Hundreds – if not thousands – of companies have been hit by a huge supply-chain ransomware attack that struck on Friday July 2nd, just as companies in the United States were closing down for the Independence Day holiday weekend.
What makes the attack unusual?
Normally a ransomware attack might impact one organisation. In this attack, however, it appears many many companies were hit virtually simultaneously – following the hack of servers belonging to an IT service company called Kaseya – via a poisoned automatic update.
So if my organisation isn’t a customer of Kaseya then we’re safe?
No, not necessarily.
Kaseya’s software is often used by managed service providers (MSPs) to manage clients’ systems. If your corporation relies upon services from an affected MSP then you may also find that your data has been encrypted by the ransomware attack.
Ouch. So how many organisations have been hit?
That is uncertain.
On Sunday night, Kaseya said that it believed the attack had “been localized to a very small number of on-premises customers only.”
Of course, it’s hard to know what Kaseya means by “very small.” The company’s website claims that it has 40,000 customers.
And it’s worth bearing in mind that Kaseya’s figure may not take into account companies using the technology via MSPs.
Security experts at Huntress have estimated that “well over 1,000 businesses” have had their data encrypted.
Meanwhile, the REvil ransomware gang that is responsible for the attack claims on its website that “more than a million systems were infected.” They may, of course, be counting the number of infected PCs rather than the number of impacted organisations. They may also, of course, be lying.
What we do know for certain is that some companies have been hit hard. For instance, Swedish supermarket chain Coop has shut approximately 500 of its stores, as its cash registers do not work.
Just had this confirmed by Coop Sweden – roughly 500 stores closed due to this cyber attack. It's taken point of sale tills offline as well as self-service checkouts. https://t.co/WwEEQxZyj8
— Joe Tidy (@joetidy) July 3, 2021
This sounds pretty bad. How did the hackers manage to breach Kaseya in the first place?
The attackers exploited a zero-day vulnerability in Kaseya VSA, technology which is supposed to help businesses monitor and manage their computer networks and automate software patching. The REvil gang were able to exploit the security hole to push out a bogus software update that installed the ransomware, and encrypted data.
In addition the attack shut administrators out of Kaseya VSA, and attempted to disable security products from a number of vendors.
They seem to have thought of everything.
Which is more than can be said for Kaseya, which told users to configure their security software to exclude folders used by Kaseya and treat Kaseya’s apps as “trusted.”
In retrospect that perhaps wasn’t such a wise idea…
Why has the REvil gang done this?
The usual reason: money. Victims are being told to pay a ransom for a tool to decrypt their data.
According to reports, REvil has been demanding $45,000 to decrypt each infected PC, or $5 million for an entire domain.
In addition, the REvil ransomware gang is offering to make publicly available a decryption tool that will “decrypt files of all victims” for the princely sum of $70 million worth of Bitcoin.
It seems they might be prepared to haggle on the price, however, judging by the conversations some have had with the group…
Is this the biggest ransomware attack of all time?
Where can I learn more?
- Kaseya security advisory.
- Rapid Response: Mass MSP Ransomware Incident – Huntress.
- REvil ransomware gang executes supply chain attack via malicious Kaseya update – The Record.
- Kaseya supply chain attack delivers mass ransomware event to US companies – Kevin Beaumont.
- The REvil ransomware gang – what you need to know.
Check out this episode of the “Smashing Security” podcast where I discuss REvil and the Kaseya ransomware attack in greater detail:
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.