Kaseya Hack: Hundreds of Companies Hit with Ransomware

Global Ransomware Attack Impacts Hundreds of Businesses
A widespread ransomware attack unfolded on Friday, impacting numerous organizations globally. The incident caused significant disruption, leading to the temporary closure of hundreds of businesses, including a grocery chain, a national railway, schools, and a public broadcasting service.
Investigations revealed a common link among the victims: the utilization of network management and remote control software created by Kaseya, a U.S.-based technology company. Kaseya’s software facilitates remote IT network and device management.
Supply Chain Vulnerability Exploited
The attack leveraged a previously unknown security flaw within Kaseya’s software update process. Hackers, believed to be affiliated with the Russia-linked REvil ransomware-as-a-service group, exploited this vulnerability to distribute ransomware to Kaseya’s clientele.
The ransomware then propagated further: many of Kaseya’s direct customers are managed service providers, and the businesses whose networks those providers administer were infected in turn. Critically, many impacted businesses were unaware their networks were managed using Kaseya’s software.
Kaseya promptly advised customers to IMMEDIATELY shut down their on-premise servers. As a precautionary measure, even its cloud service, though initially unaffected, was temporarily taken offline.
Scale of the Attack
John Hammond, a senior security researcher at Huntress Labs, reported that approximately 30 managed service providers were initially compromised. This allowed the ransomware to spread to “well over” 1,000 businesses.
ESET, a cybersecurity firm, identified victims in 17 countries, including the U.K., South Africa, Canada, New Zealand, Kenya, and Indonesia.
Kaseya later stated on Monday evening that around 60 of its direct customers were affected, estimating the total number of impacted companies to be fewer than 1,500.
Details of the Vulnerability
Dutch researchers uncovered multiple zero-day vulnerabilities within Kaseya’s software during an investigation into the security of web-based administrator tools. These vulnerabilities, reported to Kaseya, were in the process of being addressed when the attack occurred.
A zero-day vulnerability is so named because the affected organizations have had zero days to implement a fix before it is exploited.
Kaseya's Response and Investigation
Fred Voccola, Kaseya’s chief executive, confirmed that the company’s own systems remained secure. This supports the theory that individual servers belonging to Kaseya’s customers were compromised through a shared vulnerability.
The company instructed users to keep affected servers offline until a security patch was available, anticipating its release by late Monday.
Strategic Timing of the Attack
The attack commenced late Friday afternoon, coinciding with the start of the July 4th holiday weekend in the United States. Adam Meyers, CrowdStrike’s senior vice president of intelligence, highlighted the deliberate timing.
“This attack exemplifies a ‘Big Game Hunting’ strategy, targeting a supply chain to maximize impact and financial gain during a period of reduced business security,” Meyers explained.
Ransom Demand
REvil claimed responsibility for the attack via a post on a dark web forum. The group demanded a ransom of $70 million in bitcoin in exchange for a decryption tool.
The group asserts that “more than a million systems were infected” as a result of the attack.