August 24, 2021 | Troy Gill

A Deeper Look at the Kaseya Ransomware Attack: Lessons Learned

Prioritize backups, invest in proven security technology, and take inventory of partners and channels to decrease the likelihood of a breach or minimize damage.

The REvil group has gone dark. Many believe it is either the work of a government effort or a preemptive move spurred by fear of law enforcement. But given the timing and completeness of the takedown, this is probably a conscious decision on the group’s part, most likely to let the heat die down before an almost certain return under a new name. They have done this before, previously operating under other brands (see: GandCrab). They may even splinter into numerous smaller operations upon their return to diffuse the attention focused on them as a single group.

Before going dark, the Russian-linked group orchestrated a vicious supply chain attack on Kaseya, an enterprise technology firm serving managed service providers with close to one million international customers. The July 2 attack encrypted the files of hundreds of businesses through the company’s Virtual System Administrator (VSA) on-premises remote monitoring and management (RMM) product. Exploiting a zero-day vulnerability, REvil was able to launch more than 5,000 attacks on Kaseya’s MSP customer base as well as on the MSPs’ own customers.

Kaseya joined a growing group of disheartened supply chain threat victims: in April, REvil breached Quanta Computer, the world’s largest laptop manufacturer and a supplier to tech companies like HP, Facebook, and Google; SolarWinds was at the center of one of the largest and most sophisticated cyberattacks orchestrated against U.S. government systems in recent years, involving at least nine federal agencies; and one of the world’s largest meat processors, JBS Meats, was also hit with ransomware from REvil in May 2021.

While Kaseya has since obtained a master decryption key through undisclosed sources, the supply chain attack provides many teachable moments for the cyber community.

1. Backup, Backup, Backup

We can infer that the MSPs who were diligent about backing up their files were likely in a much better spot than the affected customers who were not. Their pocketbooks probably looked a lot healthier too; some companies were apparently asked for as much as $5 million to decrypt all the PCs in their network. The victims that failed to regularly and securely back up their files had a much weaker argument against paying up for a REvil key. While the MSPs affected in this breach were likely doing everything they could to prevent such an attack, nothing is ever guaranteed, especially as cybercriminals reach new levels of sophistication. That is why it is always in a company’s best interest to stay on top of backups and perhaps enlist the expertise of a backup services provider. Without a secure backup, organizations are left with compromised systems and no way to continue operations, which hurts their bottom line and their future reputation. Backups should be reliable, secure, and compliant. This includes, but is not limited to, a business’s choice of data center, data encryption, rules for data at rest and in transit, and the ability to purge backups.

2. Not Out of the Woods Yet

While many organizations scrambled to make sure they were not among the companies affected by the Kaseya ransomware attack, malware distributors looked to take advantage and create an opportunity for themselves. We tracked a malicious email campaign posing as a security patch related to Kaseya. The emails instructed recipients to open an attached executable file to fix the VSA vulnerability. These freeloader-type attacks prey on the uncertainty and fear surrounding high-profile incidents. In this specific campaign, cybercriminals weaponized Cobalt Strike, a commercially available tool often used by pen testers and red teams to help organizations better defend their networks. It is important to remember that security advisories and patches are a common lure in malware and phishing email attacks. Falling victim to this email attack would likely lead to ransomware and/or data theft, the very outcome the recipient was trying to avoid.

3. What’s in Your (MSP’s) Wallet?

The technology an MSP uses to manage its operations is just as important as the software itself. MSPs must employ solutions that are secure, resilient, and compliant, and they must also follow good security protocols. In Kaseya’s case, the company was able to shut down its VSA within hours to contain the vulnerability, involve law enforcement, and begin patching. Any entity that has any type of access to an organization should be seriously vetted. From channel partners to MSPs, cybercriminals can and will find the weakest link and work backwards to their desired target. Once a cybercriminal has access to an MSP, it has access to that MSP’s customers. So, rather than breaching a single bank, insurer, or airline, they can gain access to multiple organizations all at once. It is the difference between having a highly skilled safe-cracker and holding the master key to the bank’s vault. MSPs should seek out an experienced security solutions provider to proactively monitor for threats and vulnerabilities, address them, and quickly shut systems down when necessary.

While it is unfortunate that these ransomware attacks continue to infiltrate supply chains, we must be able to critically analyze what went “wrong” so that we can learn and improve for the future. It is always a good idea to prioritize backups, invest in proven security technology, and take inventory of partners and channels to decrease the likelihood of a breach or minimize the damage to our own business and the supply chain.

TROY GILL, GPEN, is senior manager of threat intelligence at Zix/AppRiver.
