The IT world is going crazy. Over Independence Day weekend, the REvil ransomware gang successfully compromised Kaseya's remote monitoring and management (RMM) software. Because it is one of the top RMM tools used by MSPs around the globe, the supply chain attack had a wide reach. To date, 70 MSPs have been impacted, leaving over 1,500 businesses worldwide riddled with ransomware.
How It Happened
The ransomware-as-a-service (RaaS) model is not a new framework. Instead of distributing the ransomware themselves, the malicious developers recruit others to distribute it by selling it to them as a service, and whatever ransom is paid as a result of the distributors' efforts is split between the distributor and the creator.
In this particular case, Kaseya had unpatched security holes within its network. Through those security holes, the cyber criminals were able to worm their way into the network and deploy their ransomware code to Kaseya's customers. From there, it was funneled down the supply chain to the MSPs' own customers.
The ransomware only impacted those MSPs using the on-premise version of Kaseya, which substantially diminished the number of potential victims. Had the cyber criminals targeted cloud-based Kaseya users as well, the numbers would have been far greater.
Learning From Kaseya
This is not the first time MSPs have been targeted. In 2019, an MSP was hit with an undisclosed ransomware variant, leaving 2,000 customers impacted and the MSP facing a $2.6M ransom demand.
The Kaseya attack took things one step further. Moving up one level in the supply chain meant far more MSPs were infected. It is entirely likely that the list of impacted MSPs will continue to grow, as will the number of their customers. Since being informed of the security holes, Kaseya immediately began pushing updates. Unfortunately, they simply were not fast enough.
The key to not being the next Kaseya is simple. Be proactive.
Had Kaseya patched its security vulnerabilities, this attack never would have wormed its way in. But what if they didn't know about the security holes? Kaseya is a major player in the RMM game. Regularly testing its network with vulnerability scanning software would help shed light on which holes can be exploited, so that Kaseya can take the necessary steps to patch them. Finally, layering an application whitelisting solution on top of the current security stack would stop unknown threats from executing. The application whitelisting approach only permits known, proven-safe applications to run, which significantly reduces the risk of falling victim.
Be proactive. Test your networks for security holes with vulnerability testing, then patch accordingly. Layer in a default-deny approach to security, like application whitelisting, and avoid being the next Kaseya.
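To make the default-deny idea above concrete, here is an added, constructed example (not code from this post or from any whitelisting product) of a hash-based application allowlist check: every executable is denied unless its content hash is on the list, so a binary with a trusted file name but unknown contents, such as an unexpected payload pushed through an RMM channel, is blocked. The file paths and byte contents are made up for illustration.

```python
"""Default-deny application allowlist check (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Executable:
    path: str       # where the file sits on disk (illustrative path)
    content: bytes  # the file's bytes, constructed inline below


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist is keyed by content hash, not by path or file name: a renamed,
# replaced or tampered binary hashes differently and therefore has no entry.
ALLOWED_HASHES: Dict[str, str] = {
    sha256(b"agent-build-9.5.6"): "RMM agent (known build)",
    sha256(b"office-suite-build"): "office suite (known build)",
}


def evaluate(exe: Executable,
             allowlist: Dict[str, str] = ALLOWED_HASHES) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Anything not listed is denied."""
    label = allowlist.get(sha256(exe.content))
    if label is None:
        return "deny", f"{exe.path}: hash not on allowlist (default deny)"
    return "allow", f"{exe.path}: {label}"


# Constructed sample set: the trusted agent in its normal location, the same
# trusted bytes in an odd location, and an unknown binary reusing the agent's name.
SAMPLE: List[Executable] = [
    Executable(r"C:\Program Files\Agent\agent.exe", b"agent-build-9.5.6"),
    Executable(r"C:\Users\Public\agent.exe", b"agent-build-9.5.6"),
    Executable(r"C:\Windows\Temp\agent.exe", b"unknown-dropper-bytes"),
]


def run(samples: List[Executable] = SAMPLE) -> List[Tuple[str, str]]:
    """Evaluate each sample; only the unknown binary is denied."""
    return [evaluate(exe) for exe in samples]


if __name__ == "__main__":
    for decision, reason in run():
        print(f"{decision:5s} {reason}")
```

Note that the odd-location copy is still allowed because the check is content-based; a blocklist approach would have let the unknown binary run until someone added its hash, which is exactly the gap default deny closes.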