Is Your NE Ohio IT Company Running Kaseya VSA?
Just as many businesses and organizations were trying to put the recent string of ransomware attacks behind them, another ransomware attack took place. The REvil ransomware group carried out a weekend attack against over 30 managed service providers (MSPs). Over the weekend, reports started to pour in estimating that thousands of companies had their servers encrypted by ransomware. The attack on Kaseya has already been compared to the SolarWinds supply chain attack. As of July 5, 2021, the REvil ransomware group's ransom demands have reportedly reached $70 million.
ARCIS clients are not impacted by this recent cyberattack on Kaseya. Your NE Ohio business is safe when you partner with ARCIS as your trusted IT service provider.
Kaseya VSA is a cloud-based management and monitoring solution for businesses of all sizes. Kaseya VSA provides tools and functionalities to Managed Service Providers (MSPs) and IT enterprises, allowing them to efficiently and effectively manage and secure their IT capabilities. Kaseya VSA also allows vendors to perform client monitoring and patch management for their customers. Kaseya VSA is often described as a Remote Monitoring and Management (RMM) application. Kaseya VSA is commonly used among Managed Service Providers because it allows them to outsource key actions rather than doing them themselves.
What are Managed Service Providers?
Not every business has the resource capacity or the financial capacity to have a dedicated IT team. Managing servers, networks, workstations, etc. can be a complicated and frustrating task, and the price of failure can be damaging to a business, regardless of its size. To avoid major damage to business operations, many businesses prefer to use a Managed Service Provider, a company that will take care of all the complicated IT tasks.
There are various details that will need to be maintained to run an efficient and effective IT system, but not every business is able to put together a full-time IT staff. Since so many businesses use MSPs to outsource their IT responsibilities, many MSPs will automate as many tasks as possible so they can administer multiple networks at one time.
What happened in the Kaseya VSA attack?
Thousands of companies were hit with a supply-chain ransomware attack after the REvil ransomware group exploited a vulnerability in the Kaseya VSA software. Kaseya and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued notices advising all businesses and organizations to review the advisory released by Kaseya and shut down any servers that were running VSA.
After the initial attack, it was suspected that fewer than 10 MSPs and fewer than 300 businesses were hit with ransomware as a result of the Kaseya exploit. However, as the weekend rolled on, it was determined that more than 30 MSPs were hit, resulting in millions of companies being affected by the ransomware attack. The cyberattack against Kaseya has been so damaging that it forced a Swedish grocery store chain to close 800 stores.
The attack on Kaseya could have allowed the attackers to do the following:
- Gain full remote access to workstations and servers
- Obtain confidential and sensitive information
- Install malware
- Add accounts
- Delete data, remove administrative access, and hold an entire business or organization hostage
What could be the full impact of the Kaseya attack?
Whether through a supply chain attack or by directly attacking a high number of Kaseya installations, the mass ransomware campaign deployed ransomware onto the computers of MSP customers. Each victim of the attack is a small or medium-sized business that was relying on the services of the MSP to keep its operations running smoothly. Unfortunately, many of those businesses have already discovered or will soon discover that their computers are inoperable and/or their data is lost forever. Backups are often targeted by ransomware groups, which means many businesses that were targeted by the attack have already lost data. Even victims who still have their data can anticipate downtime of days or weeks.
What should you do?
ARCIS Technology Group encourages all businesses and organizations to quickly check and determine whether they or their MSP uses the Kaseya remote management tool. If any business or organization is currently running Kaseya, there are actions that need to be taken, including the following:
- Disconnect any devices and systems that are still connected to Kaseya VSA
- Check the backups and/or backup servers to ensure they are working properly and cannot be overwritten. Most ransomware attacks will target backups/backup systems when endpoint data is encrypted.
- Build and mature a threat hunting program
- Secure your networks using an IDS/IPS application tool
- Implement a Next-Generation Endpoint Detection and Response solution like SentinelOne
- Follow Kaseya’s recommendations, including searching for any Indicators of Compromise (IoCs)
If you have been impacted and need assistance, the ARCIS team is happy to help you or your local IT service provider. Please call our office at (330) 236-1011.
What happens next?
Unfortunately, the world has seen its fair share of high-profile ransomware attacks in a short timeframe. When ransomware attacks happen, there are always unanswered questions left behind as businesses are left to pick up the pieces. The damage already done by the supply chain attack is high. This attack is expected to spark more conversations and debates about cybersecurity, and about how to put an end to the REvil ransomware group.
Amidst the chaos surrounding a ransomware attack, the blame game begins. Unfortunately, debates always spark about who is to blame after these types of attacks. However, the fingers should not be pointed at Kaseya for being the recent victim of a massive ransomware attack. Any supplier of administration tools will be viewed as a target for ransomware groups, and this proved to be the case over the weekend. SolarWinds is an AD management tool, and it was also the victim of an attack.
It is unfortunate that ransomware has turned businesses of all sizes upside down in a matter of days, but it is promising to see the support and guidance that have been extended to those who were attacked over the weekend. While this is still a developing case, we anticipate more information to be released on Monday, July 5th, and in the coming days.
Please do not hesitate to reach out to ARCIS Technology Group today if you need assistance.