Kaseya, MSPs are the latest ransomware victims


A ransomware attack on software firm Kaseya last July 2 has possibly affected over 1,000 businesses.

In its advisory and further updates regarding the incident, the Miami, Florida-based company said the attack has been limited to “a very small percentage” of on-premises customers using its VSA remote monitoring software. This number is estimated at fewer than 40 worldwide.

However, cybersecurity company Huntress Labs said in a Reddit post that it is working with “many” of the managed service providers where VSA was used to encrypt the files of over 1,000 businesses. The affected businesses were left with ransom notes, asking for payments ranging from thousands to millions of dollars.

In the same Reddit thread, Huntress Labs revealed that REvil, a Russia-associated ransomware-as-a-service organisation, is demanding $70 million to decrypt its victims’ files. REvil is one of the most infamous ransomware groups worldwide, responsible for dozens of major breaches since 2019.

Occurrences of ransomware have increased

Lotem Finkelstein, Head of Threat Intelligence, Check Point Software Technologies, commented on the incident, saying: “Ransomware attacks have grown over the last 12 months by 93%. North America saw a 32% increase of attacks in the last six months. I don’t think we’ve seen the peak for ransomware attacks. The influx of these breaches is only going to get worse. The threat actors behind ransomware aren’t just becoming bigger, they’re becoming better at what they do.”

“In Singapore, the attacks have increased by 40% in the last 2 months, 99% in the last 6 months, and 147% in the last 12 months. In Malaysia, the attacks have increased by 24% in the last 2 months, 90% in the last 6 months, and 261% in the last 12 months.”

Detection is the answer

Lior Div, CEO and co-founder at Cybereason, a cybersecurity technology firm, weighed in as well: “The global Kaseya attack is a reminder that the public and private sector need to change the way cyber conflict is fought. The truth is that attackers still enjoy the advantage. The goal isn’t to block and prevent all attacks. The goal is to quickly detect suspicious or malicious activity, and ensure you have the visibility, intelligence, and context to understand and remove the threat.”

“We need to shift focus from dealing with ransomware after the fact to disrupting the earliest stages of attacks through behavioral detections. This is the operation-centric approach to cybersecurity. We can’t just focus on the ransomware attack; by then it is too late. Look at the earlier stages of the attack when criminals are inserting malicious code into the supply chain, for instance. The ransomware is the symptom of the larger disease we need to treat,” said Div.

Div does not believe in paying ransoms. “Our recent research study found that 80% of companies that paid a ransom were hit a second time. Overall, paying ransoms only emboldens threat actors and drives up ransom demands. Still, whether or not to pay a ransom is an individual choice each company needs to make. Consult with your legal team, insurer, and law enforcement agencies before making any decision. In those rare life-or-death situations, paying a ransom could very well be the right decision,” said Div.