A new ransomware outbreak has surfaced, and given its scope, it has the potential to be one of the largest cyber attacks ever, on par with SolarWinds, WannaCry, and NotPetya. The attack’s seriousness stems from the way it was carried out: a supply chain target combined with some of the most powerful ransomware tools in use. The story of how the attackers gained access to systems is still emerging, but given the scope, the number of organisations affected could number in the thousands. According to BleepingComputer, the attack took advantage of Kaseya VSA, a managed service provider (MSP) platform that allows providers to perform patch management and client monitoring for their customers.
SCALE OF ATTACK
Although the total scope of the cyber attack is unknown, we do have a good idea of how many businesses have been affected. Beginning yesterday afternoon, July 2, the notorious REvil ransomware group (also known as Sodinokibi) targeted a suspected eight large MSPs. As a point of reference, cyber security firm Huntress Labs has indicated in reports that the intrusion has affected at least three of its partners, totaling at least 200 small and medium businesses. This is only the beginning.
Given the widespread use of the Kaseya VSA around the world, the number of businesses affected is likely to be in the thousands. The size is akin to the NotPetya hacks that wreaked havoc on global industry networks.
HOW THE ATTACK HAPPENED
“We are investigating a potential attack against the VSA that appears to have been limited to a small number of our on-premises clients only. Out of an excess of caution, we have proactively shut down our SaaS servers,” Dana Liedholm, senior corporate communications vice president at Kaseya, said in a statement. Kaseya had previously issued a message to its clients following the intrusion.
“We are investigating the underlying cause of the situation with extreme caution,” the statement said, “but we strongly advise that you IMMEDIATELY shut down your VSA server until further notice from us. Because one of the first things the attacker does is disable administrator access to the VSA, it’s vital that you do this right away.” In an interview with Wired, Kaseya CEO Fred Voccola indicated that he still “expects services to be restored within 24 hours.”
Kaseya VSA’s servers are currently unavailable while thousands of companies struggle to deal with the situation. The company also stated that it is currently collaborating with security professionals to address the matter. The Sodinokibi deployment, which leveraged the platform’s auto-update mechanism to push the ransomware out to small and medium businesses, was most likely the result of a privilege escalation exploit.
THE RANSOM DEMANDS
According to reports, the REvil gang is demanding $50,000 from small businesses whose devices have been targeted, and appears to be seeking $5 million from each of the eight MSPs. Of course, extrapolating the total ransom pool at this time is impossible. Kaseya has nearly 40,000 clients, and the total ransom pool that this REvil attack is targeting is far into the millions of dollars. The situation is still developing, so these figures will most likely change over time.
More information should become available as time goes on.