The average ransomware attack caused $1.85 million in losses to the company in 2021, up 41% from 2020. This estimate factors in  the amount paid, downtime, expense for IT technicians, device cost, network cost, lost opportunity, and more. Leadership turnover is another cost that few companies consider; after a ransomware attack, 32% of C-level employees leave. Also, 80% of targeted organizations are re-attacked.

What is Ransomware?

Malicious software, known as “malware,” encompasses all computer-harming software like Trojans and viruses. These attacks take advantage of weaknesses in people, systems, networks, and software to infect a victim’s computer, printer, smartphone, wearable, or other endpoints. Ransomware is a type of malware that uses encryption to lock a user out of their files, then demands payment to unlock and decode it. Instructions on the amount and how to pay are displayed, generally ranging from a few hundred to thousands of dollars in Bitcoin. The attacker often gives the target a limited amount of time to make a payment before all data is destroyed. today.

Ransomware attack

Kaseya’s VSA Mass Ransomware attack

Ransomware attack-Kaseya-databrackets infographics

Kaseya VSA is an RMM (Remote Monitoring and Management) system that keeps tabs on your network from afar. Managed service providers use it to manage their customers’ computers, servers, networks, and related infrastructure, including email, phones, firewalls, switches, and modems. Endpoints, such as client workstations and servers, have the RMM agent installed.  This program allows MSPs to manage and monitor their platforms from a single location, saving time and money.

Kaseya serves 35,000 companies. These include 17,000 managed service providers, 18,000 direct or VAR (Value-Added Reseller)  customers, and many end users at their supported enterprises.

The number of companies using Kaseya software and the potential levels of access have made this one of the most popular targets for ransomware attacks. Threat actors who target Kaseya VSA have a vast attack surface.

The Attack

What happened to Kaseya?

In July 2021, the REvil ransomware gang used Kaseya VSA remote monitoring and management software to lock up 50 to 60 MSPs and their clients.

Who was affected by the attack in Kaseya?

The Kaseya ransomware attack hit over 50 MSPs and between 800 and 1500 businesses.

Consider that these 37,000 customers are only 0.001 percent of Kaseya’s total. This may seem to be a small number, but when one managed service provider (MSP) is breached, it has a knock-on effect on all the apparent other businesses it serves. The impact can quickly spread if it were to gain momentum, and reports have shown that it can take weeks or months for the full effects of an attack to become apparent.  The initial fifty managed service providers (MSPs) could quickly balloon into the hundreds, and affected companies can easily grow into the thousands.

Does anyone know who launched the Kaseya cyberattack?

The ransomware attack on Kasyea was carried out by the REvil RaaS group, also known as Sodinokibi.

Ransom-as-a-Service (RaaS) groups of the criminal underworld let anyone who wants to hold a company for ransom use their services. This group is responsible for around 300 ransomware campaigns every single month. The key driver is financial motivation.

The Trigger

What Was the Root Cause of the Kaseya Cyber Attack?

REvil used zero-day exploits to get into Kaseya’s VSA Software as a Service (SaaS) platform and spread malicious software to its customers and systems. Ransomware actors then exploited the weakened systems to encrypt all data.

Kaseya’s managed service provider (MSP) customers have the Kaseya VSA agent (C: Program Files (X86)KASEYAID>AGENTMON.EXE) installed on their computers.

This component is accountable for retrieving data from remote Kaseya servers. This agent pulls from Kaseya’s cloud servers.

Threat actors circumvent security by signing malware. Malware installers mask themselves as Kaseya traffic. Kaseya’s platform signed the virus because it’s wrapped in it. Thus, malware can bypass all protections on clients’ systems.

Huntress and others in the industry say that the Ransomware attack chain included bypassing authentication, letting files be uploaded without control, and running code from afar.

How did hackers get the information to overcome authentication?

After exploitation, the first malicious request was made to the public-facing file /dl.asp.

This file had an authentication logic problem. The end user could connect with a valid Kaseya agent GUID but no password. Without a password, the actor might access further authentication-required services.

The attack analysis showed malicious access with a unique agent GUID. The threat actors merely knew agent GUIDs. No logs showed failed attempts.

How did threat actors get a unique Agent GUID?

The agent GUID is a random 15-character string unrelated to the hostname. The event logs showed no Agent GUID or display name brute-forcing attempts.

There may be a few alternatives.

  1. A valid Agent GUID has been anticipated by the threat actors
  2. Threat actors created a “rogue” agent with a new agent GUID.
  3. Threat actors stole an agent GUID from a VSA agent-running host.
  4. Other vulnerabilities leaked Agent GUIDs
  5. Agent GUIDs and display names were publicly available.

If the threat actor only had Agent GUIDs, it would be tougher to match them to the organization.

What are the indications of compromise?

A collection of these technical details and Indications of Compromise (IOCs) has been made available by Kaseya. This list includes network, endpoint, and weblog indicators.

The Response – Aftermath

Didn’t Kaseya Close Everything?

Kaseya disabled the VSA SaaS platform so its customers wouldn’t be exposed to malware.  Then, they enlisted the support of the FBI, the CISA, and third-party suppliers like Huntress and Sophos to deal with the problem. The corporation has also assumed the duty of communicating this information to its clients. MSPs themselves have a responsibility to inform their clients about the attack. Part of this process is actively looking for the signs of compromise that Kaseya has shown. After spotting the threat, Kaseya shut down their VSA SaaS platform and directed clients to shut down their on-premises servers at 1400 ET. This might explain why so few VSA customers were affected by a vulnerability that was so big and widespread.

Did Kaseya pay the ransom?

Kaseya denies paying the REvil cybercrime organization as it distributes a ransomware decryptor. Kaseya announced on July 22 that it had gotten a decryption tool from a “third party” and was working with Emsisoft to restore affected organizations’ environments. The update sparked speculation about the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team speculating that it was a disgruntled REvil affiliate, the Russian government, or Kaseya themselves who had paid the ransom.

On July 13, REvil’s dark web domains stopped working, which supports the idea that the universal decryptor key was given to law enforcement. The cybercrime group initially asked Kaseya for $70 million but lowered its price to $50 million. Kaseya said, “the decryption tool has proven 100% effective at decrypting files that were entirely encrypted in the attack.”

What Are the Payment Terms for Ransomware?

The ransom demanded from each victim ranges from $50,000 to $5 million.

However, there is also a $70 million master key available as part of a bundled deal paid in Bitcoin.

 

Has there ever been a larger ransomware attack than this one?

The criteria for the “largest” ransomware assault include the following three elements, which are also factors to consider when negotiating a ransom:

  • Ransom demand
  • Number of systems affected
  • Total damage

WannaCry was the biggest ransomware attack in terms of how many computers were affected. It affected 230,000 machines in 150 countries, but the total ransom was only $130,000. Experts in cyber security have put the cost of the WannaCry assault anywhere from the hundreds of millions  in July 2021, including a multinational software company called Kaseya. The department also said that it had seized $6.1 million in funds that may have been used to pay a ransom to Yevgeniy Polyanin, a Russian citizen who is 28 years old and is accused of using Sodinokibi/REvil ransomware attacks on multiple businesses and government agencies in Texas on or around August 16, 2019. According to the accusations, Vasinskyi and Polyanin infiltrated the internal computer networks of many victim companies and encrypted their data with Sodinokibi/REvil ransomware.

Lessons Learned

How can businesses safeguard themselves against or lessen the impact of Ransomware?

Most ransomware attacks can be avoided or minimized by

  • Implementing user education and training
  • Automating backups
  • Minimizing attack surfaces
  • Developing an incident response plan
  • Investing in an EDR tool and MDR
  • Purchasing ransomware insurance
  • Storing physical and remote backups
  • Implementing zero-trust security

It’s important to have both local and remote backups, since backups stored in the cloud can also be attacked. Attacks like Kayesa can cause less damage when there are business continuity plans and regular backup testing.

Zero-Trust should be implemented.

Zero-trust security can mitigate ransomware attacks. Unlike traditional models, zero trust views the entire world as its boundary. All communication must happen between me (the program), my computer (the user), and myself (the user). You can modify the channels through which they can communicate and the privileges they have when doing so. In a zero-trust setting, the attacker has much less space to move around, no matter how they got into your system in the first place.

How can databrackets help you?

To secure data, apps, and networks from increasingly complex assaults, many organizations use Managed Security and Compliance Services, which include SIEM, incident handling, and Threat Intelligence.

The Managed Security and Compliance services from databrackets will check your organization’s readiness for security and find any weaknesses to protect them.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

Last Updated on December 21, 2022 By Srini KolathurIn cybersecurity, VAPT