Since July 2, 2021, CISA, along with the Federal Bureau of Investigation (FBI), has been responding to a global cybersecurity incident, in which cyber threat actors executed ransomware attacks—leveraging a vulnerability in the software of Kaseya VSA on-premises products—against managed service providers (MSPs) and their downstream customers.  


  • Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers | CISA. (n.d.). Cybersecurity & Infrastructure Security Agency. Retrieved December 3, 2021, from https://us-cert.cisa.gov/kaseya-ransomware-attack 


What is Kaseya? 

One of the most concerning ransomware attacks of the year took place in July. Kaseya VSA is a remote monitoring and management system that MSPs use to manage their customers' networks and PC maintenance.

Kaseya’s software offers a framework for maintaining IT policies and offers remote management and services.  

Ransomware attacks are becoming increasingly frequent and concerning. The attack on Kaseya, which likely will cost millions, brings to light the concerning trend of attacks and the question: how does this happen?  


The REvil gang pulled off one of the biggest ransomware heists in years on July 2, exploiting a vulnerability in Kaseya's on-premise VSA remote monitoring and management tool to compromise nearly 60 MSPs, encrypt the data of up to 1,500 of their end-user customers, and demand ransom payments from them.


The hacker group behind this attack requested $70 million in bitcoin. In return, Kaseya would receive a decryption tool to recover the encrypted data.

This is similar to the attack on Colonial Pipeline earlier this year. You can read our other blog on that attack here.


Did Kaseya pay the ransom? 

When a company finds itself the victim of ransomware, a hard decision must be made: either pay the hackers and receive the decryption key, or lean on your backups and refuse to pay the ransom.

Earlier this year Colonial Pipeline paid out $4.4 million to their attackers and only got around 75% of their data back, which still left them crippled for several weeks. What you will often find is that companies that pay the attackers do not receive all of their data back.

When the hackers are calling the shots, there’s no telling how much you will receive back. However, when Kaseya refused to pay the ransom, the most interesting turn of events came a few days later.  

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company wrote in an update on its website. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.” 

The company declined to answer media questions about the identity of the third party, whether a ransom was paid to obtain the key, and whether the decryptor works in all instances. REvil made the largest ransom demand of all time two days after the attack, offering on July 4 to decrypt all Kaseya ransomware attack victims in exchange for $70 million. REvil's online presence has since disappeared.

The hackers also dropped their original ransom demand from $70 million to $50 million, which some suggest was due to Kaseya's fast response to the hack, leaving the hacker group unsure whether they would receive payment at all.

Kaseya navigated this attack in an unusual way and was able to restore the affected data.

Who was affected by the attack?  

Close to 1,500 businesses could be at risk after this attack. Though Kaseya has only close to 600 clients, any of those clients could be holding potentially critical information for individuals or other companies, extending the list of those at risk to a much larger group than just their own clientele.

Very quickly after the attack, Kaseya pushed out several patches and updates for their systems.  


Prevention and Safety Measures. 

Preventing attacks, or having the proper protocols set up before an attack happens, is the key to navigating the hacker world as we know it.

Every day, hackers seek out new weak points to exploit for a big payday. So how do we protect ourselves from this happening at all?

Create a Security Plan: 

Creating a Cyber Security Plan is the best way to protect your interests, but where do you start? Here are a few of the basic areas to consider –  

  • How many computers do you have?  
  • How many operating systems?  
  • How many phones are connected to your system? 
  • Do you have a physical security system? 
  • Looking into your infrastructure, do you have Wi-Fi? Is that secure? 
  • What network devices do you have?  

Bringing in a company that specializes in this exact line of work is your best way of ensuring your doors are locked up tightly. Knowing that someone is consistently checking and testing all the back doors into your company can bring you peace of mind in the cyber world we live in. For instance, using Astoria's Uptime Security plan would help you cover all of these critical points in one full sweep.


  • Breach Plan. 

Identifying weak points in your own system is key to creating an airtight security plan.  

You also want to focus on a breach plan. What will you do in the event of a breach? You need to figure out what was breached, what was done in the system during the breach, and, if you are a business owner, whether any of your customers' systems were breached as well. Oftentimes hackers will breach one company with the intent of getting to another. They may not have been after you, but perhaps a customer of yours. Astoria also offers assistance in building a breach plan, helping you ask all the right questions and cover all your bases.


  • Passwords and 2fa. 

At Astoria, we cannot stress enough the need to keep your devices as secure as possible.  


Do NOT reuse the same password.

While this may seem easier, it isn't secure. Use a unique password for every device and app you own. Consider using a passphrase instead of a password; a passphrase could look like AstoriaprotectsyoulikeaHawk or IBelieveInBigfoot. The key is to be as creative and unique as possible.


2FA

Two-factor authentication (2FA) is one of the quickest ways to secure your devices. Requiring a second factor to log in to all your computers and applications helps keep hackers out even when a password has been stolen. You can read more about 2FA here.


Data Backup is Key. 

If you want to avoid the painful process of negotiating with hackers altogether, you need a game plan for backing up your systems. Making sure your data is fully backed up is how you avoid becoming the next victim of a cyber-attack. This is so crucial because, if you are caught by a hacker and you are backed up, you can say "It does not matter, because we are backed up" and continue your operations as usual.

Key steps to backing up your data. 

  • Do a backup every day.
  • Have a dedicated person who checks the backup daily to make sure it actually completed.
  • Keep at least 3 copies of the same data on file.
  • An off-site backup is crucial. It should not be stored at your house or your office but somewhere nobody knows about except for your most trusted personnel.
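The daily check the list asks for can be partly automated. The script below is an added example for this post, not Astoria's or Kaseya's own tooling, and it assumes a hypothetical layout: each day's archive is a file named backup-*.tar.gz in one directory, and a small .cksum sidecar (the output of the POSIX cksum utility) is written next to it at backup time. The check confirms that at least the required number of copies exist, that the newest one was written within the last 24 hours, and that every archive still matches its recorded checksum, so a truncated or tampered copy is noticed before the day you need it. The demo data at the bottom is constructed; the off-site copy still has to be verified separately.

```shell
#!/bin/sh
# Added example (not from the original post): a daily backup sanity check.
# Assumed (hypothetical) layout: archives named backup-*.tar.gz in one
# directory, each with a sibling FILE.cksum written by record_checksum.
set -u

# record_checksum FILE: store "crc size" from cksum next to the archive.
record_checksum() {
  cksum < "$1" | awk '{print $1, $2}' > "$1.cksum"
}

# check_backups DIR MIN_COPIES MAX_AGE_MIN
# Returns 0 when DIR holds at least MIN_COPIES archives, the newest archive
# is younger than MAX_AGE_MIN minutes, and every archive matches its sidecar.
# Prints one FAIL line per problem found.
check_backups() {
  dir=$1; min_copies=$2; max_age_min=$3
  status=0

  count=$(find "$dir" -maxdepth 1 -name 'backup-*.tar.gz' | wc -l | tr -d ' ')
  if [ "$count" -lt "$min_copies" ]; then
    echo "FAIL: only $count copies in $dir (need $min_copies)"
    status=1
  fi

  fresh=$(find "$dir" -maxdepth 1 -name 'backup-*.tar.gz' \
            -mmin "-$max_age_min" | wc -l | tr -d ' ')
  if [ "$fresh" -eq 0 ]; then
    echo "FAIL: no backup newer than $max_age_min minutes in $dir"
    status=1
  fi

  for f in "$dir"/backup-*.tar.gz; do
    [ -e "$f" ] || continue            # no archives at all: counted above
    if [ ! -s "$f" ]; then
      echo "FAIL: $f is empty"; status=1; continue
    fi
    if [ ! -f "$f.cksum" ]; then
      echo "FAIL: $f has no recorded checksum"; status=1; continue
    fi
    # Compare CRC and size recorded at backup time with the file as it is now.
    now=$(cksum < "$f" | awk '{print $1, $2}')
    want=$(awk '{print $1, $2}' "$f.cksum")
    if [ "$now" != "$want" ]; then
      echo "FAIL: $f checksum mismatch (truncated or tampered?)"; status=1
    fi
  done
  return $status
}

# --- Constructed demo data: three archives, only one written "today". ---
demo_dir=$(mktemp -d)
for d in 1 2 3; do
  printf 'constructed backup %s\n' "$d" > "$demo_dir/backup-day$d.tar.gz"
  record_checksum "$demo_dir/backup-day$d.tar.gz"
done
# Backdate two copies to 2021-07-01 00:00 so that only day3 counts as fresh.
touch -t 202107010000 "$demo_dir/backup-day1.tar.gz" "$demo_dir/backup-day2.tar.gz"

if check_backups "$demo_dir" 3 1440; then
  echo "OK: backups present, fresh and intact"
fi

# A corrupted copy is caught on the next run.
printf 'garbage' >> "$demo_dir/backup-day2.tar.gz"
check_backups "$demo_dir" 3 1440 || echo "corruption detected as expected"
rm -rf "$demo_dir"
```

Run it from cron once a day and have the FAIL lines mailed to the person responsible; a silent run is a passing run. cksum is a CRC, good for catching truncation and bit rot, not for defending against an attacker who can rewrite the sidecar, so keep at least one copy where the production servers cannot write.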


These are the most common ways we combat hackers and their attacks, along with a consistent and regularly updated plan for your business.

Astoria does not use any of Kaseya's services, but we want to help prevent these attacks from happening to you or your business. Don't know where to start? Contact us today through our website, www.trustastoria.com. We can help you prepare and protect your business and all of your valued customers!