Kaseya, a year later: What have you learned? 



The ransomware notification informs you that your files are being held hostage and are “encrypted, and currently unavailable.” All file extensions have allegedly been changed to .csruj. In exchange for a key, the hijackers ask for payment. One “freebie” is offered: a single-use file decryption key, presented as a gesture of good faith to prove that the decryption key works.

The operators add (spelling preserved):

“Its just a business. We don’t care much about your deals or you. If we do not do our work and liabilities — nobody will not cooperate with us. It’s not in our interest. If you will not cooperate with our service – for us, its does not matter. We have the private key, so you won’t lose any of your data or time. In practice – time is much more valuable than money.”
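As an added defender-side example (not code from the original article), the following script scans a directory tree for the two artifacts the note above describes: files mass-renamed to the .csruj extension and a small text file containing the quoted phrase “currently unavailable.” The 50% ratio threshold, the note-size limit and the sample tree it builds are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".csruj"                  # extension named in the ransom note quoted above
NOTE_PHRASE = "currently unavailable"  # phrase from the quoted note
RATIO_THRESHOLD = 0.5                  # assumed: flag when half or more of the files carry the extension
MAX_NOTE_BYTES = 64 * 1024             # assumed: ransom notes are small text files


def looks_like_note(path: Path) -> bool:
    """True for a small .txt file whose contents contain the quoted phrase."""
    try:
        if path.suffix.lower() != ".txt" or path.stat().st_size > MAX_NOTE_BYTES:
            return False
        return NOTE_PHRASE in path.read_text(errors="ignore").lower()
    except OSError:
        return False


def assess(root) -> dict:
    """Walk root; report the share of files renamed to .csruj and any note-like files."""
    total = encrypted = 0
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            total += 1
            if p.suffix.lower() == RANSOM_EXT:
                encrypted += 1
            elif looks_like_note(p):
                notes.append(str(p))
    ratio = encrypted / total if total else 0.0
    return {"total": total, "encrypted": encrypted, "ratio": ratio,
            "notes": notes, "suspicious": ratio >= RATIO_THRESHOLD or bool(notes)}


def demo(compromised: bool = True) -> dict:
    """Build a constructed sample tree in a temp dir and assess it (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "clean.docx").write_bytes(b"ordinary content")
        if compromised:
            for i in range(3):
                (base / f"report{i}.xlsx{RANSOM_EXT}").write_bytes(b"\x00opaque")
            (base / "readme.txt").write_text(
                "Your files are encrypted, and currently unavailable.")
        return assess(base)


if __name__ == "__main__":
    print(demo())
```

A real deployment would run `assess` over file shares on a schedule and alert on the `suspicious` flag; the ratio check catches mass renaming even when the note is absent.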

Overview of the Kaseya ransomware attacks

On Friday, July 2, 2020, Kaseya Limited, a remote monitoring and management (RMM) software developer, discovered that it was under attack and shut down its servers. What happened was later described by Kaseya and the FBI as a well-coordinated “supply chain ransomware attack leveraging a vulnerability in Kaseya software against multiple MSPs (managed service providers) and their customers.”

Specifically, the attackers released a fake software update via an authentication bypass vulnerability that propagated malware through Kaseya’s MSP clients to their downstream companies.

On July 5, 2021, the Russia-based REvil group claimed responsibility and demanded US $70 million to decrypt all affected systems. But by the time REvil’s ransom demand made its way to its victims, many firms had already restored their systems from backups. Some victims had already paid between $40,000 and $220,000 for their individual ransoms.

Kaseya announced on July 23, 2021, that it had acquired a universal decryption key from an unnamed “trusted third party” and was offering it to customers. 

As reported by Reuters, REvil’s servers were forced offline on October 21, 2021 after they were hacked. Tom Kellermann, head of VMware cybersecurity, said, “the FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups.” Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations, added, “REvil was top of the list.”

In January 2022, the Russian Federal Security Service stated that REvil had been dismantled and that, after receiving information from the U.S., a number of its members had been charged.

‘Time is more valuable than money.’

Cybercriminals in training can start a home-based operation with just a few clicks. Ransomware-as-a-Service (RaaS) is on its way to becoming the world’s fastest growing multilevel marketing platform.

Major operators provide all the tools required to execute ransomware attacks. In exchange for a monthly flat fee or an affiliate subscription, all cyber tools and documentation are included. Affiliates sometimes earn as much as 80% commission on successful ransoms, and they are credited for their attacks through unique IDs embedded within the malware.

Since many cyberattacks aren’t fully disclosed, it’s difficult to accurately assess the financial impact ransomware has on business. However, according to the Internet Crime Report 2021, the IC3 received 847,376 complaints in 2021 regarding all internet crimes, with losses totalling $6.9 billion.

Coveware recently reported that ransomware cases in Q4 2021 averaged 20 days. Business disruption is the biggest cost of ransomware: even if your organization has backups to restore what has been lost, it can be days before systems are back up and running, which can have a significant operational, financial and reputational impact.

Many surveys have documented the disconnect between cybersecurity professionals and the actions, or inaction, of the C-suite. However, there are some signs that commercial software design practices are improving. A survey conducted by the University of California, Berkeley, and GitLab found that automated software pipelines are discovering security flaws before code is shipped, that DevOps is shifting left, and that mindsets are changing.

Guidance for mitigation and hardening

RaaS providers use the identifiers embedded in their malware to attribute attacks to affiliates remotely and pay them commissions. The same identifiers allow investigators to link individual attacks to larger campaigns.

“While the industry has continued integrating security into development, and organizations are beginning to improve security overall, our research shows that a more clear delineation of responsibilities and adoption of new tools is required to completely shift security left,” said Johnathan Hunt, vice president of security at GitLab. “In the future, we hope to see security teams find more ways to lay out clear expectations for the other members of their organization, and continue to adopt innovative technologies for scanning and code reviews to improve speed and quality of development cycles.”

In April 2021, the National Institute of Standards and Technology (NIST) released a report on defending against software supply chain attacks. It describes common attack techniques and the steps network defenders should take to minimize vulnerable software components.

NIST recommends that organizations implement a vulnerability management program. Such a program allows them to scan for, identify and triage vulnerabilities, then take steps to mitigate them. An organization’s vulnerability management program should include processes and tools for applying software patches as necessary.

Configuration management and process automation are two ways network defenders can track the products and services their enterprise uses and the vendors who provide them. Keeping up with changes to each product or service (patches, new versions, end-of-life events, etc.) is difficult, but essential.

RaaS attacks will continue and, by all accounts, will become more streamlined. You will need trained employees and constant vigilance to avoid losing your business’s data, time, and money.
