What You Should Know — REvil Supply Chain Ransomware Attack Affects Thousands of Businesses Worldwide
Pondurance
July 19, 2021
Last week the REvil ransomware gang, believed to operate out of Eastern Europe and Russia, launched a ransomware attack against managed service provider (MSP) software company Kaseya Ltd. The attack exploited zero-day vulnerabilities in Kaseya’s Virtual System/Server Administrator (VSA) software and affected a myriad of businesses and public agencies worldwide. According to federal authorities, the attack has affected thousands of companies, making it the single largest ransomware attack to date.
On July 2, 2021, Kaseya released a statement on their website confirming the ransomware incident and advised that they had shut down their SaaS servers as a cautionary measure to prevent further spread. Kaseya mentioned that they immediately notified customers via email. Even though Kaseya stated that the attack only affected on-premises customers, many of those customers are MSPs that provide IT services to small businesses in sectors such as restaurants, financial services, and travel and leisure, so the impact extends to the MSPs’ own clients as well. For example, a Swedish grocery chain was forced to close at least 800 stores because their cash register software supplier was a victim of the attack.
The attack over the holiday weekend highlights the importance of having 24/7 monitoring across your entire digital landscape. The level of sophistication and the timing were planned to ensure the attack went undetected until staff returned from their holiday weekend. Supply chain attacks such as these affect more than just the direct customers of the provider; they are intended to spread rapidly downstream to those customers’ own clients, who never interacted with the compromised vendor directly.
The U.S. Government launched a new website to provide organizations with guidance and resources to defend against the rise in ransomware. StopRansomware.gov helps organizations understand the threat of ransomware, mitigate risk, and know what steps to take in the event of an attack.
For the Kaseya ransomware incident, customers using the Virtual System/Server Administrator (VSA) software should download the Kaseya VSA Detection Tool to analyze their systems to determine if there are any indicators of compromise (IoCs) present. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recommend that organizations do the following:
Shut down Kaseya VSA servers immediately
Enable multifactor authentication (MFA)
Limit communication with remote monitoring and management (RMM) to known IP address pairs
Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated network to eliminate man-in-the-middle access
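As an added illustration of the third and fourth recommendations above (this is example code written for this post, not a Kaseya tool or a Pondurance product), the following script audits a constructed RMM connection log against a list of known (client network, RMM server) IP address pairs and flags any administrative-interface access that did not arrive through the VPN. The log format, port numbers, network ranges, and log lines are all assumptions made for the demonstration and are not taken from the Kaseya incident.

```python
"""Allowlist audit for RMM traffic.

Demonstrates two of the CISA/FBI recommendations for RMM servers:
  * agent traffic is only accepted from known IP address pairs, and
  * the administrative interface is only reachable from the VPN pool.

Everything below (ports, addresses, log format, sample lines) is a
constructed assumption for illustration, not real Kaseya configuration.
"""

import ipaddress
from dataclasses import dataclass

# Assumed ports: agent check-in port and HTTPS admin interface of the RMM server.
AGENT_PORT = 5721
ADMIN_PORT = 443

# Assumed management network: only VPN clients may reach the admin interface.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")

# Known (client network, RMM server address) pairs. Constructed values.
KNOWN_PAIRS = [
    (ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_address("203.0.113.10")),
    (ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_address("203.0.113.10")),
]


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def parse_line(line):
    """Parse an assumed log format: '<timestamp> <src_ip> -> <dst_ip>:<port>'."""
    _ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port)


def check_connection(src, dst, port):
    """Return None if the connection is allowed, otherwise a reason string."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if port == ADMIN_PORT:
        # Admin interface must sit behind the VPN: only VPN pool addresses may connect.
        if s not in VPN_POOL:
            return "admin interface reached from outside the VPN pool"
        return None
    if port == AGENT_PORT:
        # Agent traffic must match a known (client network, server) pair.
        if any(s in net and d == server for net, server in KNOWN_PAIRS):
            return None
        return "agent traffic from an unknown IP address pair"
    return "unexpected port on RMM server"


def audit(lines):
    """Run every log line through the allowlist and collect the violations."""
    findings = []
    for line in lines:
        src, dst, port = parse_line(line)
        reason = check_connection(src, dst, port)
        if reason:
            findings.append(Finding(src, dst, port, reason))
    return findings


# Constructed sample log: two allowed connections and three that should be flagged.
SAMPLE_LOG = [
    "2021-07-02T14:00:01Z 198.51.100.25 -> 203.0.113.10:5721",  # known client network
    "2021-07-02T14:00:05Z 203.0.113.77 -> 203.0.113.10:5721",   # unknown source
    "2021-07-02T14:01:10Z 10.200.0.8 -> 203.0.113.10:443",      # admin over VPN
    "2021-07-02T14:02:30Z 192.0.2.200 -> 203.0.113.10:443",     # admin from client net
    "2021-07-02T14:03:00Z 192.0.2.15 -> 203.0.113.10:3389",     # unexpected port
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port}: {f.reason}")
```

The same pair list can be used to generate the firewall rules that enforce the policy; running it as an audit over connection logs additionally gives the SOC a way to catch traffic that reaches the server despite those rules, which is the kind of indicator 24/7 monitoring is meant to surface.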
If you believe you have been impacted by the VSA software incident or another cyberattack, Pondurance clients can rest assured that our SOC analysts are monitoring their network, endpoints, logs, and cloud infrastructure for IoCs. Our closed-loop incident response ensures that our SOC works directly with your team to deliver digital forensics and incident response services, with an experienced security analyst who investigates and contains the incident. As IoCs associated with cyberattacks are detected, our security analysts will contain the threat while alerting you to any suspicious activity.
Pondurance customers can contact their account manager for any questions or recommendations regarding the REvil ransomware attack on Kaseya VSA software.