Kaseya provides a platform that MSPs use for remote software management, including pushing updates to their customers. The incident has been dubbed a supply chain attack: REvil breached Kaseya's software, infected Kaseya's MSP clients through an update, and through those MSPs gained access to thousands of downstream businesses.
“I suspect as most people come back to work today they’ll start to see there are issues. I think MSPs are already well aware that they have an issue that they’ve been impacted, but it will be the MSP customers as well,” Mr Lemon said.
The attack is under investigation by the Australian Cyber Security Centre.
On Monday morning, on one of REvil's shaming websites on the dark web, the ransomware group took credit for the attack, alleged that more than a million systems had been infected globally, and claimed to have a universal decryptor for the stolen data for sale.
Ransomware attacks are generally motivated by financial gain. Attackers hack into a network or system, extract private and sensitive information and then demand money from a company or individual in return for not releasing stolen data, or allowing access to encrypted computer systems.
There have been reports of ransom demands ranging between $US40,000 ($52,198) and $US5 million.
The incident will undoubtedly be at the top of the list for the newly formed Australian Federal Police ransomware taskforce, revealed by The Australian Financial Review last month. The AFP taskforce is working with the ACSC and the Australian Criminal Intelligence Commission (ACIC) to unify the approach to tackling ransomware operators.
Security firm Huntress Labs, which has been documenting the attack as it has unfolded, said it was tracking around 30 MSPs across Australia, the US, Europe and Latin America where the Kaseya breach was used to encrypt over 1000 businesses.
“There have been targets in Australia, but that list of people who’ve been impacted is still being gathered,” Internet 2.0 co-founder and security consultant Robert Potter said.
“Ransomware groups were already flying too close to the sun. They’re going to get themselves beaten up.”
Mr Potter said that when ransomware groups hit a couple of companies a week, the attacks are largely soaked up. But an incident at this scale will draw a global government response.
“The broad nature of the attacks, we’ve seen that before, but I don’t think we’ve ever actually seen a ransomware campaign in the non-government space anything like this size before.”
CrowdStrike Intelligence senior vice president Adam Meyers said that, based on his firm’s telemetry, the attack on Kaseya had the hallmarks of a threat actor it calls Pinchy Spider, the operator of the REvil ransomware.
“Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack, launched against a target to maximise impact and profit through a supply chain during a holiday weekend when business defences are down.”
Mr Meyers said the reported numbers of victims from the attack are likely to be just the tip of the iceberg.
“The continued success of large software supply chain attacks provides an ominous outlook for organisations of all sizes as threat actors observe how profitable and wide ranging they can be,” he said.
“Organisations must understand that these headlines are no longer warnings, but are a reality of what is in their future if they have not established a mature cybersecurity strategy.”
In May, ransomware operator DarkSide attacked Colonial Pipeline in the US, forcing the company, which runs major oil pipelines across the American east coast, to shut down all four of its major pipelines. The attack prompted a major response from the US government, which ended up recovering $US3 million of the $US5 million ransom paid.
In attacks prior to the latest incident, at least seven Australian businesses had been hit by the same ransomware, REvil, that stopped operations at JBS Foods. Suspected to have come from a group in Russia, the ransomware crippled the meatworks business in Australia and the US, leaving about 7000 meatworkers in Australia stood down without pay until the issue could be partially resolved.
ASD boss Rachel Noble told a parliamentary hearing in June that helping Nine Entertainment, which was hacked in March but did not pay a ransom, allowed the ACSC to warn two other organisations that were being targeted by the same cyber criminal group.