Lessons Learnt from the Kaseya Ransomware Attack

Mark Bird

Head of Cyber Incident Response, Pragma


The recent ransomware attack on Kaseya resulted in well over 1,000 organisations downstream of Kaseya's software being hit with ransomware. We have summarised what you need to know about the attack and shared insights from our Cyber Incident Response Team in this article.

About Kaseya
Kaseya is an IT management software vendor with around 40,000 customers worldwide, primarily Managed Service Providers (MSPs) and small-to-medium sized businesses (SMBs), who use its products to run their IT environments: IT automation, patch management, anti-virus, software deployment and other security services.

What happened in the ransomware incident?

Kaseya's on-premises offering requires customers to run VSA servers inside their own networks. Kaseya VSA (Virtual System Administrator) is a remote monitoring and management (RMM) platform: the VSA server controls endpoints through an agent installed on each machine, and an MSP typically uses a single VSA server to administer the endpoints of many downstream customers. It is popular because one administrator can patch, monitor and deploy software to thousands of machines from one console. That same reach is what made it so valuable to the attackers: whoever controls the VSA server can run code on every endpoint it manages.

On the 2nd of July 2021, Kaseya was informed that customers experienced unusual behaviour on endpoints managed by the Kaseya VSA server and several machines were subject to a ransomware attack.

The indication was that the threat actors exploited a zero-day vulnerability in the customer-run on-premises VSA servers, meaning no patch was available to customers at the time it was exploited. Since the incident, there have been reports that the flaw had been reported to Kaseya well before the attack.

The Threat Actor: REvil Group
The REvil group claimed responsibility for the incident and set the ransom at $70 million in Bitcoin in exchange for a universal decryptor.
Little is known about REvil, as a criminal organisation that maintains its anonymity for obvious reasons; however, they are believed to be based in Russia, not least because they avoid targeting victims in Russia.
REvil operates a ransomware-as-a-service model: rather than spending all their time launching attacks themselves, they lease their malware and infrastructure to affiliates, giving even criminals without technical ability a means to profit from ransomware. In return, REvil takes a share of each ransom paid.

Another SolarWinds Attack?
The Kaseya attack is reminiscent of the SolarWinds supply chain attack, in which malicious code was injected into the vendor's own software build and sent out to unknowing clients as what appeared to be a legitimate software update. There are important differences. SolarWinds was an espionage operation: the implanted update gave the attackers quiet, long-term access to victim networks. In the Kaseya incident, Kaseya's update channel was not compromised; instead the attackers exploited a vulnerability in VSA servers already running in customer environments and then used the server's own endpoint-management functions to deploy ransomware to the machines it managed. The result was loud and immediate: data at many organisations was left encrypted with no means of accessing it. What the two incidents share is the abuse of a trusted management product as the route into many victims at once.

What is a Software Supply Chain Attack?
A software supply chain attack is an attack on a third-party software provider in which malicious code is injected into the software that provider ships. Routine software updates then carry the malware (ransomware, a backdoor, or a data stealer) to every customer who installs them. Rather than infiltrating an organisation directly, the attacker exploits the trusted access that a third party already has, and gains a foothold in a whole pool of targeted organisations rather than just one. It is worth mentioning that opinion is divided on whether the Kaseya incident is strictly a supply chain attack, because the evidence points to a vulnerability in the VSA server software being exploited rather than Kaseya's own updates being tampered with.
In practical terms the distinction matters less than it sounds. The VSA server was already running inside each victim's environment with the authority to push software to every managed endpoint; once the attackers exploited the unknown vulnerability in that server, they inherited that authority and used it to encrypt large numbers of devices, leaving large amounts of data unavailable. Whether the trust is abused at the vendor's build system or at the management server in your own network, the lesson is the same: a product that can administer all of your endpoints is a single point of compromise for all of them.

What is a zero-day vulnerability?

A zero-day vulnerability is one that is exploited before the vendor has made a fix available; the vendor has had "zero days" to patch it. Normally, when a vulnerability is identified, it is reported to the vendor, publicly registered with a Common Vulnerabilities and Exposures (CVE) number and patched to remove the weakness, so that customers can protect themselves by updating. In the Kaseya incident, the vulnerability existed in the on-premises VSA servers and it is reported that no patch had been released to customers at the time the attackers exploited it.

What is the impact of the Kaseya attack? 

The Kaseya incident caused widespread damage, including to clients who treated their cybersecurity as a priority. The compromise of VSA servers resulted in the compromise of the endpoint machines managed by those servers, leaving many victims affected through little or no fault of their own. Because an MSP's VSA server typically manages the endpoints of many downstream businesses, the number of victims far exceeds the number of Kaseya customers whose servers were exploited: estimates put the impact at up to around 1,500 organisations, and the attackers themselves claimed to have infected over a million devices.

What could Kaseya have or not have done to reduce the impact of the incident?

There are many articles available on this matter, including recent reporting from cybersecurity journalist Brian Krebs indicating that Kaseya had been warned about security flaws in its products as far back as 2015, but we are not aware of the details of what Kaseya did, or how they could have protected themselves better. Going forward, all Kaseya customers should ensure that they install the most recent updates, and should follow vendor guidance when it says to take a server offline until a fix is available, as Kaseya advised on-premises VSA customers to do during this incident. It is also a timely reminder for all organisations to carry out regular patching of systems and to keep management consoles such as RMM servers off the public internet: a vulnerability in an administration interface that is reachable only over a VPN or from an internal network is far harder to exploit at scale than one that answers to the whole internet.

What types of businesses are the most vulnerable to zero-day? How do you avoid them?

Everyone is vulnerable to a zero-day.

A zero-day vulnerability could be present in any piece of software we use routinely, so everyone is exposed to some degree. The best way to protect yourself is to reduce your attack surface: run only the software you need to fulfil your business objectives, enforce the principle of least privilege so that a compromised account or server can do as little damage as possible, and patch promptly so that vulnerabilities are removed as soon as fixes are available. Bear in mind that patching only helps once a patch exists; against a true zero-day it is least privilege, network segmentation and good backups that limit the blast radius.

The Windows PrintNightmare zero-day vulnerability, in the Windows Print Spooler service, was identified at around the same time as the Kaseya incident and had the potential to affect far more users. This reminds us that we are all exposed to similar vulnerabilities.

Do I need to be worried?

Research shows that this vulnerability is only present in Kaseya VSA on-premises servers. If your organisation does not run an on-premises VSA server, your own infrastructure was not exploitable. However, that is not the same as being out of scope: if an MSP manages your endpoints using Kaseya VSA, your machines run the VSA agent and were reachable from that MSP's server, so you should confirm with your provider whether their VSA server was affected and how it was patched. Only if neither you nor your service providers use on-premises VSA is there no cause for concern from this particular incident.

What does Pragma recommend for your company when impacted by a Ransomware attack?

It is never recommended to pay a ransom. However, this is a hotly debated topic and it can depend heavily upon the circumstances. It is recommended to seek professional help if you are affected, because even if you can decrypt your data in some way, there is still a root cause that needs to be identified: how did the attacker get into the network and launch the ransomware? If this attack vector is not identified and closed, you may find yourself infected again even after getting your data back by payment or from backups.

At Pragma, we regularly investigate ransomware incidents and carry out detailed forensic analysis to identify the root cause of an attack and work closely with the client to contain and eradicate a threat actor.

If you are actively affected by a ransomware incident, it is advisable not to turn off the computer but to isolate the machine from the network (unplug the cable, disable Wi-Fi, or disable the network adapters) and seek professional assistance. Leaving the computer powered on retains volatile evidence, such as running processes, active connections and the contents of memory, that forensic investigators can examine; in some cases the encryption keys themselves are recoverable from memory while the ransomware process is still running.
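The isolation step described above, as an added example and not part of the original article or of any Kaseya or Pragma tooling: a first-responder PowerShell script for a Windows endpoint that writes the volatile state a power-off would destroy (processes, connections, services, scheduled tasks) to a timestamped evidence file, hashes that file, and only then disables the network adapters so the host stays powered on but cut off. The evidence directory path is an assumption; change it to removable media if one is available. Run it from an elevated prompt on the console of the machine, not over a remote session, because disabling the adapters will sever that session too.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): preserve volatile evidence,
# then isolate the host from the network without shutting it down.

$EvidenceDir = "C:\IR-Evidence"   # assumed location; use removable media if possible
$Stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$Log = Join-Path $EvidenceDir "triage-$env:COMPUTERNAME-$Stamp.txt"

function Write-Section {
    # Append one titled section of collector output to the evidence file.
    param([string]$Title, [scriptblock]$Body)
    "==== $Title ($(Get-Date -Format o)) ====" | Out-File -FilePath $Log -Append
    try {
        & $Body | Out-String -Width 4096 | Out-File -FilePath $Log -Append
    } catch {
        "ERROR collecting ${Title}: $_" | Out-File -FilePath $Log -Append
    }
}

# 1. Volatile state first: everything here is lost on power-off.
Write-Section "Host, boot time and current user" {
    Get-CimInstance Win32_OperatingSystem | Select-Object CSName, LastBootUpTime
    whoami /all
}
Write-Section "Running processes with command lines" {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine |
        Sort-Object ProcessId
}
Write-Section "Active and listening TCP connections" {
    Get-NetTCPConnection -State Established, Listen |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}
Write-Section "Running services" {
    Get-Service | Where-Object Status -eq 'Running' | Select-Object Name, DisplayName
}
Write-Section "Scheduled tasks outside the Microsoft namespace" {
    Get-ScheduledTask | Where-Object TaskPath -notlike '\Microsoft\*' |
        Select-Object TaskName, TaskPath, State
}

# 2. Hash the evidence file so its integrity can be shown later.
$Hash = (Get-FileHash -Path $Log -Algorithm SHA256).Hash
"SHA256 $Hash  $Log" | Out-File -FilePath (Join-Path $EvidenceDir "triage-$Stamp.sha256")

# 3. Only now isolate: disable every adapter that is up. The host stays
#    powered on so memory and running processes survive for the examiner.
#    This also cuts the RMM agent's link to its management server.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false

Write-Host "Evidence written to $Log (SHA256 $Hash). Host is isolated; leave it powered on."
```

The order matters: collectors run before isolation because some of what they record (remote addresses, owning processes of live connections) disappears the moment the adapters go down. Disabling adapters rather than pulling the plug is reversible by the investigator with `Enable-NetAdapter` once the machine has been imaged, and it works on virtual machines where there is no cable to pull.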

The best way to deal with ransomware is to exercise good cyber hygiene. Preventive measures are always cheaper than a cyber investigation.

  • Use a reputable anti-virus or endpoint protection product, and make sure its alerts are actually monitored.
  • Update software regularly and patch vulnerabilities promptly, giving priority to anything exposed to the internet or with administrative reach over other systems (such as RMM and backup servers).
  • Use strong, unique passwords and implement Multi-Factor Authentication (MFA) on all accounts, above all on remote access and administrative accounts.
  • Back up data regularly, including the operating system, applications, and data.
    • Follow the 3-2-1 backup rule, which stipulates that you have:
      • Three copies of your data: the production version and two backups.
      • Two different storage media for the backups, for example a network drive, an external hard drive, or cloud storage.
      • One of those backups stored off-site, such as in the cloud.
    • Keep at least one copy offline or immutable. Ransomware actors routinely seek out and encrypt or delete backups reachable over the network, so a backup that the compromised environment can write to is not a backup you can rely on.
    • Test restores regularly. A backup that has never been restored is an assumption, not a recovery plan.