Just as Americans left for a long Fourth of July weekend, the Russia-based REvil group mounted the world’s largest supply chain cyberattack on Kaseya, a major IT management software company. Hackers demanded US$70mn in Bitcoin in exchange for a universal decryption tool that would disable the ransomware. While the company originally claimed that fewer than 40 of its clients were affected, it turns out that the attack disrupted more than a thousand companies.
Cyberattacks have made the news many times this year, but this is perhaps the most influential one yet. More than 36,000 customers use Kaseya’s VSA remote maintenance tool, and enough companies were affected by the cyberattack that even paying the ransom will be difficult and plagued with delays. ‘[We may see] a possibly unprecedented number of simultaneous negotiations’, said Brett Callow, a threat analyst at Emsisoft. ‘It’s simply another obstacle that victims may need to deal with’.
How Did the Attack Happen?
ESET security researchers have all but confirmed that the malware originated from REvil, the group that posted the bitcoin ransom. They’re the ones that initiated the JBS hack earlier this spring to extort US$11mn from the meatpacking plant, and they’re based in Russia. Organisations such as REvil offer Ransomware-as-a-Service (RaaS), providing malware kits for others to launch cyberattacks. Of course, if it works, they keep a cut of the ransom.
Similar to the SolarWinds attack, Kaseya’s software was infected via two-step malware delivery. Once REvil planted the ransomware and encrypted company data, they then offered up the decryption tool. This is a common method: shut down operations, wait until companies can’t stand it anymore. As Jason Crabtree, CEO of Qomplx, explained: ‘Lots of criminal organisations are finding out that you get paid millions of dollars if you disrupt our economy’.
Whom Does It Affect?
According to Kaseya CEO Fred Voccola, the attack affected nearly 50 to 60 customers, including around 40 managed service providers (MSPs). Small and medium-sized businesses often hire MSPs to outsource their IT infrastructure, which means that they’ll also be at risk. Unfortunately, SMEs lack the emergency funds of large enterprises, which means that many will be unable to pay the base ransom of US$45,000 for individual companies—or US$5mn for MSPs.
These cyberattacks continue to affect supply chains from all industries. Colonial Pipeline paid US$4.4mn to recover its gasoline and jet fuel operations in May; JBS paid US$11mn to restart its beef, chicken, and pork processing. From consumer electronics (Acer) to IT infrastructure (Kaseya), in fact, these attacks just keep coming.
How Do We React?
Biden has warned Russia that the United States will take action if the nation keeps promoting cyberattacks to pursue modern warfare. In the meantime, the FBI and the Cybersecurity and Infrastructure Security Agency are working with Kaseya to restore operations by Monday night. The company advised affected firms to immediately shut down their VSA servers and wait for further instructions.
According to Homeland Security, however, compromised companies should act quickly:
- Download the Kaseya VSA Detection Tool. The tool analyses a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
- Place the administrative interfaces of remote monitoring and management (RMM) tools behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organisation.
Overall, the Kaseya cyberattack is yet another reminder that it’s dangerous for corporations to rely on a single platform. The upshot: as supply chain managers start to realise that dual- and multi-sourcing techniques make global networks more resilient, we should recognise that proper security in an age of cyber warfare requires double, if not triple, backup.