The biggest global ransomware attack yet continued to bite Monday as details emerged on how the Russia-linked gang responsible breached the company whose software was the conduit. In essence, the criminals used a tool that helps protect against malware to spread it widely.
An affiliate of the notorious REvil gang, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
REvil was demanding ransoms of up to $5 million. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency. It wasn’t clear who they expected might pay that amount.
Victims of the Kaseya hack
A broad array of businesses and public agencies were affected, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported.
Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up.
Kaseya explained that ‘fewer than 60’ of its customers were impacted. But many of those customers are managed service providers managing the IT infrastructure for other businesses. Those 60 impacted customers translated to ‘about 800 to 1,500’ downstream businesses compromised, according to Kaseya.
What is the Biden Administration doing?
Biden suggested Saturday the U.S. would respond if it were determined that the Kremlin is at all involved.
On Sunday, Deputy National Security Advisor Anne Neuberger issued a statement saying President Joe Biden had “directed the full resources of the government to investigate this incident” and urged all who believed they were compromised to alert the FBI.
On Wednesday, Biden called top security officials into the situation room to discuss the recent cyberattacks. He says the damage done in the Kaseya breach is minimal, but he has a wide range of options if he decides to take action against hacking groups.
What is Kaseya doing?
Kaseya is working with law enforcement and government cybersecurity agencies in the US, including the FBI, and the Cybersecurity and Infrastructure Security Agency.
While SaaS services were expected to be brought back online, one by one starting with the EU, UK and APAC data centres on July 5, an update from Kaseya on July 7 (US time) said an ‘issue’ was discovered during the VSA SaaS deployment, blocking the release.
Kaseya recently sent an email saying “Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments.
Do not click on any links or download any attachments claiming to be a Kaseya advisory.
Moving forward, all new Kaseya email updates will not contain any links or attachments.”
So what can you do?
This Kaseya hack shows the importance of a defense in depth approach, given cyber security attacks can happen in a variety of ways.
Having a step-by-step plan will help you take control of the situation if the worst were to happen and will help reduce the impact on your business.
“Hope” is not a strategy! Make Sure You Are Brilliantly Prepared For A Cyber-Attack By Requesting A FREE Cyber Security Risk Assessment Today!