The IT management software vendor, Kaseya, recently suffered a large-scale REvil ransomware attack – REvil is the same group supposedly responsible for attacking meat processing giant JBS at the end of May. The attackers were reported to have compromised Kaseya’s remote monitoring system, VSA, resulting in its customers temporarily shutting down their on-premises servers. According to Kaseya, who reported the attack on July 2nd, over the American Independence Day weekend, the VSA platform is used by more than 36,000 MSP customers worldwide.
The FBI described the attack as a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.” Kaseya CEO, Fred Voccola, downplayed the attack and said: “Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.” Days later, Kaseya said it is now working with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency on an incident-handling process for worldwide customers impacted by the cyber attack.
Kaseya states that less than 0.1% of the company’s customers were embroiled in the breach. Current estimates say that 800 to 1,500 SME-sized companies may have experienced a ransomware compromise through their MSP.
The attack is reported to have been executed via a malicious software update, highlighting the importance of patching. Once REvil got control of the VSA servers at the MSP level, they then began trying to extort victimised companies, which were mainly SMEs, for payments of $45,000.
What do we know about REvil?
REvil is a ransomware-as-a-service (RaaS) offering, which essentially means they are a group who develop and maintain malicious ransomware code and make it available online. They make their money from affiliates and any profits that are paid as a result of their ransoms. For example, JBS recently paid $11 million in bitcoins.
REvil are regarded as one of the most dangerous and active hacking groups around, alongside the likes of DoppelPaymer, Conti and Ryuk.
More Ransomware to Come?
JBS and Colonial Pipeline are just two of the recent high-profile ransomware attacks this year. The result has been the victims paying millions of pounds to get their operations back and minimise downtime.
Like Kaseya and many of its customers, businesses are continually finding themselves in crisis mode, faced with tightening their cyber defences and plugging existing holes. Neither come cheaply, but the cost of a ransomware attack is a heavier price.