What Is the Kaseya Ransomware Attack?

A flood of ransomware victims were hit the Friday before July 4th, this time all at once by leveraging a remote monitoring and management ("RMM") solution named Kaseya. Over 1,500 companies, including a grocery store coop, several schools, various small businesses and startups, and even a railroad company are known to have been affected, causing several to have to shut down operations.

Kaseya, the "RMM", is a tool used by managed service providers to remotely manage client devices. These MSPs are often used by smaller-sized companies to outsource IT services.

Hackers in this case exploited vulnerabilities in Kaseya's software update process, similar to the Solarwinds attack last December, to upload their ransomware program.

Attacks like this one, dubbed "supply chain attacks", are becoming a more frequently used strategy by ransomware gangs to distribute malicious code designed to extract payments from victims of all sizes. By focusing on breaching a distribution method like Kaseya's software, they're able to take down hundreds or even thousands of endpoints before being suppressed effectively by anti-virus and malware defenses.

Cybersecurity Steps Your Company Should Take Now

This type of attack proves that startups and small businesses can be targeted and affected by sophisticated attackers. Through the conduit of modern IT infrastructure and the plethora of vulnerabilities that exist, malicious actors are increasingly becoming victims of a strategy that breaches one provider but affects many small related companies.

If you use Kaseya

If your MSP runs Kaseya, or you're using it directly, disabling the software immediately is your best course of action as the investigation is underway. While Kaseya has shown a genuine commitment to responding to the attack, a patch for the malicious update is still in the works and as-of-yet undiscovered avenues may exist to exploit the attacker's existing access. Reach out if you need help disabling Kaseya.

‍

5 Proactive Security Tasks To Avoid A Ransomware Attack

RMM and related device management software can be wonderful tools to quickly and effectively respond to new threats by regularly rolling out security patches, configuring devices securely, etc. The irony is that they can also be used in attacks such as this to enable malicious actions such as the installation of ransomware.

The strategy of "Defense in Depth" should be leveraged by companies wishing to prepare for the next supply chain type or other increasing types of attacks. This strategy employs multiple security controls across the organization, and in various "depths", or layers of your technology and human processes in order to thwart an attacker that might make it through one of those layers from achieving their final goal.

‍

We recommend employing each of the following high-impact controls to defend against these types of attacks:

1. 1. Antivirus and Anti-Malware. These programs should be business-grade and installed on every device under company control. While some attacks will make it past these programs, several will be stopped in their tracks at the door here. Don't rely on consumer solutions or OS-installed guards. These can't be managed like a business-grade solution and often don't receive the same speed of updates to detect fresh threats.
2. Email security. Email is the #1 delivery mechanism of malicious programs like ransomware. While your email provider like Google Workspace or Office 365 will catch many threats, some sneak through weekly. Using additional email security tools such as Havoc Shield's Mail Armor suspicious message review service give your employees a resource for responding confidently to messages they identify as suspect.
3. OS and Software Updates. While this specific attack exploited an update process, that doesn't make keeping your software patched any less important. Ensuring your operating system is set to automatically update and using a patch management tool to ensure critical software receive updates as soon as they're available will keep a huge category of threats at bay. MSPs should do this for you, and Havoc Shield includes an automated patching service to take the process of your plate.
4. Backups. It's more a question of When, not IF a cyberattack or breach will occur at your company. Someone will click a link they shouldn't have. A vendor like Kaseya will be breached exposing you unknowingly. With that in mind, you must be able to both mitigate the chances of a successful attack and also be prepared to recover from one. Employ a backup solution such as Carbonite or Backblaze to regularly and automatically backup your files. Don't stop there though - ensure you have a practiced procedure for restoring those backups:
5. An Incident Response Plan. When an attack hits, your team should already know what to do, and have practiced doing it before hand. That's not something only large companies need to do, and it doesn't need to be a complicated affair either. At the least, assemble a list of people and activities that need to take place for common types of attacks - ransomware or employee account takeover via phishing are good examples. Practice running through the activities in your incident response plan like restoring backups or locking affected accounts and notifying your cyber insurance provider so that when the real thing happens, you can be back in business quickly. It is never too early to be proactive.

‍

While the above is just the start of a defense in-depth program, its existence will likely save you from many bad days. If you'd like help doing the above and building a cybersecurity program that will enable you to respond and recover more effectively to these accelerating attacks, reach out!

‍

We're available to help at hello@havocshield.com, clicking the blue badge in the bottom-right of any page, or calling 888.HAVOCSHIELD. Stay safe!