On the afternoon of Friday, July 2, reports indicated that the REvil ransomware gang was using a zero-day attack to actively target managed service providers (MSPs) who use Kaseya Virtual System/Server Administrator (VSA) to manage the networks of other businesses.
The attacks result in system lockups due to ransomware.
Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.
The attack is estimated to have led to the encryption of files for around 60 Kaseya customers using the on-premises version of the platform – many of which are MSPs who use VSA to manage the networks of other businesses. Approximately 1,500 downstream organizations (customers of those MSPs) are now affected across ~17 countries. In total, more than 1 million individual systems are estimated to be locked up due to ransomware.
According to security experts, this is the largest ransomware attack to date.
"Organizations around the world are being held hostage by ransomware, and many are being forced to pay cybercriminals because they're not equipped to combat the threat for varying reasons, from a lack of recoverable backups to the cost of downtime outweighing the cost of paying the ransom," said John Davis, vice president of public sector at Palo Alto Networks.
It's clear that the threat of ransomware is not only here to stay, but it is growing.
Shawn Kanady, Director of Threat Fusion & Hunt at managed detection and response provider Trustwave shared 8 areas that security leaders should make sure they're focusing on in order to be able to defend and respond to ransomware:
1. Back Up Your Data: Have an online backup, but also keep an offline copy of it as well.
2. Inventory Your Systems: Conduct an IT audit of your systems. Make sure that anything that's legacy or that can't be patched (like a Windows 2003 server) is isolated and highly monitored, because it will be your biggest liability.
3. Conduct Continuous Awareness Training: Keep your security awareness training up, because humans are the weakest link.
4. Implement a Patch Cycle Program: Have a good patch management program in which you're patching within 30 days. Make sure that third-party apps are also patched.
5. Perform Application Allowlisting: This is a huge factor in these types of attacks, and it goes beyond just ransomware to malicious downloaders as well. With application allowlisting, only the applications that you know about are allowed to run on your systems.
6. Deploy an EDR Solution: Baselining your systems and staying aware of any new or rogue processes on them will keep first-stage malware from going unnoticed and causing more harm.
7. Secure Email Gateway Solution: A strong secure email gateway solution will go a long way toward protecting what is commonly the initial infiltration vector, by removing malicious emails from the user's mailbox.
8. Initiate a Proactive Threat Hunt: To have a great defense in place, sometimes you have to go on the offense. Initiating a proactive threat hunt is a proven methodology for identifying ransomware threats.
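Items 5 and 6 above both rest on the same idea: record which executables are expected on a host, then flag anything that is not on that list. The script below is an added illustration of that baseline-and-compare check and is not code from the article or from Trustwave; the process names, paths and image bytes are constructed sample data, and the SHA-256 of each image stands in for whatever identity an EDR or allowlisting product uses. It distinguishes a brand-new executable from a known path whose image hash has changed, which is the case an attacker who overwrites a legitimate binary would otherwise slip through.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

@dataclass(frozen=True)
class ProcessEvent:
    # One observed process: display name, image path, and SHA-256 of the image file.
    name: str
    path: str
    sha256: str

def sha256_hex(data: bytes) -> str:
    # Hash of an executable image; here applied to constructed byte strings.
    return hashlib.sha256(data).hexdigest()

def build_baseline(events: Iterable[ProcessEvent]) -> Set[Tuple[str, str]]:
    # The baseline is the set of (path, hash) pairs observed on a known-good host.
    return {(e.path, e.sha256) for e in events}

def find_rogue_processes(baseline: Set[Tuple[str, str]],
                         current: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    # Anything whose (path, hash) pair is absent from the baseline is suspect.
    return [e for e in current if (e.path, e.sha256) not in baseline]

def classify(baseline: Set[Tuple[str, str]], event: ProcessEvent) -> str:
    # Separate a never-seen executable from a known path whose image changed.
    if (event.path, event.sha256) in baseline:
        return "known"
    known_paths = {path for path, _ in baseline}
    if event.path in known_paths:
        return "modified-image"
    return "new-executable"

# Constructed sample data: a known-good snapshot and a later one with two anomalies.
GOOD_EXPLORER = sha256_hex(b"sample explorer image")
GOOD_SVCHOST = sha256_hex(b"sample svchost image")

BASELINE_EVENTS = [
    ProcessEvent("explorer.exe", r"C:\Windows\explorer.exe", GOOD_EXPLORER),
    ProcessEvent("svchost.exe", r"C:\Windows\System32\svchost.exe", GOOD_SVCHOST),
]

CURRENT_EVENTS = [
    ProcessEvent("explorer.exe", r"C:\Windows\explorer.exe", GOOD_EXPLORER),
    # Same path as the baseline entry, but the image on disk no longer matches.
    ProcessEvent("svchost.exe", r"C:\Windows\System32\svchost.exe",
                 sha256_hex(b"tampered svchost image")),
    # A path that never appeared in the baseline at all.
    ProcessEvent("agent.exe", r"C:\Users\Public\agent.exe",
                 sha256_hex(b"unknown executable sample")),
]

def run_check() -> List[Tuple[str, str]]:
    # Compare the current snapshot against the baseline and label each finding.
    baseline = build_baseline(BASELINE_EVENTS)
    return [(e.name, classify(baseline, e))
            for e in find_rogue_processes(baseline, CURRENT_EVENTS)]

if __name__ == "__main__":
    for name, verdict in run_check():
        print(f"{verdict}: {name}")
```

In practice the baseline would come from an inventory taken right after a clean build (item 2 above), and a "modified-image" verdict on a system binary deserves a higher-priority response than a new executable in a user-writable directory, since it implies the original file was replaced.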