Anatomy of a Ransomware Attack and Lessons Learned

Anatomy of the Kaseya ransomware attack and lessons learned: Zero Trust Security

The average ransomware attack cost the affected company $1.85 million in 2021, up 41% from 2020. This estimate factors in the amount paid, downtime, expense for IT technicians, device cost, network cost, lost opportunity, and more. Leadership turnover is another cost that few companies consider: after a ransomware attack, 32% of C-level employees leave. Also, 80% of targeted organizations are re-attacked.

What is Ransomware?

Malicious software, known as “malware,” encompasses all software that harms computers, such as Trojans and viruses. These attacks take advantage of weaknesses in people, systems, networks, and software to infect a victim’s computer, printer, smartphone, wearable, or other endpoint. Ransomware is a type of malware that uses encryption to lock a user out of their files, then demands payment to unlock and decrypt them. Instructions on the amount and how to pay are displayed, with demands generally ranging from a few hundred to thousands of dollars in Bitcoin. The attacker often gives the target a limited amount of time to pay before all data is destroyed.


Kaseya’s VSA Mass Ransomware attack

[Infographic: Kaseya ransomware attack]

Kaseya VSA is an RMM (Remote Monitoring and Management) system that monitors a network remotely. Managed service providers use it to manage their customers’ computers, servers, networks, and related infrastructure, including email, phones, firewalls, switches, and modems. Endpoints, such as client workstations and servers, have the RMM agent installed. This program allows MSPs to manage and monitor their platforms from a single location, saving time and money.

Kaseya serves 35,000 companies. These include 17,000 managed service providers, 18,000 direct or VAR (Value-Added Reseller) customers, and many end users at their supported enterprises.

The number of companies using Kaseya software and the potential levels of access have made this one of the most popular targets for ransomware attacks. Threat actors who target Kaseya VSA have a vast attack surface.

The Attack

What happened to Kaseya?

In July 2021, the REvil ransomware gang used Kaseya VSA remote monitoring and management software to lock up 50 to 60 MSPs and their clients.

Who was affected by the attack in Kaseya?

The Kaseya ransomware attack hit over 50 MSPs and between 800 and 1500 businesses.

Consider that these 37,000 customers are only 0.001 percent of Kaseya’s total. This may seem a small number, but when one managed service provider (MSP) is breached, it has a knock-on effect on all the other businesses it serves. The impact can spread quickly once it gains momentum, and reports have shown that it can take weeks or months for the full effects of an attack to become apparent. The initial fifty MSPs could quickly balloon into the hundreds, and the affected companies can easily grow into the thousands.

Does anyone know who launched the Kaseya cyberattack?

The ransomware attack on Kaseya was carried out by the REvil RaaS group, also known as Sodinokibi.

Ransomware-as-a-Service (RaaS) groups in the criminal underworld let anyone who wants to hold a company to ransom use their services. This group is responsible for around 300 ransomware campaigns every single month. The key driver is financial motivation.

The Trigger

What Was the Root Cause of the Kaseya Cyber Attack?

REvil used zero-day exploits to get into Kaseya’s VSA Software-as-a-Service (SaaS) platform and push malicious software out to its customers’ systems. The ransomware actors then used the compromised systems to encrypt all data.

Kaseya’s managed service provider (MSP) customers have the Kaseya VSA agent (C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe) installed on their computers.

This component is responsible for retrieving data from Kaseya’s remote cloud servers.

The threat actors circumvented security by delivering the malware through the trusted Kaseya channel: the malicious installer masqueraded as Kaseya traffic and, because it was wrapped in Kaseya’s own platform, carried Kaseya’s signature. As a result, the malware could bypass the protections on clients’ systems.

Huntress and others in the industry say that the ransomware attack chain included an authentication bypass, an uncontrolled file upload, and remote code execution.

How did hackers get the information to overcome authentication?

After exploitation began, the first malicious request was made to the public-facing file /dl.asp.

This file had an authentication logic flaw: a client could connect with a valid Kaseya agent GUID but no password. Without needing a password, the actor could then reach further services that normally require authentication.

The attack analysis showed malicious access using a unique agent GUID. The threat actors simply knew valid agent GUIDs; no logs showed failed attempts.

How did threat actors get a unique Agent GUID?

The agent GUID is a random 15-character string unrelated to the hostname. The event logs showed no attempts to brute-force Agent GUIDs or display names.

There are a few possibilities:

  1. The threat actors predicted a valid Agent GUID.
  2. The threat actors created a “rogue” agent with a new Agent GUID.
  3. The threat actors stole an Agent GUID from a host running the VSA agent.
  4. Other vulnerabilities leaked Agent GUIDs.
  5. Agent GUIDs and display names were publicly available.

If the threat actor only had Agent GUIDs, it would be tougher to match them to the organization.
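As an added illustration of the flaw class described in the two sections above (this is example code, not Kaseya’s code, and not a description of how VSA is actually implemented), the block below shows an authentication check that fails open when the password is absent, so that knowing a valid agent GUID is enough; the same check fixed to fail closed; and a small scan over constructed web-log lines that flags successful /dl.asp requests carrying an agent GUID but no credential. The log layout and the parameter names agentGuid and password are assumptions.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Hypothetical agent registry: agent GUID -> salted password hash.
# Constructed for this example; not Kaseya's data model.
SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


AGENTS = {
    # 15-character GUID, the length the page describes
    "A1B2C3D4E5F6G7H": hash_password("correct-horse-battery"),
}


def authenticate_vulnerable(guid: str, password: Optional[str]) -> bool:
    """Flawed logic: a known GUID is enough. A missing password is treated as
    'nothing to verify' instead of 'nothing verified', so the check fails open."""
    if guid not in AGENTS:
        return False
    if password is None:
        return True  # the bug: absent credential == accepted
    return hmac.compare_digest(AGENTS[guid], hash_password(password))


def authenticate_fixed(guid: str, password: Optional[str]) -> bool:
    """Hardened logic: GUID and password are both mandatory, and every failure
    path returns False (fail closed)."""
    if not guid or not password:
        return False
    stored = AGENTS.get(guid)
    if stored is None:
        hash_password(password)  # keep timing similar whether or not the GUID exists
        return False
    return hmac.compare_digest(stored, hash_password(password))


# Constructed web-log lines in a simplified IIS-like layout (assumed):
# date time client-ip method uri query status
LOG_LINES = [
    "2021-07-02 14:03:11 203.0.113.5 GET /dl.asp agentGuid=A1B2C3D4E5F6G7H 200",
    "2021-07-02 14:03:12 198.51.100.7 GET /dl.asp agentGuid=A1B2C3D4E5F6G7H&password=secret 200",
    "2021-07-02 14:03:13 198.51.100.7 GET /index.asp - 200",
    "2021-07-02 14:03:14 203.0.113.5 GET /dl.asp agentGuid=ZZZZZZZZZZZZZZZ 401",
]


def suspicious_dl_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client-ip, agent GUID) for successful /dl.asp requests that present
    an agent GUID without any credential: the pattern a fail-open check lets through."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 7 or fields[4] != "/dl.asp" or fields[6] != "200":
            continue
        params = parse_qs(fields[5])
        if "agentGuid" in params and "password" not in params:
            hits.append((fields[2], params["agentGuid"][0]))
    return hits
```

Only the first constructed line is flagged: it succeeded with a GUID alone, which is exactly the request shape that would leave no failed-authentication entries in the logs.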

What are the indicators of compromise?

Kaseya has made available a collection of these technical details and Indicators of Compromise (IOCs). The list includes network, endpoint, and web-log indicators.

The Response – Aftermath

Didn’t Kaseya Close Everything?

Kaseya disabled the VSA SaaS platform so its customers wouldn’t be exposed to the malware. It then enlisted the support of the FBI, CISA, and third-party suppliers such as Huntress and Sophos to deal with the problem. The company also took on the duty of communicating this information to its clients, while MSPs themselves have a responsibility to inform their own clients about the attack. Part of this process is actively looking for the indicators of compromise that Kaseya has published. After spotting the threat, Kaseya shut down its VSA SaaS platform and directed clients to shut down their on-premises servers at 1400 ET. This may explain why so few VSA customers were affected by a vulnerability that was so big and widespread.

Did Kaseya pay the ransom?

Kaseya denies having paid the REvil cybercrime organization for the ransomware decryptor it is distributing. Kaseya announced on July 22 that it had obtained a decryption tool from a “third party” and was working with Emsisoft to restore affected organizations’ environments. The update sparked speculation about the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team suggesting it was a disgruntled REvil affiliate, the Russian government, or Kaseya itself having paid the ransom.

On July 13, REvil’s dark web domains stopped working, which supports the idea that the universal decryptor key was given to law enforcement. The cybercrime group initially asked Kaseya for $70 million but lowered its price to $50 million. Kaseya said, “the decryption tool has proven 100% effective at decrypting files that were entirely encrypted in the attack.”

What Are the Payment Terms for Ransomware?

The ransom demanded from each victim ranges from $50,000 to $5 million.

However, there is also a $70 million master key available as part of a bundled deal paid in Bitcoin.

Has there ever been a larger ransomware attack than this one?

The criteria for the “largest” ransomware assault include the following three elements, which are also factors to consider when negotiating a ransom:

  • Ransom demand
  • Number of systems affected
  • Total damage

WannaCry was the biggest ransomware attack in terms of how many computers were affected. It affected 230,000 machines in 150 countries, but the total ransom was only $130,000. Cybersecurity experts have put the cost of the WannaCry assault anywhere from the hundreds of millions in July 2021, including a multinational software company called Kaseya. The department also said that it had seized $6.1 million in funds that may have been used to pay a ransom to Yevgeniy Polyanin, a 28-year-old Russian citizen accused of using Sodinokibi/REvil ransomware in attacks on multiple businesses and government agencies in Texas on or around August 16, 2019. According to the accusations, Vasinskyi and Polyanin infiltrated the internal computer networks of many victim companies and encrypted their data with Sodinokibi/REvil ransomware.

Lessons Learned

How can businesses safeguard themselves against or lessen the impact of Ransomware?

Most ransomware attacks can be avoided or minimized by

  • Implementing user education and training
  • Automating backups
  • Minimizing attack surfaces
  • Developing an incident response plan
  • Investing in an EDR tool and MDR
  • Purchasing ransomware insurance
  • Storing physical and remote backups
  • Implementing zero-trust security

It’s important to have both local and remote backups, since backups stored in the cloud can also be attacked. Attacks like Kaseya’s cause less damage when business continuity plans and regular backup testing are in place.

Zero-Trust should be implemented.

Zero-trust security can mitigate ransomware attacks. Unlike traditional perimeter models, zero trust treats the entire world as untrusted: there is no trusted “inside.” Every communication is evaluated in terms of the program, the device, and the user involved, and you can restrict both the channels through which they may communicate and the privileges they hold when doing so. In a zero-trust setting, the attacker has much less room to move around, no matter how they got into your system in the first place.

How can databrackets help you?

To secure data, apps, and networks from increasingly complex assaults, many organizations use Managed Security and Compliance Services, which include SIEM, incident handling, and Threat Intelligence.

The Managed Security and Compliance services from databrackets will check your organization’s security readiness and find any weaknesses so they can be addressed.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

Vulnerability Assessment vs. Penetration Testing

Know the difference between vulnerability assessment and penetration testing, and the importance of implementing both.

[Infographic: Growing need for VAPT]

Every business with digital assets is at risk of being hacked, no matter how big or successful it is on a global scale. Reports show one ransomware attack occurred every 11 seconds in 2021. These attacks could hurt anyone, from a multimillion-dollar company to a small business just starting to make sales online.

A vulnerability assessment report tells you where potential risk is and the steps you can take to reduce it. A vulnerability assessment focuses on your systems, network, and the places people can connect.

A Penetration Test or Pentest is an authorized simulated attack on computer systems to assess security. Penetration tests simulate various business-threatening attacks and can examine any system component with the right scope. Penetration testers use the same Tactics, Techniques, and Procedures (TTPs) as attackers to find weaknesses in a system and show how they affect business.

Comparing penetration testing and vulnerability assessments helps understand their roles in your organization’s security practices and determine your needs.

Vulnerability Assessment

What is a Vulnerability Assessment?

Vulnerability assessments identify, classify, and prioritize computer, application, and network vulnerabilities. They examine information system security flaws: they check for vulnerabilities, assign severity levels, and suggest solutions.

Why are Vulnerability Assessments needed?

A vulnerability assessment determines an organization’s areas that need improvement. This process helps the company understand its assets, security flaws, and risk, reducing the likelihood of a cyberattack. It also guides risk assessment for weaknesses.

Depending on your organization, you may need regular vulnerability assessments to stay compliant. Compliance regulations have evolved to address security issues and vary by region and industry. Examples include GDPR, PCI DSS, and HIPAA. These standards require regular assessments to demonstrate that sensitive customer data is being protected properly. Vulnerability Assessments are comprehensive security processes that include:

  • Checking security protocols
  • Checking the password security of routers and Wi-Fi networks
  • Reviewing network resilience against network intrusions, DDoS, and MITM attacks
  • Network port vulnerability scanning

How often do you need to perform a Vulnerability Assessment?

How often assessments must be done is set by compliance requirements. While legal regulations may require them less frequently, in the best case assessments should be done once a month. Businesses are generally advised to scan their internal and external systems at least once every three months.

Major standards’ frequency levels:

  • Payment Card Industry Data Security Standards (PCI DSS): Every three months
  • The Health Insurance Portability and Accountability Act (HIPAA): Does not require scanning but mandates that a detailed assessment process must be set up
  • Cybersecurity Maturity Model Certification (CMMC): Once a week to once every three months, depending on what auditors need
  • National Institute of Standards and Technology (NIST): Every three to four months, depending on how the organization is run

What’s in the Vulnerability Assessment Report?

Vulnerability Assessment involves vulnerability scanning and technical judgment. A Vulnerability Assessment report includes an organization’s security policy and other security products utilized. The Vulnerability Assessment suggests risk-mitigation measures afterward.

A Vulnerability Assessment report analyzes an organization’s systems, identifies vulnerabilities, and rates their severity. Security professionals use automated and manual testing tools for these assessments.

How do Vulnerability Assessments benefit you?

Vulnerability Assessments help you:

  • Discover security flaws to help organizations stay one step ahead of attackers
  • Catalog all network devices, including the purpose and system information
  • Plan upgrades, installations, and inventory of all enterprise devices
  • Define network risk
  • Optimize security investments with a business risk/benefit curve

How do you perform a Vulnerability Assessment?

  1. Establishing the testing scope

Establish a Vulnerability Assessment methodology:

  • Locate your sensitive data
  • Find hidden data
  • Identify mission-critical servers
  • Select systems and networks
  • Check ports, processes, and configurations
  • Map the IT infrastructure, digital assets, and devices
  • Streamline the process

  2. Identifying vulnerabilities

Conduct a vulnerability scan of your IT infrastructure and list all security threats. This step needs an automated vulnerability scan and a manual penetration test to ensure correct results and reduce false positives.

  3. Analyzing vulnerabilities

A scanning tool generates risk and vulnerability assessments. Most tools report a CVSS (Common Vulnerability Scoring System) score for each finding. These scores indicate how serious each weakness is. Prioritize them by severity, urgency, potential damage, and risk.

  4. Addressing vulnerabilities

After identifying and analyzing vulnerabilities, choose a fix: the options are mitigation and remediation.

Remediation resolves vulnerabilities. It can be done by installing security tools, keeping products up to date, or using other methods. All stakeholders must participate in vulnerability remediation based on identified priorities.

Google Trends for Vulnerability Assessment vs. Penetration Testing

[Chart: Google Trends, Vulnerability Assessment vs. Penetration Testing]

Google Trends shows that relative interest in penetration testing nearly peaked last year. Organizations are grouping Vulnerability Assessment and Penetration Testing (VAPT) together to improve security maturity.

Penetration Testing

What is Penetration Testing?

Penetration Testing (or Pentest) is the authorized simulation of various business-threatening attacks on computer systems to evaluate security. Penetration tests determine if a system can handle attacks from authenticated and unauthenticated users and system roles. Pen testers use the same tools, methods, and processes as attackers to find weaknesses in a system and show how they may affect business. Pentest can examine any system component with the right scope.

Why is Penetration Testing important?

  • Find vulnerabilities that traditional IT security tools miss
  • Identify weak spots in an application or network that hackers might use to get into the system
  • Establish customer and company trust
  • Protect company data and reputation; data leaks ruin reputations

Preparing for attacks from hackers or employees who leak confidential information is important. A non-destructive penetration test can identify security vulnerabilities before an attack and recommend improvements.

How often do you need to perform Penetration Testing?

Penetration testing should be performed at least once a year to improve IT and network security management and to reveal how malicious hackers may exploit newly discovered threats (0-days, 1-days) or emerging vulnerabilities. For example, PCI DSS compliance requires penetration testing annually or after major infrastructure or application upgrades.

IT Governance recommends an annual Level 2 penetration test for high-profile or high-value organizations. Organizations with a low-risk appetite should do level 1 penetration tests often (usually every three months).

What’s in the Penetration Testing report?

Penetration Testing reports detail security test vulnerabilities. The report lists weaknesses, threats, and solutions. The Pen Test Report provides a complete overview of vulnerabilities with a POC (Proof of Concept) and priority remediation rating for each issue and its impact on your application/website.

A good penetration testing report includes an executive summary, vulnerabilities, business impact, and recommendations to fix them.

How do you perform Penetration Testing?

Planning and reconnaissance, scanning, system access, continued access, and analysis/report comprise the penetration testing process. Ethical hackers can look at a system, figure out its strengths and weaknesses, then choose the best tools and methods to break into it. Penetration testing begins long before a simulated attack.

Planning and Reconnaissance

The first penetration phase involves simulating a malicious assault to obtain as much system information as possible. Ethical hackers look at the system, its weaknesses, and how the technology stack reacts when a system is broken. The methods include Social engineering, dumpster diving, network scanning, and domain registration information retrieval. Employee names, emails, network topology, and IP addresses are searched. The audit goals determine the type of information and investigation depth.

Scanning

Penetration testers scan systems and networks based on the planning findings. The scan identifies system vulnerabilities that could be exploited for targeted attacks. All this information is crucial to the success of the next steps.

System Access

Pen testers use system vulnerabilities to enter infrastructure. They escalate privileges to show how deep they can get into target environments.

Continued Access

In this step, the Pentest identifies which data and services one can access to gain the most privileges, network knowledge, and system access. Pentesters should stay in a system long enough to mimic hostile hackers’ intentions.

Analysis and Reporting

The security team writes a comprehensive penetration testing report of their results at the last stage. Finally, they recommend safeguards to prevent future attacks. Attacks have skyrocketed in recent years and don’t appear to be slowing down, so the number of precautions needs to be adjusted accordingly.

How does Penetration Testing benefit you?

  • Reveals the system’s weaknesses
  • Reveals the system’s strengths
  • Prevents hackers from infiltrating systems
  • Verifies if your system design meets the current regulations
  • Helps ensure an experienced hacker cannot access your data
  • Shows how a hacker might attack your system. This distinguishes them from most other testing choices
  • Helps establish customer trust, showing you’re correcting problems and working hard to serve clients well
  • Helps budget your security expenditure


Vulnerability Assessment vs. Penetration Testing

Definition
  Vulnerability Assessment: Identifies, analyzes, remedies, and discloses security problems. These security techniques help companies limit their “attack surface.”
  Penetration Testing: Detects and exploits computer system flaws. This simulated attack finds vulnerabilities that attackers could exploit.

Frequency
  Vulnerability Assessment: On average, performed every quarter.
  Penetration Testing: At least once a year.

Approach
  Vulnerability Assessment: Finds and categorizes system vulnerabilities.
  Penetration Testing: Exploits weaknesses for insights.

Report
  Vulnerability Assessment: Lists all system vulnerabilities detected during a scan by severity and offers fixes.
  Penetration Testing: Details vulnerabilities found during a security test, listing flaws, threats, and possible remedies.

Performed by
  Vulnerability Assessment: Vulnerability scanning is a largely automated process.
  Penetration Testing: Penetration testing is a hybrid process that combines automated scanning with manual interaction.

Time and cost
  Vulnerability Assessment: Automated vulnerability assessment saves time and money.
  Penetration Testing: A penetration test is a time-consuming and costly process.

Typical prices
  • Vulnerability assessments typically cost $2,000–$2,500, depending on the number of IPs, servers, or apps checked.
  • Website penetration testing costs $349–$1,499 per scan.
  • Depending on your needs, SaaS or web application scans cost $700–$4,999.
  • Website penetration tests cost $2,500–$50,000.
  • Pentesting mobile and web apps costs $1,500–$5,000.
  • Cloud, network, and device pen testing quotes vary from $400–$2,000.
  • White-box penetration testing: $500–$2,000 per scan
  • Black-box penetration testing: $10,000–$50,000 per scan
  • Grey-box penetration testing: $500–$50,000 per scan

Limitations
  Vulnerability Assessment: Rarely yields zero false positives.
  Penetration Testing: Exposes the network to fraudsters, hackers, or severe data loss.

Best suited
  Vulnerability Assessment: Suitable for a multimillion-dollar SaaS firm or a small e-commerce venture that relies on data and must routinely check for security flaws.
  Penetration Testing: Ideal for firms with sophisticated applications and valuable data.

Outcome
  Vulnerability Assessment: The report will detail all potential vulnerabilities and may rank them by network threat.
  Penetration Testing: The penetration tester acts like a hacker to attack vulnerabilities (in an ethical manner) without stealing, exploiting, or destroying network data.


Why might an organization need to conduct Vulnerability Assessments and Pen Testing?

Most of the time, Vulnerability Assessments and Penetration Tests are grouped together. A good security program uses both vulnerability assessment and penetration testing to improve security maturity.

Vulnerability scans are often confused with penetration tests, but they provide different benefits. The best vulnerability management solutions regularly find, evaluate, report, and rank weaknesses in software and network systems. The findings are presented in an easily understandable format to protect your business-critical assets.

Vulnerability scans cannot replace penetration tests. Vulnerability scans identify risks at a high level while penetration testers investigate them. Penetration tests can show if vulnerabilities can be exploited to access your environment, whereas vulnerability scans cannot. Most vulnerability scans are automated, making them a better option for daily use. Alongside penetration tests, reviewing your environment’s vulnerabilities frequently can alert you to new vulnerabilities and their severity.

How can databrackets help with VAPT?

Before an attacker can discover the network, application, cloud service, and code vulnerabilities, databrackets’ A2LA-accredited process and pen testers can quickly and cost-effectively identify security vulnerabilities.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.