Kaseya is a large IT services firm that provides IT management software to companies worldwide. The company is the latest victim of REvil ransomware, and the attack may turn out to be bigger than the recent SolarWinds attack.
REvil ransomware, disguised as a system update, was used to hack into Kaseya’s computers. The attack on July 2nd was timed just before the 4th of July holiday weekend.
This attack differs from the 2020 SolarWinds attack. SolarWinds exposed sensitive data from United States government offices, as well as private companies. It has been called the “largest security breach” ever.
Kaseya is a software company used by more than 36,000 companies worldwide, and the ransomware attack puts the data of many of its key customers at risk.
Kaseya Updates Clients
Kaseya is posting a detailed description of the ransomware attack, along with client warnings and updates, on its website.
Kaseya is advising all of its customers to turn their systems off and remain offline.
- “Hosted VSA Servers will become operational once Kaseya has determined that we can safely restore operations. We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24-48 hours but that is subject to change) on a geographic basis. More details on both the limitations, security posture changes, and time frame will be in the next communique later today.
- All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase security posture.
- We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links as they may be weaponized.”
Experts are concerned
Nathan DeSutter, CEO of Compnology, claims that “We won’t know the full effect of this for at least days, the FBI is involved, the CISA, that’s the federal cybersecurity agency, is involved, and this is going to get much worse before it gets better.”
“Kaseya has about 36,000 customers, those customers are IT departments, commercial, government, they’re also IT providers the majority of them. If they manage 20, 30, 40, 50 customers each, each one of those companies has 50 to 100 employees, you’re talking about 50 million people that could potentially be impacted here,” DeSutter adds.
Once ransomware is installed on a computer, it locks down the data and holds it for ransom; a ransom note is then typically left behind.
“They’re asking between $50,000 and $4 million, some reports say $8 million,” said DeSutter.
This is a strategically timed supply-chain attack on IT management software provider Kaseya, and it is being under-reported in the media because of the holiday.
Kaseya attack setting precedents
Demi Ben-Ari, Co-Founder & CTO of Tel Aviv-based security management company Panorays claims that this attack may be setting dangerous precedents.
“That means the viral distribution of this thing is going to be massive. What has been reported so far is that more than a thousand companies have been affected, including some chains, like Swedish grocery retailer Coop, which was forced to close more than 800 stores. Their systems are literally all down,” Ben-Ari says.
In this attack, companies are being told to pay a large ransom, as much as $50,000 per employee per company.
“If you just multiply the numbers, the magnitude is massive,” says Ben-Ari, who agrees that the ransomware attack may be the largest in history.
“REvil is only interested in getting money and like other Russian ransomware groups, is believed to be sponsored by the Russian government, although that hasn’t been proven,” Ben-Ari said.
“The only solution is preparing ahead because the question isn’t whether something like this will happen, but when.”