer than 60 of its customers, well under 0.1%, were directly compromised, it’s estimated that between 800 and 1,500 small to mid-sized companies that used managed services from those MSPs were encrypted.

This is what produced such a large ripple effect: a software vendor’s product was attacked, a vulnerability in that product was exploited, and the product’s own update and remote-execution features carried the payload to the vendor’s customers’ customers.

The attack on Kaseya targeted the company’s VSA software, which is the unified remote monitoring and management tool it provides to MSPs. 

When this attack happened, Kaseya reacted swiftly: it urged its on-premises customers to shut down their VSA servers immediately to prevent spread to other companies, and took its own SaaS servers offline as a precaution. On its webpage providing updates on the attack, the company stated, “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.”

Kaseya kept VSA offline while it built and tested a fix. The patched on-premises release (VSA 9.5.7a) was published on July 11th, about nine days after the attack, at the same time as its SaaS servers were brought back online.

Supply Chain Attack

The attack is described as a supply chain attack because the attackers didn’t break into each victim individually. They compromised a trusted vendor’s product and used the trust the victims already placed in it, specifically VSA’s ability to push software to thousands of managed computers, to reach them all at once.

The vulnerabilities involved a bypass of the authentication system in the Kaseya VSA web interface (tracked as CVE-2021-30116), chained with arbitrary file upload and code injection flaws. The Dutch Institute for Vulnerability Disclosure (DIVD) had reported the flaws to Kaseya before the attack, and a fix was being tested but had not yet shipped. With authenticated access to an internet-facing on-premises VSA server, the attackers could use VSA’s own agent-procedure feature to push files and commands to every endpoint that server managed.

The payload was delivered as a fake update: a VSA agent procedure named to look like a “Kaseya VSA Agent Hot-fix”. On each endpoint, the procedure disabled Windows Defender protections with PowerShell, used the built-in certutil.exe to decode a file dropped as agent.crt into agent.exe, and then ran it. That dropper wrote an old but legitimately signed Microsoft Defender binary (MsMpEng.exe) alongside a malicious mpsvc.dll, so the trusted binary side-loaded the REvil encryptor. No exploit of the endpoints themselves was needed; the RMM tool delivered and ran the malware exactly as it would a real update.

Kaseya noted that no SaaS customers were impacted; only customers running the on-premises version of VSA, which is typically exposed to the internet so that agents can reach it, were hit.
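As an added illustration (not code from the original article, and not Kaseya’s), here is a small Python detector that runs the published behavioural indicators of the July 2021 VSA deployment over constructed Windows process-creation events shaped like Sysmon Event ID 1 records. The sample events, the rule weights and the threshold are constructed for the example; the behaviours it looks for (Defender disabled with `Set-MpPreference`, `certutil -decode` turning a `.crt` into an `.exe`, `MsMpEng.exe` running outside a Defender directory, and the Kaseya agent process `AgentMon.exe` spawning a shell) are the ones reported in public analyses of the attack.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 would give you)."""
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry (not captured from a real incident), modelled on the
# sequence described in public write-ups of the July 2021 VSA attack.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true '
              '-DisableIOAVProtection $true -DisableScriptScanning $true"'),
    ProcEvent(r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c certutil.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"),
    ProcEvent(r"c:\kworking\agent.exe",
              r"C:\Windows\MsMpEng.exe",
              r"C:\Windows\MsMpEng.exe"),
    # Routine RMM activity that looks similar but is benign (a scheduled script).
    ProcEvent(r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c ping -n 1 127.0.0.1 > nul"),
    # The real Defender engine, running from its normal location.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5\MsMpEng.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5\MsMpEng.exe"),
]


def defender_disabled(e):
    """PowerShell turning off Defender features: Set-MpPreference -Disable... $true."""
    c = e.cmdline
    return "set-mppreference" in c.lower() and re.search(r"-Disable\w+\s+\$true", c, re.I) is not None


def certutil_decode_to_executable(e):
    """Living-off-the-land decode of a base64 blob straight into an executable."""
    c = e.cmdline.lower()
    return "certutil" in c and "-decode" in c and re.search(r"\.(exe|dll)\b", c) is not None


def msmpeng_outside_defender_dir(e):
    """A copy of the signed Defender engine running from anywhere other than a Defender
    directory is the classic side-loading setup (it loads mpsvc.dll from its own folder)."""
    img = e.image.lower()
    return img.endswith("\\msmpeng.exe") and "\\windows defender\\" not in img


def rmm_agent_spawned_shell(e):
    """Low-fidelity context: the RMM agent launching a shell. Normal for an RMM, but it is
    the delivery path, so it nudges the score of anything else on the same host."""
    child = e.image.lower().rsplit("\\", 1)[-1]
    return e.parent.lower().endswith("\\agentmon.exe") and child in ("cmd.exe", "powershell.exe")


# Rule name -> (predicate, weight). Weights are constructed for the example.
RULES = {
    "defender_disabled": (defender_disabled, 40),
    "certutil_decode_to_executable": (certutil_decode_to_executable, 40),
    "msmpeng_outside_defender_dir": (msmpeng_outside_defender_dir, 50),
    "rmm_agent_spawned_shell": (rmm_agent_spawned_shell, 5),
}


def evaluate(events):
    """Return the (rule_name, event_index) pairs that fired, in event order."""
    return [(name, i) for i, e in enumerate(events)
            for name, (pred, _) in RULES.items() if pred(e)]


def score(events):
    """Sum the weights of every rule hit across the host's events."""
    return sum(RULES[name][1] for name, _ in evaluate(events))


def is_suspicious(events, threshold=50):
    """At or above the threshold: isolate the host and pull the VSA procedure log."""
    return score(events) >= threshold


if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name:32} event {idx}: {SAMPLE_EVENTS[idx].cmdline}")
    print("score:", score(SAMPLE_EVENTS), "suspicious:", is_suspicious(SAMPLE_EVENTS))
```

The agent-spawned-shell rule deliberately carries almost no weight on its own: an RMM agent running cmd.exe is what RMM agents do all day, and a rule that fired on that alone would be muted within an hour. What made the VSA deployment recognisable was the combination on one host within minutes: Defender switched off, certutil decoding into an executable, and a copy of MsMpEng.exe appearing outside the Defender directory. Scoring the host rather than the single event is what lets the cheap context rule help without drowning the analyst.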

How Can You Protect Your Company from Ransomware?

The Kaseya breach is just another example of the damaging impact of ransomware. This type of malware has become quite lucrative for criminals and state-sponsored groups because a majority of companies end up paying the ransom.

In 2020, 68% of U.S. ransomware victims paid the ransom to the attacker.

Here are ways you can ensure your business is properly protected from ransomware.

Ensure All Data is Backed Up & Check Your Backup

Make sure you have a reliable backup and recovery system in place and check your backups regularly. Backups fail for many reasons if they’re not monitored: jobs silently stop, disks fill up, files are skipped or corrupted. You don’t want to find out during an attack that you only have part of your data. Keep at least one copy offline or on immutable storage that the backup host’s own credentials cannot delete, because ransomware operators routinely look for and destroy any backups they can reach before encrypting, and test an actual restore rather than trusting the job’s success status.
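To make “check your backup” concrete, here is an added Python example (not from the original article) that hashes every file in a backup set into a manifest at backup time and later re-verifies the set against a trusted copy of that manifest, flagging missing files, silently corrupted files, and a backup older than the recovery point you can afford. The directory layout, file contents and 24-hour threshold are constructed for the demo.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    """Stream a file through SHA-256 so large archives don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, created_at=None):
    """Record the SHA-256 of every file in the backup set when the job finishes.
    Keep a copy of the returned manifest somewhere the backup host cannot overwrite."""
    backup_dir = Path(backup_dir)
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[str(p.relative_to(backup_dir))] = sha256_file(p)
    manifest = {"created_at": time.time() if created_at is None else created_at,
                "files": files}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir, manifest, max_age_hours=24, now=None):
    """Re-hash the backup set against a trusted manifest. 'ok' is True only when every
    file is present, every hash matches, and the set is younger than max_age_hours."""
    backup_dir = Path(backup_dir)
    now = time.time() if now is None else now
    report = {"missing": [], "corrupt": [], "stale": False, "checked": 0}
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        report["checked"] += 1
        if sha256_file(p) != expected:
            report["corrupt"].append(rel)
    report["stale"] = (now - manifest["created_at"]) / 3600 > max_age_hours
    report["ok"] = not (report["missing"] or report["corrupt"] or report["stale"])
    return report


def demo():
    """Constructed scenario: a three-file backup where one file rots and one goes missing."""
    t0 = 1_000_000  # constructed backup timestamp
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "crm.sql").write_bytes(b"-- constructed sample dump\n")
        (root / "files.tar").write_bytes(b"A" * 4096)
        (root / "notes.txt").write_text("constructed sample")
        manifest = write_manifest(root, created_at=t0)
        good = verify_backup(root, manifest, now=t0 + 3600)
        (root / "files.tar").write_bytes(b"B" * 4096)  # bit rot or a truncated copy
        (root / "notes.txt").unlink()                   # a file the job never copied
        bad = verify_backup(root, manifest, now=t0 + 3600)
        old = verify_backup(root, manifest, now=t0 + 48 * 3600)
        return good, bad, old


if __name__ == "__main__":
    for label, report in zip(("fresh", "damaged", "stale"), demo()):
        print(label, report)
```

The trusted manifest has to live somewhere the backup host’s credentials cannot alter (object storage with object lock, or a write-once copy pulled by a separate system); if it sits next to the backup, ransomware that encrypts one can rewrite the other. Hash checks catch rot and truncated copies, but they do not prove the data restores into a working system, so pair them with a periodic scripted restore of one server into an isolated network.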

Create & Practice a Ransomware Response Plan

Many of the companies that end up paying the ransom have no ransomware response plan. With no game plan to execute, they can’t remediate the attack quickly and end up at the mercy of the attacker.

A ransomware response plan can ensure that your team springs into action and knows exactly what to do in the case of an attack. 

One thing that helped limit the damage, which could have been much worse, was that Kaseya acted swiftly: it took its SaaS service offline and told every on-premises customer to shut down their VSA servers, which stopped compromised servers from pushing the payload to any more endpoints.

Institute Strong Phishing Protection

Many ransomware attacks begin with phishing. An unsuspecting employee opens a malicious link or attachment in a fake email and unknowingly triggers the attack.

Keep phishing at the top of your IT security list and put protections in place, such as:

  • DNS filtering
  • Email filtering
  • Antivirus/anti-malware
  • Proactive zero-trust network security
  • Ongoing employee awareness training
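As an added example (not from the original article), here is a Python check of the kind an email filter applies after SPF and DKIM have been evaluated: it reads the Authentication-Results header stamped by your own mail server and quarantines any message whose visible From domain is not backed by an aligned SPF or DKIM pass, which is what defeats the “CEO asks for an urgent wire” spoof. The four messages, the `mx.example.com` authserv-id, and the two-label organizational-domain shortcut are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed identity of our own receiving MX; only its Authentication-Results stamps are trusted.
TRUSTED_AUTHSERV_ID = "mx.example.com"

# Constructed sample messages (not real mail).
LEGIT = """From: Alerts <alerts@example.com>
To: it@example.com
Subject: Nightly backup report
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass

Backup completed.
"""

SPOOFED_CEO = """From: "Jane CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=fail (sender IP 203.0.113.7) smtp.mailfrom=mailer.attacker.test; dkim=none
Authentication-Results: mail.attacker.test; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Please pay the attached invoice today.
"""

UNALIGNED_BULK = """From: HR <hr@example.com>
To: all@example.com
Subject: Open enrollment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces.bulkmailer.test; dkim=pass header.d=bulkmailer.test

Enrollment opens Monday.
"""

SUBDOMAIN_DKIM = """From: News <news@example.com>
To: all@example.com
Subject: Monthly newsletter
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce.esp.test; dkim=pass header.d=mail.example.com

Read all about it.
"""


def org_domain(domain):
    """Approximate the organizational domain as the last two labels. Assumption for the
    example: a production evaluator uses the Public Suffix List so example.co.uk works too."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(a, b, strict=False):
    """DMARC identifier alignment: strict = exact match, relaxed = same organizational domain."""
    return a.lower() == b.lower() if strict else org_domain(a) == org_domain(b)


def trusted_auth_results(msg, authserv_id=TRUSTED_AUTHSERV_ID):
    """Keep only Authentication-Results headers our own MX added. A sender can include
    forged ones, so anything carrying a foreign authserv-id is ignored."""
    return [v for v in msg.get_all("Authentication-Results", [])
            if v.strip().lower().startswith(authserv_id.lower())]


def dmarc_verdict(raw_message, strict=False):
    """Decide deliver/quarantine the way a DMARC p=quarantine policy would: pass only if SPF
    or DKIM passed AND the passing identifier aligns with the visible From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not from_domain:
        return "quarantine", "no From domain"
    ar = " ".join(trusted_auth_results(msg))
    spf = re.search(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=([\w.@-]+)", ar, re.I)
    dkim = re.search(r"\bdkim=(\w+)[^;]*?\bheader\.d=([\w.-]+)", ar, re.I)
    reasons = []
    if spf and spf.group(1).lower() == "pass":
        mailfrom_domain = spf.group(2).rpartition("@")[2]
        if aligned(from_domain, mailfrom_domain, strict):
            return "deliver", "spf aligned"
        reasons.append(f"spf passed for unaligned {mailfrom_domain}")
    else:
        reasons.append("spf not pass")
    if dkim and dkim.group(1).lower() == "pass":
        if aligned(from_domain, dkim.group(2), strict):
            return "deliver", "dkim aligned"
        reasons.append(f"dkim passed for unaligned {dkim.group(2)}")
    else:
        reasons.append("dkim not pass")
    return "quarantine", "; ".join(reasons)


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed ceo", SPOOFED_CEO),
                      ("unaligned bulk", UNALIGNED_BULK), ("subdomain dkim", SUBDOMAIN_DKIM)):
        print(f"{name:15} relaxed={dmarc_verdict(raw)} strict={dmarc_verdict(raw, strict=True)}")
```

Two details matter in practice. First, only Authentication-Results headers added by your own MX can be trusted, which is why the forged header in the spoofed message is dropped before it is read. Second, a plain SPF pass is not enough: bulk mailers and attackers alike can pass SPF for a domain they control, so the passing identifier has to align with the From domain the employee actually sees. Relaxed alignment lets a legitimate newsletter signed by mail.example.com through; strict alignment would quarantine it, which is a trade-off to decide per domain.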

Is It Time for an IT Security Assessment?

IT security needs to be assessed regularly to ensure your safeguards are keeping up with the latest threats. Onsite Techs of Rhode Island can help you with a full assessment and let you know if we spot any potential security vulnerabilities. 

Contact us today to schedule a consultation at 401-773-7766 or book a video call now.