Kaseya: Up to 1,500 Organizations Hit in Ransomware AttackSoftware Vendor Quiet on Whether It Might Pay for REvil's Full Decryption Tool
Software vendor Kaseya said late Monday that it believes 800 to 1,500 organizations - mostly small businesses - were compromised via the sweeping ransomware attack that exploited its VSA remote IT management software.
Up to 60 of its own customers were compromised, Kaseya said in an update posted late Monday. Those customers supply IT management services to others, which comprise the up to 1,500 organizations that it suspects will have been affected by the attack.
The numbers help put into focus the scope of the attack, which used ransomware code developed by a suspected Russian or Eastern European group called REvil, aka Sodinokibi. Kaseya says in a separate news release that the types of businesses affected include dentists' offices, small accounting offices and restaurants.
The REvil group - or attackers affiliated with it - claims to have compromised 1 million organizations. On Monday, it began offering a single, universal decryption tool - that it said would decrypt all victims' files - for $70 million in bitcoins. But cybersecurity expert Jack Cable tweeted later that day that the asking price may have already dropped to $50 million, suggesting that victims haven't been collectively rushing to pay (see: Kaseya Attack: REvil Offers $70 Million 'Universal Decryptor').
REvil is now asking for $50 million (lower than previously reported $70 million). Quickly lowering prices makes me wonder if they're getting desperate. pic.twitter.com/crbubdw48g— Jack Cable (@jackhcable) July 5, 2021
Whether Kaseya or others should pay for a universal decryptor is a tough call, says Jake Williams, who's CTO of Rendition Infosec, an Atlanta-based information security consultancy, and CTO of Dallas-based incident response firm BreachQuest.
"On the one hand, part of me would love to see Kaseya step up and pay on behalf of its customers," Williams says. "On the other hand, if Kaseya does pay, it will definitely set a precedent that will likely spur more attacks like this, hoping the other vendors follow suit."
Kaseya CEO Fred Voccola on Monday told Reuters that he has "no comment on anything to do with negotiating with terrorists in any way." A Kaseya spokeswoman tells Information Security Media Group that Kaseya has cyber insurance. Some cyber insurance policies will cover paying ransoms, but it's unclear to what extent such a policy might cover paying ransoms for Kaseya's MSP customers, or those MSP customers' clients.
On-Premises Patch Coming
The ransomware attack involving subverted Kaseya software is the latest supply chain hit to have caught businesses and governments off guard (see: Biden Orders Investigation of Kaseya Ransomware Attack).
Kaseya says it detected the attack involving its software on Friday after attackers issued a bogus software update for the company's on-premises version of VSA, which is used by Kaseya's customers to manage the IT systems of their clients. The attackers used VSA's distribution mechanism to push ransomware onto the systems of hundreds of downstream organizations.
Kaseya might have avoided the attack entirely if it had rolled out in-progress patches more quickly. The company had already been warned about software vulnerabilities in VSA by Dutch researchers and was working on fixes when the ransomware attack occurred. It's unclear if attackers learned about the vulnerabilities precisely because they'd already been camped out in Kaseya's network for weeks or months, were spying on internal communications, and thus learned of the flaw and accompanying remediation efforts. If so, they would obviously have timed their attack to exploit the flaws before it knew they were due to be fixed. (see: Kaseya Was Working on Patches Before Ransomware Attack).
A patch for the vulnerable, on-premises version of VSA, now undergoing testing and validation, is due to be released by 5 p.m. EDT on Wednesday, Kaseya says. The company plans to first restore its software-as-a-service servers - scheduled to happen before 5 p.m. EDT on Tuesday - which it took down when the attack came to light, just in case they were at risk; the company says no SaaS customers were hit by ransomware.
On Monday, Kaseya also issued a new security advisory confirming the specifics of the attack, as multiple security firms and researchers had already deduced. Namely, attackers targeted zero-day vulnerabilities in VSA software to bypass authentication and run arbitrary code. "This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints," the company says. "There is no evidence that Kaseya's VSA codebase has been maliciously modified."
Recovery: 'Slow and Manual'
Although hundreds or thousands of organizations have been affected, many have yet to be publicly revealed. But one prominent company, the Coop grocery chain in Sweden, was forced to shut down hundreds of stores after its point-of-sale devices became infected.
Swedish managed service provider Visma EssCom, which manages Coop's cash registers, on Saturday issued a statement confirming that as a result of the ransomware attack, none of the registers were functioning. Visma EssCom says it immediately dispatched IT personnel to manually update all affected devices across the country. While that process could take days to complete, by Saturday evening, systems at some Coop stores in Stockholm had been restored and were again functioning.
Separately, Radio New Zealand reported on Monday that a nonprofit kindergarten association in that country was affected, resulting in systems used by 100 kindergartens going offline. Also, 11 schools were affected, although two of the schools had not used Kaseya in some time, the broadcaster reported.
The up to 1,500 organizations affected by the ransomware attack will face numerous challenges, including many likely having no idea how they've been affected, says Fabian Wosar, CTO of Emsisoft, a security company that researches ransomware.
Kaseya is "just what their chosen MSP picked to manage their clients' infrastructure," Wosar says. "Not paying the ransom would almost certainly mean a sizable number of affected businesses would have to go out of business - through arguably no fault of their own."
But some organizations may be able to recover their data. Sophos, which published a comprehensive blog post on Sunday, found that the attackers did not delete volume shadow copies, a backup feature in Windows.
Volume shadow copies can be used to restore about 95% of files, with the exception of files such as network shares and USB keys, says Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and the former CTO of CrowdStrike. But some organizations may have turned it off, meaning they would have no volume shadow copies of their data, he says.
Paying for a decryption tool from the REvil actors won't speed up any affected organization's response, Alperovitch says. For example, Colonial Pipeline Co., which supplies fuel to the U.S. East Coast, paid $4.4 million in bitcoin to the DarkSide group for a decryption tool, but found that using its own backups was faster and more reliable (see: Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).
In either case, Alperovitch says, "restoration will be slow and manual."
Executive Editor Mathew Schwartz contributed to this report.