The Kaseya ransomware attack occurred through the exploitation of CVE 2021-30116, an authentication bypass vulnerability within Kaseya VSA servers. This allowed the hackers to circumvent authentication controls and executive commands via SQL injection, giving them all the control they needed to deploy their ransomware payload and encrypt a segment of Kaseya's internal data.

In addition to compromising Kaseya's customer database, the hackers also targeted several of Kaseya's clients by pushing out the ransomware payload within a seemingly innocuous software update - a tactic that's synonymous with the advanced methods used in the SolarWinds hack.

Kaseya was intentionally targeted because it offers IT solutions to Managed Service Providers (MSPs) offering IT support to under-resourced businesses. It's estimated that almost 2000 businesses across 17 counties were impacted by the attack. Many infections spread through firms remotely managing IT infrastructures for multiple customers, making this event the biggest supply chain ransomware attack on record.

Kaseya ransom message
Kaseya ransomware message - Source:

Who was Responsible for the Kaseya Ransomware Attack?

Russian-linked ransomware gang REvil claimed responsibility for the attack on a dark web forum, boasting that over one million systems were infected with their ransomware. The ransomware gange also offered a decryption key to reinstate access to all seized systems for $70 million in cryptocurrency.

REVil announcing responsibility for Kaseya ransomware attack
Image source: Twitter user @darktracer_int

REvil (also known as Sodinokibi) is the same cybercriminal gang likely responsible for the mammoth Medibank data breach

Kaseya security report

See how your organization's security posture compares to Kaseya's.

View Kaseya's security report.

How to Avoid an Incident like the Kaseya Ransomware Attack

Your business could avoid falling victim to a security incident similar to the Kaseya Ransomware attack by adjusting your cybersecurity efforts to the following key learnings.

1. Expect to be Attacked During the Holidays

The Kaseya ransomware attack occurred during the July 4th weekend. Cyberattacks, especially ransomware attacks, tend to spike over holiday periods, with hackers taking advantage of leaner staffing numbers during the lull of business demand. 

With fewer IT and security staff on call, cyber threats are harder to intercept and contain after a network breach. Less security staff also makes it harder to support staff contending with a potential phishing threat - the primary initial attack vector for ransomware.

Implementing a zero-trust architecture will keep your cybersecurity program primed for imminent data breaches at all times, even while you're mentally unplugged on that long-awaited holiday. 

Learn more about Zero Trust >

2. Download the Kaseya VSA Detection Tool

With the impact of this attack specifically designed to proliferate across the supply chain, it's difficult to predict how far REvil's indicators of compromise have spread and how many systems are still vulnerable to compromise, despite this incident occurring in July 2021.

The presence of any indicators of compromise linked to this ransomware attack can be detected with this Kaseya VSA detection tool.

If you have a scanning solution in place, update it to include this list of CNC domains believed to be linked to Kaseya.

Is your business at risk of a data beach?

3. Implement Controls for Reducing the Impact of Ransomware Attacks

By implementing security controls across all of the major milestones of a ransomware attack pathway, the progression of an attack could be stopped or, at the very least, slowed down enough to be intercepted before sensitive resources are breached.

The ransomware attack lifecycle can be broken down into eight primary phases.

  • Phase 1 - Phishing Attack
  • Phase 2 - Victim Interaction
  • Phase 3 - Account Compromise 
  • Phase 4 - Privilege Escalation 
  • Phase 5 - Lateral Movement
  • Phase 6 - Data Exfiltration
  • Phase 7 - Data Encryption
  • Phase 8 - Data Dump
ransomware attack lifecycle

A list of suggested security controls corresponding to each of the phases are as follows:

Phase 1 - Phishing Attack

Security controls:

  • Security awareness training.

Phase 2 - Victim interaction

Security controls:

  • Web proxy
  • DNS Logs
  • Endpoint Security

Phase 3 - Account Compromise

Security controls:

  • Multi-Factor Authentication

Phase 4 - Privilege Escalation

Security controls:

  • Privileged Escalation Management
  • Zero-Trust Architecture
  • Password Manager
  • Multi-Factor Authentication

Phase 5 - Lateral Movement

Security controls:

  • SIEM
  • Zero Trust
  • Data Loss Prevention

Phase 6 - Data Exfiltration

Security controls:

  • Network Segmentation
  • Privileged Access Managemen
  • Data Encryption

Phase 7 - Data Encryption

Security controls:

  • Data backups

Phase 8 - Data Dump

Security controls:

  • Ransomware blog data leak detection.

Learn how to secure the ransomware attack pathway >

Ready to see
UpGuard in action?