Huge ransomware attack hits hundreds of US businesses

Soupreme

Posts: 33   +2
Staff
A hot potato: A ransomware attack has hit hundreds of businesses across the US, in a supply chain attack that targets Kaseya's VSA system management platform (used for remote monitoring and IT management). While Kaseya claims less than 40 of over 36,000 customers were affected, the targeting of large managed service providers has led to vast numbers of clients further downstream being hit as a result.

Kaseya states that it was made aware of a security incident around noon on Friday, as a result they put its cloud services into maintenance mode and issued a security advisory advising that all clients with a local VSA server to shut it down until further notice, as "one of the first things the attacker does is shutoff administrative access to the VSA." Kaseya also notified the FBI and CISA as well as started its own internal investigation.

The company's second update stated that the shutdown of cloud VSA was done solely as a precaution, and that customers using their SaaS servers "were never at risk." However, Kaseya also said that these services will remain suspended until the company determines it is safe to resume operations, and at the time of writing the cloud VSA suspension had been extended further to 9am ET.

How infected systems look. Image: Kevin Beaumont, via DoublePulsar

Ransomware gang REvil appear to have their payload delivered via a standard automatic software update. It then uses PowerShell to decode and extract its contents while simultaneously suppressing numerous Windows Defender mechanisms such as including real-time monitoring, cloud lookup, and controlled folder access (Microsoft's own built-in anti-ransomware feature). This payload also includes an older (but legitimate) version of Windows Defender, which is used as a trusted executable in order to launch a DLL with the encryptor.

It's not yet known if REvil is stealing any data from victims before activating their ransomware and encryption, but the group is known to have done so in past attacks.

The scale of the attack is still unfolding; supply chain attacks like these that compromise weak links further upstream (instead of hitting targets directly) have the potential to wreak havoc on a broad scale if those weak links are widely used -- as Kaseya's VSA is, in this case. Furthermore, its arrival on the weekend of 4th of July seems to have been timed to minimize the availability of staff to deal with the threat and slowing the response to it.

BleepingComputer initially stated that eight MSPs had been hit, and that cybersecurity firm Huntress Labs knew of 200 businesses compromised by the three MSPs that it was working with. However, further updates from John Hammond of Huntress show that the number of affected MSPs and downstream clients is far higher than those first reports and continues to grow.

Demands have varied wildly. Meant to be paid in cryptocurrency Monero, most ransom appear to start at $44,999, but they can go all the way up to $5 million. Similarly, the due date for payment -- after which the ransom is doubled -- also seems to vary between victims.

Of course, both figures are likely to depend on the size and scale of the target effected. REvil, which US authorities believe has ties to Russia, got $11 million out of meat processors JBS last month, and demanded $50 million from Acer back in March.

Masthead image: Bleeping Computer

Permalink to story.

 

hahahanoobs

Posts: 3,596   +1,710
Kaseya should spend less time trying to downplay the event, and get to work making sure it doesn't happen again. I don't know if these companies are intentionally using weak security or what, but whatever they are doing, they better put a ton of money in a defense ASAP.

I can only hear so many of these attacks happening in short intervals before I just shake my head and move on to the next article. It seems like too many people are waiting until it happens to them before doing something about a defense.
 

wiyosaya

Posts: 6,366   +4,675
Kaseya should spend less time trying to downplay the event, and get to work making sure it doesn't happen again. I don't know if these companies are intentionally using weak security or what, but whatever they are doing, they better put a ton of money in a defense ASAP.

I can only hear so many of these attacks happening in short intervals before I just shake my head and move on to the next article. It seems like too many people are waiting until it happens to them before doing something about a defense.
Yes. It seems like for many companies, security is an afterthought. Profit is their chief aim and forget, more like F, security. Just like IoT devices. :rolleyes:

IMO, they have only themselves to blame for leaving a gaping hole in their service.
 

mountains

Posts: 36   +53
So the conventional wisdom of unquestioned "auto updates" and "always connected" seems to be part of the problem here. Just wait until a semi-nation state sponsored hacking group gets into MS auto updates. Or self driving cars. Or IoT. Or...?

Modern consumers need a guaranteed way to temporarily disconnect from the world on demand. A physical switch. Just like we had to temporarily disconnect from each other during the pandemic.

And when we disconnect stuff (our games, cars, O/S, everything) should still work in our own private walled gardens. This hack, while large, is nothing like what would happen during a real global conflict.

This is what consumers, led by us technologically inclined here, need to demand.
 

kiwigraeme

Posts: 460   +354
Monero is a great currency - why people are buying and investing it in all the time - lately we have lots of people buying 5 million dollars worth at a time - If it was a ponzi scheme - these people would not be investing in it - so take that you doubters
 

Vanderlinde

Posts: 44   +36
Geezus; hire someone who's expert on security hardening. That company should go bankrupt for making this happen (shoving up signed updates with malware payloads).
 

Bullwinkle M

Posts: 548   +438
So the conventional wisdom of unquestioned "auto updates" and "always connected" seems to be part of the problem here. Just wait until a semi-nation state sponsored hacking group gets into MS auto updates. Or self driving cars. Or IoT. Or...?

Modern consumers need a guaranteed way to temporarily disconnect from the world on demand. A physical switch. Just like we had to temporarily disconnect from each other during the pandemic.

And when we disconnect stuff (our games, cars, O/S, everything) should still work in our own private walled gardens. This hack, while large, is nothing like what would happen during a real global conflict.

This is what consumers, led by us technologically inclined here, need to demand.

Auto Updates are not a problem
I have never used Microsoft Security updates for Windows XP-SP2

Always connected is also not a problem
I have been connecting with Windows XP for 7 years now without a single malware problem

I study malware and ransomware online and never have a problem while running Windows XP
Others, just like like you have a never ending stream of problems regardless of which OS you use or how often you update

We have had the answer to malware and ransomware for years now but who is listening?
WHO?
 

arrowflash

Posts: 459   +495
Like always, auto updates breaking things and causing huge losses. Now imagine if instead of some little known remote access software, the attackers had managed to insert a payload on the Windows Update servers.

Despite all that, even among the TS public who should know better, there are lots of people who still use and defend the entire automatic updates paradigm.