Kaseya Ransomware Attacks 1 Year Later: Have We Learned?

This July 4th weekend marked the one-year anniversary of the Kaseya supply chain ransomware attack, in which the REvil ransomware group abused Kaseya's VSA remote management software to push ransomware through managed service providers (MSPs) to their downstream customers. We heard from two experts on what the attacks meant for the industry, how organizations have learned from the incident, and what we should still expect from ransomware threat actors.


Den Jones, CSO at Banyan Security

"The issue last year was not that we lacked sufficient technology or process to prevent an attack like the one against Kaseya and its VSA software a year ago. For example, had device trust been employed along with their authentication system, the attackers would not have been able to circumvent authentication controls and gain access. Adopting a ‘zero trust’ mindset significantly reduces the possibility of both the initial attack (because you’ve prevented an attacker from being able to authenticate) and the downstream spread of malicious activity (by adopting least privilege access, thus limiting lateral movement).


While these threats aren’t new, their reach grows when they can successfully attack an MSP, which acts as a ‘threat multiplier’ due to its reach. And certainly, as MSPs become more pervasive, their attractiveness as a target for attack increases. An unfortunate reality is that these types of attacks often disproportionately affect smaller companies that lack the experience and resources to prevent them.


Small businesses need to know that their size does not afford them any protection from attack. Leveraging a zero trust framework, which removes implicit trust, requires all users to be authenticated, validated, and continuously authorized, and ensures that both user identity and device trust are employed, goes a long way toward protecting against attack. This added security does not need to be difficult or expensive, and can result in a better user experience."


Tom Badders, Senior Product Manager, Telos Corporation

"Since the chained ransomware attack on Kaseya, numerous ransomware preparedness guidelines and defensive applications have been brought to the market. It's difficult to say how ransomware preparedness will help to stop an attack. Attackers are constantly developing new ways to breach a system. When attackers use legitimate Windows processes, as REvil and their affiliates did with the Kaseya VSA breach, the malware tries to appear benign, making it harder for defensive applications to detect.

This is clearly a global problem for a number of reasons. First, the Kaseya breach, much like the SolarWinds breach, not only affects the company being attacked, but also targets all of the companies that use its product. Second, organizations like REvil and their affiliates target companies with large cyber insurance coverage, understandably believing they have something critical to protect and have the money to pay the ransom.

Recent news from cyber insurance companies indicates that they are not only consistently increasing premiums because of the continued rise in ransomware attacks, but are also classifying high-risk companies, such as MSPs, as requiring catastrophic insurance, possibly making it easier for these attackers to identify prime targets.

Unfortunately, many of the successful attacks are the result of human error, or of companies not implementing basic network security hygiene. Focus on user education on security hygiene is first in the list of things to do. Just as important, or possibly more important, is to use new and evolving technologies and procedures to protect critical assets. Segmentation of critical assets and discrete, need-to-know access can significantly reduce the number and type of attack surfaces on these assets.

Any business that depends on the internet to deliver products and services to its customers, or to receive system updates from its vendors, must have sufficient malware detection capabilities to ensure any new software update or patch is completely vetted prior to distribution into its own or its customers’ networks.

Another critical aspect of protection is to have a complete inventory of all servers on the network and know exactly how and when to segment them in the event of an attack or perceived attack. The faster they get the affected servers off the network, the sooner they can stop the chain effect."

