"Temporarily Closed. We have an IT-disturbance and our systems are not functioning." Swedish grocery chain Coop was hit hard by the Kaseya attack. Photo / AP
"Temporarily Closed. We have an IT-disturbance and our systems are not functioning." Swedish grocery chain Coop was hit hard by the Kaseya attack. Photo / AP
Hands up everyone who had heard of Kaseya before the weekend ransomware attack?
Non-geeks might assume it's the name of a dairy or cheese produce outfit, but no, it's a company that makes remote monitoring and management software or RMM.
Kaseya's Virtual System Administrator (VSA) RRM is used byManaged Service Providers or MSPs, which makes for an acronym soup but describes a model whereby businesses outsource their IT needs to shops that specialise in the verisame.
Why? Because setting up and keeping on top of rapidly changing IT environments isn't easy.
You need dedicated and experienced staff who are hard to find for that and they need costly resources and funding.
If IT isn't your core business, outsourcing the geeky stuff to an MSP makes sense. They should be able to keep software and hardware up to date, which in today's threat-dense interconnected world is an absolute requirement.
If you run your own systems and miss a patch on the ones that are reachable from the internet, chances are that it's game over for your organisation. Digital criminals and other miscreants scan for internet connected services with known flaws or which are misconfigured.
The above is all good and great until something goes wrong like it did with Kaseya last Saturday. It's a developing story and security researchers haven't yet worked out all the details but an associate of the REvil ransomware criminals managed to subvert an auto update for Kaseya VSA instances that MSPs were running themselves.
Indications so far are that the attackers didn't have to do anything particularly clever, and were able to simply exploit a file upload vulnerability.
Auto-updates are great until they're not. Especially not when they contain REvil ransomware and are being distributed to a yet to be established number of MSP customers all in one go.
One reason the attack was so successful is that as noted by security researchers, Kaseya's VSA software required specific folders on the computers to be excluded from anti malware scanners.
This is done for a range of reasons, mainly to avoid performance slowdowns as the anti-virus utilities open lots of files to scan. Kind of legit, but it did mean that the folders into which the REvil encryptor and scripts were dropped weren't scanned for malware.
Keeping software and hardware up to date in today's threat-dense interconnected world is an absolute requirement. Photo / 123RF
Maybe the criminals knew this, maybe not. Either way, there was nothing to stop the malware from encrypting user files. To make doubly sure that the attack would go undetected, the attackers ran scripts to quietly hobble the built-in Microsoft Defender anti-malware system as well.
Victims hit include businesses small and large in 17 countries, like some schools in New Zealand and the Swedish Coop grocery chain which had to close hundreds of stores. REvil claims the Kaseya attack encrypted over a million systems. This seems like an empty boast and there have been no indications yet as to the actual numbers.
However, in Australia, one MSP owned up to 300 customer sites being hit by ransomware. That's sites which often have several computers, so the number of encrypted machines is likely to be in the tens of thousands.
There are some glimmers of hope here. Apparently REvil did not copy over sensitive data from victims, although that's yet to be confirmed. The malware attack also appears not to have deleted special files in Windows, and these could be used for restoring data.
Attacks on MSPs are nothing new and there will be worse to come. Ransomware victims are paying up. This coupled with continually vulnerable IT systems ensures that the criminals' business model will remain viable for some time yet.
The irony here is that the victims didn't do anything wrong per se by leaving the management of their IT to the pros. Sleeping with one eye open, minding your networked computers to ensure that all important patches and updates were applied in a timely fashion is for the birds.
By definition, MSPs are trusted sources and there to protect their customers. The ransomware raiders however laughed at that notion, and waltzed right through the defences.
Having been burnt by anti-malware software and other expensive defence systems letting them down, to a point that their businesses are threatened, the Kaseya attack shows that whatever we're doing in terms of security is just wrong. Maybe it's time to rethink how we do IT, and shut everything down for a few days to fix up the worst of the problems?
