Following Kaseya VSA attack, REvil ransomware gang demands $70M

 3 years ago
source link: https://siliconangle.com/2021/07/05/following-kaseya-vsa-attack-revil-ransomware-gang-demands-70m/

It’s never a dull day in cybersecurity. How many companies have been affected is the question of the day following news yesterday that the REvil ransomware gang had exploited Kaseya VSA and taken down a Swiss supermarket.

The REvil ransomware gang has targeted companies using information technology management software from Kaseya Ltd. The attack, which came ahead of Independence Day in the U.S., targeted managed service providers using Kaseya VSA in a supply-chain attack. The first confirmed victim was Coop, a Swiss supermarket chain that was forced to close about 500 stores as its cash registers and other payment options were taken down.

The REvil ransomware gang has taken credit for the Kaseya VSA attack and is demanding a payment of $70 million in bitcoin to publish a decryption key to decrypt the files of its victims. As The Record noted Sunday, if paid, it would be the highest ransomware payment ever made.

REvil claims that “more than a million systems were infected,” which would be the largest ransomware attack and potentially any form of hack in history. What’s lacking from REvil’s claim, however, is victims. There’s the Swiss supermarket and Kaseya has admitted that a small number of its managed service provider customers had been affected.

Questioning REvil’s perhaps spurious count of victims does not take away from the fact that the victim list is possibly in the thousands. CRN reported today that the victim count is “more than 1,000 small businesses across at least 17 countries by compromising their MSPs,” and that is what other reports suggest as well. To be fair, it is somewhat of a guessing game, but where are the victims in an age where it is a legal requirement to disclose data theft in the European Union and parts of the U.S.?

“Organizations should understand that even though they are not the ones managing the service they are receiving, they can be the ones to suffer the consequences,” Nadav Levy, senior product manager at external attack surface management firm Cyberpion Ltd., told SiliconANGLE. “Managed services are part of an organization’s ecosystem and should be treated and monitored no less than a proprietary asset. The Kaseya attack shows that all organizations need to up their game and change their perspective from protecting a walled garden to protecting the entire ecosystem of services and software that they use.”

Rick Holland, chief information security officer and vice president, strategy at digital risk protection solutions company Digital Shadows Ltd., noted that it shouldn’t be a surprise that extortionists would target critical software that could serve as the initial access into more victims’ networks.

“Extortionists are operating a business and want to generate as much revenue from as many victims as possible,” Holland explained. “MSPs leverage Kaseya’s software, making them an attractive target because extortionists can quickly increase potential targets.”

In addition, he said, companies that leverage MSPs are typically less mature small and medium-sized businesses, which usually have less mature security programs. “These victims are a desirable target as they may not have the means to eradicate the adversary and restore their IT systems, forcing them to pay the ransom,” he said. “Targeting an MSP that serves vulnerable small and medium-sized businesses is a diabolical extortion tactic.”
