Everything we know about the Kaseya ransomware attack

Cybersecurity News


In what is considered to be the largest ransomware attack in history, a group of hackers has compromised at least 1000 companies in a stunning Fourth of July attack.

What

At the center of this cybersecurity breach, which has hijacked over 1000 companies across all five continents, lies a relatively small Florida-based tech firm called Kaseya. Just as the US was gearing up for a long holiday weekend, a group of hackers planted ransomware in one of Kaseya's software products, which then spread it to Kaseya's customers around the world.

Ransomware is a special form of malware which holds the victim's data ‘ransom’ until a fee is paid to the hackers. In this case, the hackers have demanded payments ranging from $500,000 to $5,000,000, to be paid in Bitcoin. If and when the victim pays up, they receive a ‘key’ which allows them to decrypt their devices and return to business as usual.

Unfortunately, this particular attack was extraordinarily devastating. The victim, Kaseya, specializes in providing software tools to other IT service providers, who in turn service tens of thousands of organizations worldwide. In this way, a single breach of Kaseya's network was capable of affecting millions of users around the world, many of whom had no idea that they were relying on Kaseya's software in the first place.

This in turn enabled the hackers not only to ransom Kaseya's own data, but also to demand payment from client organizations worldwide. These included a Swedish grocery chain that was forced to close 800 stores, as well as schools in New Zealand and several large IT providers in Germany and Holland.

Who

The group which executed this attack is known as REvil and is best known for its recent attack on the JBS meat-processing plants over the Memorial Day holiday back in May. The group is based in Russia and served as a point of contention during President Biden's meeting with Putin in Geneva last month. During that meeting, President Biden urged Russia to crack down on domestic cyber-terrorists, and indicated that a lack of action on Russia's part would be met with consequences.

While it's assumed that REvil does not receive direct aid from the Russian government, many believe that Putin's administration chooses to turn a blind eye to these attacks, in exchange for an understanding that Russia, as well as countries in the former USSR, will not be attacked.

During a meeting with reporters over the weekend, President Biden stated that the U.S. would respond if it was determined that the Kremlin is at all involved. In addition, he has asked the intelligence community for a "deep dive" on what happened. All this is to say that while REvil itself is a private group, continued provocations could potentially lead to a significant international escalation and multilateral conflict.

How We Can Help

Once immediate triage has been completed, Silent Breach can help conduct a full audit of your infrastructure to determine whether you or any of your suppliers rely on Kaseya's software and, if so, whether you've been implicated in the breach.

Our security team is fully briefed on REvil's strategies, IOCs, and fingerprints. This ensures that if there is anything to be found, we'll be able to locate it. This is particularly important with attacks of this level of sophistication, where extreme care is taken not only in penetrating the target, but also in hiding all traces of the attack.

At the same time, it's important to evaluate the risks and impacts of a potential attack. Importantly, even if Kaseya mitigates its own vulnerabilities, attackers may still retain access to your networks. Consequently, a BIA (Business Impact Analysis) and a Cyber Incident Response Plan must be created, reviewed, and/or evaluated in tandem with the above security audit.

In the event that malicious activity is identified on your network, our forensics team will be able to carefully capture and preserve that evidence for further analysis and legal processes. And, in either case, a full report detailing steps taken, discoveries made, and recommended mitigation steps (both short-term quick wins and a long-term roadmap) will be compiled for internal guidance as well as external stakeholder reassurance.

For more detailed descriptions of Silent Breach's Incident Response programs, please see our Incident Response and Managed Response pages. Or, for more information on how your organization may be impacted by the Kaseya Hack or for additional guidance, please contact Silent Breach at contact@silentbreach.com.


Additional Resources:
Are the JBS and Colonial Pipeline attacks just the beginning?
US Companies Struggle To Notice When They've Been Hacked
How Hackers Briefly Poisoned Florida's Water Supply


About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.