While 2020 will surely be remembered as the year of the pandemic, it’s quite possible that 2021 will be remembered as the year of ransomware too. Ransomware attacks seem to be running amok through 2021, with almost daily occurrences reported. Ransomware is a type of malware that blocks access to a company’s files until a ransom is paid. It typically encrypts your files, rendering them inaccessible until the attacker is paid and delivers a key that can decrypt them. Ransomware is often spread using a Trojan disguised as a legitimate file, which a user is tricked into running from an email attachment or website.
Following hot on the heels of the infamous east coast Colonial Pipeline and JBS Meatpacking ransomware exploits, a Kaseya software supply chain attack over the 4th of July weekend hit up to 1500 companies. Kaseya has an international headquarters in Dublin, Ireland, and the company’s US headquarters is in Miami, Florida. The latest Kaseya attack is notable because Kaseya supports Managed Service Providers (MSPs), who in turn support many small and medium-sized businesses.
Kaseya provides a unified remote monitoring and management tool called VSA that enables MSPs to manage the IT for remote businesses, making it a central part of a wider software supply chain. Kaseya reported that approximately 60 of its VSA customers were compromised. Those customers supply IT management services to other businesses, and they passed the malware on to approximately 1,500 other organizations. Security experts believe the attack was triggered by an authentication bypass vulnerability in the Kaseya VSA web interface, which allowed the attackers to circumvent authentication controls. This allowed them to establish an authenticated session in order to upload malicious software and execute commands.
The ransomware group REvil claimed responsibility for the attack and initially demanded a $70 million payment in Bitcoin for a “universal” decryption tool. At this point, Kaseya has not stated whether they will pay the ransom or not. Somewhat ironically, the offer of a universal tool reflects the problems REvil would have in needing to separately negotiate with 1500 different potential victims.
In a July 5th statement, Kaseya said that a fix to prevent this attack has been developed. They have also released a new, free compromise detection tool that customers can use to check networks and computers. However, for many of the companies that have been hit, it’s time to dust off the disaster recovery (DR) plans.
Protecting Against Ransomware with Planning and DR
While you could just pay the ransom, and in many cases that will work, there’s no guarantee that your files and services will be restored. Plus, there’s nothing to stop the attacks from happening again. DR is one of the essential pillars of ransomware protection, helping your company both avoid and recover from attacks. Effective protection from ransomware requires: