Kaseya, one year later: What have we learned? 

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 — 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

The ransomware note informs you that your files are being held hostage and are “encrypted, and currently unavailable.” Allegedly, all file extensions have been changed to .csruj. The hijackers demand payment in return for a decryption key. One “freebie” is offered: a single-use file decryption key as a gesture of good faith to prove the decryption key works.

The operators add (spelling unchanged):

“Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities — nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

Overview of the Kaseya ransomware attack

On Friday, July 2, 2021, Kaseya Limited, a software developer for IT infrastructure that provides remote management monitoring (RMM), discovered they were under attack and shut down their servers. What happened was later described by Kaseya and the FBI as a well-coordinated “supply chain ransomware attack leveraging a vulnerability in Kaseya software against multiple MSPs (managed service providers) and their customers.” 

Specifically, the attackers released a fake software update via an authentication bypass vulnerability that propagated malware through Kaseya’s MSP clients to their downstream companies.

The Russia-based REvil group claimed responsibility on July 5, 2021, and demanded U.S. $70 million in exchange for decrypting all affected systems. But by the time REvil’s ransom demand made its way to its victims, many firms had already restored their systems from backups. Some victims had already negotiated their own individual ransoms, reportedly paying between $40,000 and $220,000. 

Kaseya announced on July 23, 2021, that it had acquired a universal decryption key from an unnamed “trusted third party” and was offering it to customers. 

As reported by Reuters on October 21, 2021, REvil servers were hacked and forced offline. Tom Kellermann, head of VMware cybersecurity, said, “the FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups.” Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations, added, “REvil was top of the list.”

This past January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members after being provided information by the U.S.

‘Time is more valuable than money.’

Budding cybercriminals can start their home-based business with a few clicks and a small financial investment. Ransomware-as-a-Service (RaaS) is on its way to being the world’s fastest growing multilevel marketing platform.

Major operators providing ransomware are bundling all the tools needed to carry out these attacks. All cyber tools, documentation and even how-to videos, access to a dashboard, and sometimes as much as 80% commission for successful ransoms received are provided in exchange for either a monthly flat fee, or an affiliate subscription. Affiliates receive credit for their attacks through unique IDs embedded in the malware they use.

Since many cyberattacks aren’t fully disclosed, it’s difficult to accurately assess the financial impact ransomware has on business but, according to the Internet Crime Report 2021, the IC3 received 847,376 complaints in 2021 on all internet crimes, with losses amounting to $6.9 billion.

A recent report from Coveware indicates that the average ransomware case in Q4 2021 lasted 20 days. The report also shows that the most serious cost from ransomware is associated with business interruption. Even if your organization has backups that you use to restore what’s been lost, it can be days before systems are back up and running, which can have a significant operational, financial and reputational impact.

Numerous surveys describe the breakdown in communications between cybersecurity pros and the actions taken, or not taken, by the C-suite. But there are indications that commercial software development practices are improving. A recent survey from GitLab indicates that automated software pipelines are discovering security vulnerabilities prior to code getting shipped. As devops is increasingly shifting left, there are also some mindset shifts going on. 

Mitigation and hardening guidance

Embedded identifiers enable the RaaS provider to remotely identify their affiliates and pay their commissions. But those identifiers also provide investigators a way to directly connect individual attacks with broader campaigns. 

“While the industry has continued integrating security into development, and organizations are beginning to improve security overall, our research shows that a more clear delineation of responsibilities and adoption of new tools is required to completely shift security left,” said Johnathan Hunt, vice president of security at GitLab. “In the future, we hope to see security teams find more ways to lay out clear expectations for the other members of their organization, and continue to adopt innovative technologies for scanning and code reviews to improve speed and quality of development cycles.”

The National Institute of Standards and Technology (NIST) released Defending Against Software Supply Chain Attacks in April 2021. The report highlights common attack techniques and actions network defenders should take to mitigate vulnerable software components.

Recommendations from NIST include a vulnerability management program thatch enables the organization to scan for, identify, triage and then mitigate vulnerabilities. An organization’s vulnerability management program should include processes and tools for applying software patches, as necessary.

Network defenders should utilize configuration management and process automation to track products and services the enterprise uses and the vendors that provide them. Keeping up-to-date with changes (patches, new versions, end-of-life events, etc.) for each such product or service is challenging, but fundamentally necessary.

RaaS attacks will continue and by all accounts they’ll become more streamlined. Preventing your enterprise from loss of data, resources, time and money will require trained staff, and vigilance.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.