Up to 1,500 Organizations Hit in Ransomware Attack
3rd Party Risk Management
,
Endpoint Security
,
Fraud Management & Cybercrime
Software Vendor Quiet on Whether It Might Pay for REvil’s Full Decryption Tool
Kaseya said late Monday that it believes between 800-1,500 organizations – mostly small businesses – were compromised via the sweeping ransomware attack that exploited its VSA remote IT management software.
See Also: Live Panel | Zero Trusts Given- Harnessing the Value of the Strategy
Up to 60 of its own customers were compromised, Kaseya said in an update posted late Monday. Those customers supply IT management services to others, which comprise the up to 1,500 organizations that it suspects will have been affected by the attack.
The numbers help pull into focus the scope of the attack, which used ransomware code developed by a suspected Russian or Eastern European group called REvil, aka Sodinokibi. Kaseya says in a separate news release that the types of businesses affected include dentists’ offices, small accounting offices and restaurants.
The REvil group – or attackers affiliated with it – claims to have compromised 1 million organizations, and on Monday began offering a single, universal decryption tool that will decrypt all victims’ files for $70 million in bitcoins. But one cybersecurity expert, Jack Cable, tweeted later that day that the asking price may have already dropped to $50 million, suggesting that victims haven’t been collectively rushing to pay (see Kaseya Attack: REvil Offers $70 Million ‘Super Decryptor’).
REvil is now asking for $50 million (lower than previously reported $70 million). Quickly lowering prices makes me wonder if they’re getting desperate. pic.twitter.com/crbubdw48g
— Jack Cable (@jackhcable) July 5, 2021
Whether Kaseya or others should pay for a universal decryptor is a tough call, says Jake Williams, who’s CTO of Rendition Infosec, an Atlanta-based information security consultancy, and also CTO of Dallas-based incident response firm BreachQuest.
“On the one hand, part of me would love to see Kaseya step up and pay on behalf of its customers,” Williams says. “On the other hand, if Kaseya does pay, it will definitely set a precedent that will likely spur more attacks like this, hoping the other vendors follow suit.”
Kaseya CEO Fred Voccola on Monday told Reuters that he has “no comment on anything to do with negotiating with terrorists in any way.” A Kaseya spokeswoman tells Information Security Media Group that Kaseya has cyber insurance. Some cyber insurance policies will cover paying ransoms, but it’s unclear to what extent such a policy might cover paying ransoms for Kaseya’s MSP customers, or those MSP customers’ customers.
On-Premises Patch Coming
The ransomware attack involving subverted Kaseya software is just the latest supply-chain hit to have caught businesses and governments off guard (see Biden Orders Investigation of Kaseya Ransomware Attack).
Kaseya says it detected the attack involving its software on Friday, after attackers issued a bogus software update for the company’s on-premises version of VSA, which is used by Kaseya’s customers to manage the IT systems of their clients. The attackers used VSA’s distribution mechanism to push ransomware onto the systems of hundreds of downstream organizations.
Kaseya might have avoided the attack entirely, if it had rolled out in-progress patches more quickly. The company had already been warned about software vulnerabilities in VSA by Dutch researchers and was working on fixes when the ransomware attack occurred. It’s unclear if attackers were aware of the vulnerabilities precisely because they’d already been camped out in Kaseya’s network for weeks or months, and thus timed their attack to exploit the flaws before they were fixed (see Kaseya Was Working on Patches Before Ransomware Attack).
A patch for the vulnerable, on-premises version of VSA is now undergoing testing and validation, and is due to be released by 5 p.m. EDT on Wednesday, Kaseya says. The company plans to first restore its software-as-a-service servers – scheduled to happen before 5 p.m. EDT on Tuesday – which it took down when the attack came to light, just in case they were at risk; the company says no SaaS customers were hit by ransomware.
On Monday, Kaseya also issued a new security advisory confirming the specifics of the attack, as multiple security firms and researchers had already deduced. Namely, attackers targeted zero-day vulnerabilities in VSA software to bypass authentication and run arbitrary code. “This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints,” the company says. “There is no evidence that Kaseya’s VSA codebase has been maliciously modified.”
Recovery: ‘Slow and Manual’
Although hundreds or thousands of organizations have been impacted, many have yet to be publicly revealed. But one prominent company, the Coop grocery chain in Sweden, was forced to shut down hundreds of stores after its point-of-sale devices became infected.
Swedish managed service provider Visma Esscom manages Coop’s cash registers, and on Saturday issued a statement confirmed that as a result of the ransomware attack, none of them were functioning. Visma Esscom says it immediately dispatched IT personnel to manually update all affected devices across the country. While that process could take days to complete, by Saturday evening, systems at some Coop stores in Stockholm had been restored and they were again trading.
Separately, Radio New Zealand reported on Monday that a non-profit kindergarten association was affected in that country, resulting in systems used by 100 kindergartens going offline. Also, 11 schools were impacted, although two of the schools had not used Kaseya in some time, the broadcaster reported.
The up to 1,500 organizations affected by the ransomware attack will face numerous challenges, including many likely having no idea how they’ve been affected, says Fabian Wosar, CTO of Emsisoft, a security company that researches ransomware.
Kaseya is “just what their chosen MSP picked to manage their clients’ infrastructure,” Wosar says. “Not paying the ransom would almost certainly mean a sizable number of affected businesses would have to go out of business – through arguably no fault of their own.”
But some organizations may be able to recover their data. Sophos, which published a comprehensive blog post on Sunday, found that the attackers did not delete volume shadow copies, a backup feature in Windows.
Volume shadow copies can be used to restore about 95% of files, with the exception of things like network shares and USB keys, says Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and the former CTO of CrowdStrike. But some organizations may have turned it off, meaning they would have no volume shadow copies of their data, he says.
Paying for a decryption tool from the REvil actors won’t speed up any affected organization’s response, Alperovitch says. For example, Colonial Pipeline Co., which supplies fuel to the U.S. East coast, paid $4.4 million in bitcoin to the DarkSide group for a decryption tool, but found that using its own backups was faster and more reliable (see Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).
In either case, Alperovitch says “restoration will be slow and manual.”
Executive Editor Mathew Schwartz contributed to this report.