Over the Fourth of July weekend, one of the largest ransomware attacks in history was carried out by the hacker group known as REvil. Between 1,500 and 2,500 companies were targeted in the attack.
In early April, the Dutch Institute for Vulnerability Disclosure (DIVD) identified seven vulnerabilities in the IT management system VSA (Virtual System Administrator). By April 6th DIVD had found 2,200 vulnerable systems and disclosed its findings to Kaseya, the company behind VSA. Kaseya resolved four of the seven vulnerabilities with patches released on April 10th and May 8th, but three remained. On June 26th Kaseya completed the patches for the remaining three vulnerabilities and scheduled them for release on July 7th. On July 2nd, VSA on-premises deployments were compromised.
Between 1,500 and 2,500 companies using the VSA system were targeted by a zero-day exploit: a cyberattack that targets a flaw the user does not know about, leaving the user zero days to fix it before it is used against them. By the time the attack is found it is too late. The cybercriminals were able to make use not only of the remaining three vulnerabilities discovered by DIVD, but also of an additional vulnerability that had gone undiscovered.
REvil took responsibility for the attack on their Dark Web leak site, Happy Blog, where they published details of the ransom.
While demanding $70,000,000 in BTC for a universal decryptor, the cybercriminal group also declared that they would be willing to work with companies on an individual basis, each paying a share of the ransom to decrypt its own files, and even offered to decrypt the first file for free.
Further, they wrote:
"It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. It's not in our interests. If you will not cooperate with our service - for us, it does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money."
As of today, Kaseya has been working on a software update to mitigate the flaws in VSA. There has also been an influx of fake updates to the VSA software that attempt to install backdoors instead of fixing the flaws.
How can you prepare and combat ransomware attacks?
· Create regular backups of all files.
· Use two-factor authentication to strengthen identity management.
· Deploy a layered protective model against your primary threats.
· Practice software vulnerability management:
o Software manufacturers must be vigilant against supply chain vulnerabilities.
o Organizations must be aware of their software exposure across the estate and employ zero-trust principles.
· When updating a system, be careful with any detection tools, patches, or protection tools that are distributed, and always verify the source as well as the integrity of the file.
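The last point, verifying the integrity of a patch before installing it, is the kind of check that stops a fake "update" from running in the first place. Below is an added example (not Kaseya's or Rapid Strategy's code) that checks a directory of downloaded files against a vendor-published SHA-256 manifest in the common `sha256sum` format of `<hex digest>  <filename>`. The manifest format, the file names and the file contents are assumptions constructed inline so the script runs offline; the scenario contains one genuine file, one tampered file and one file that is listed but absent.

```python
"""Verify downloaded patch files against a vendor-published SHA-256 manifest.

Added example, not code from Kaseya or Rapid Strategy. Assumes the vendor
publishes a manifest of '<sha256 hex>  <filename>' lines (sha256sum format);
the manifest and the files below are constructed inline for the demo.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 1 << 20  # hash 1 MiB at a time so large installers are not read into memory at once
HEX = set("0123456789abcdef")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<hex digest>  <filename>' lines; blank lines and '#' comments are ignored.

    Malformed lines raise rather than being skipped, so a truncated or edited
    manifest cannot silently verify fewer files than the vendor listed.
    """
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_directory(manifest_text: str, directory: Path) -> Dict[str, str]:
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results: Dict[str, str] = {}
    for name, digest in parse_manifest(manifest_text).items():
        target = directory / name
        if not target.is_file():
            results[name] = "MISSING"
            continue
        actual = sha256_file(target)
        # constant-time comparison of the two hex strings
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: one genuine file, one tampered file, one missing file."""
    genuine = b"EXAMPLE-PATCH-CONTENT\n" + b"\x00" * 1024  # constructed placeholder bytes
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "patch.exe").write_bytes(genuine)
        # a downloaded 'update' whose bytes differ from what the vendor published
        (d / "agent-update.msi").write_bytes(genuine + b"\x90")
        manifest = "\n".join([
            "# constructed manifest, sha256sum format",
            f"{hashlib.sha256(genuine).hexdigest()}  patch.exe",
            f"{hashlib.sha256(genuine).hexdigest()}  *agent-update.msi",
            f"{'0' * 64}  readme.txt",
        ])
        return verify_directory(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A hash match only proves the file is the one the manifest describes, so the manifest itself has to come from a channel you trust (the vendor's authenticated site, or a signed release note) rather than from the same download link as the file; a forged update shipped with its own matching manifest would pass this check. Pair it with the vendor's code signature on the installer, and treat any MISMATCH or MISSING result as a reason not to install.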
How can Rapid Strategy help?
Rapid Strategy aims to partner with you on your journey to provide fast and effective risk reduction strategies and controls in your environment. Rapid Strategy can quickly assess the state of your organization and provide you with strategic and targeted risk-based solutions. Contact us to accelerate your cybersecurity.