The future ramifications of the REvil Kaseya hack
In early July 2021, the ransomware group REvil exploited a vulnerability in on-premises servers running Kaseya’s VSA remote-management software, affecting around 60 managed service providers (MSPs) and, by Kaseya’s own estimate, fewer than 1,500 of their downstream clients.
Kaseya already knew about the vulnerability: the Dutch Institute for Vulnerability Disclosure (DIVD) had reported it, and a patch was in development.
Before that patch could be completed and distributed, REvil used the flaw to deploy ransomware through the compromised VSA servers, encrypting thousands of nodes across hundreds of end-user businesses.
What just happened?
Immediately after the attack, REvil posted a statement demanding a ransom of $70 million in Bitcoin in return for a universal decryptor covering every victim:
“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims ‘readme’ file instructions.”
In an update following the attack, DIVD said: “Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them … Unfortunately, we were beaten by REvil in the final sprint.”
What happens next?
Kaseya’s initial response was to instruct all customers to shut down their on-premises VSA servers until further notice, to prevent further infections, and to take its own VSA Software-as-a-Service (SaaS) infrastructure offline.
Within a day, Kaseya had released a Compromise Detection Tool to customers and begun a “restoration process” to prepare a patched VSA for redeployment.
On July 21st, Kaseya obtained a universal decryptor from an unnamed third party and began contacting affected customers with instructions for decrypting their files.
A Kaseya update on July 26th added: “Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment. As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”
What it all means
The incident shows that established IT software vendors, and the MSPs that depend on them, can be hit even when a vulnerability has already been found, responsibly reported and is being patched: the window between disclosure and patch deployment is itself an exposure.
IT security, as DIVD’s account makes clear, is a race against the attacker. Careful preparation can put hurdles in the attacker’s way and limit the damage when they win that race.
Server and network firewalls, email security and antivirus software with up-to-date signatures make it harder for an attack to gain a foothold. They are not sufficient on their own, though: in this case the ransomware arrived through a trusted management tool rather than through email or an exposed service, so it also matters which systems can reach management servers such as VSA (they should not be directly exposed to the internet), how quickly vendor patches are applied, and whether anyone is monitoring what those tools deploy to endpoints.
Combine this with backups to a secondary location such as the cloud, and you also gain an archive from which business-critical data can be restored after a successful ransomware attack. Backups only help if the attacker cannot reach them: keep at least one copy offline or immutable (write-once), keep its credentials separate from the domain and management-tool accounts, and regularly test that a full restore actually works.