
    The 2021 ransomware cyberattack on the U.S.-based software company Kaseya is known as the Kaseya ransomware attack. The attack affected more than 2,000 organizations around the globe. Read on to learn more about the attack’s specifics and what organizations can do to prevent similar attacks.

    What Is the Kaseya Ransomware Attack?

    The Kaseya ransomware attack happened on July 2, 2021, over the United States’ Independence Day weekend. The attack targeted and infiltrated the system through the Kaseya Virtual System Administrator (VSA), a cloud-based IT monitoring and management solution offered by the company. The attackers hid malicious software in updates Kaseya sent to its customers, making this cyberattack more widespread than many other ransomware attack scenarios.

    Origins of Kaseya Ransomware

    The Russian hacker group REvil is reportedly behind the Kaseya ransomware attack. The REvil group, also known as Sodinokibi, has previously launched successful ransomware attacks on other companies, including the meat-producing company JBS, from which it received $11 million as a ransom payment. REvil operates under the ransomware-as-a-service (RaaS) model, in which it offers its hacking services to extort companies in return for a share of the ransom payment.

    How Did the Attack Work?

    Prior to the attack in 2021, researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) had identified security vulnerabilities in Kaseya’s software and shared their findings with Kaseya. The company responded by fixing four of the seven security vulnerabilities in the software; however, it had not patched all of the issues before the attack occurred.

    An authentication bypass vulnerability in Kaseya’s software allowed the attackers to infiltrate the system. Once in the system, REvil actors were able to upload a malicious payload to the host servers managed by the software. Because VSA distributes software to the endpoints it manages, the malicious payload reached those endpoints as well, which gave it a far wider impact than a compromise of a single server. As soon as Kaseya noticed the security breach, it shut down its VSA servers and issued a security warning to all its customers, including cloud and on-premises customers.

    According to Kaseya, the attackers used zero-day vulnerabilities to infiltrate the system. Kaseya remains confident that the codebase of Kaseya software was not maliciously modified during the attack.

    Impact and Aftermath of Kaseya Ransomware

    The attackers gained access to sensitive data, including customer data, and demanded a ransom to return the data. Because Kaseya is a Managed Service Provider (MSP), its software was being used by companies of all sizes and from several global regions at the time of the attack. The widespread impact of the Kaseya ransomware was felt from schools in New Zealand to supermarkets in Sweden.

    It is estimated that 145 victims of this attack are in the United States alone; among them are state and local government agencies and small to medium-sized businesses. It is one of the biggest ransomware attacks in history with a reported ransom demand of over $70 million. The CEO of Kaseya, Fred Voccola, declined to comment on the ransom amount saying he would not comment on “anything to do with negotiating with terrorists.”

    The impact of the Kaseya ransomware was so severe that U.S. President Joe Biden shared his concerns about the attack with Russian President Putin in a phone call on July 9, 2021. Biden later added that if Russia did not respond to this attack by taking down the hacking group, the U.S. reserved the right to take action itself.

    The FBI worked on taking down REvil’s services but was able to stand down when the hacking group went offline on its own. A few days after Biden’s call with Putin, the REvil infrastructure, including its website, vanished from the internet. On July 23, 2021, Kaseya announced that the company had received a decryption key for the stolen data.

    How Can Companies Prevent Kaseya-Like Attacks?

    Secure against lateral movement

    Hackers in the Kaseya attack were able to infiltrate Kaseya’s network of clients through the updates sent by Kaseya. Companies should limit client-side access by securing against lateral movement. They should also avoid flat networks that allow hackers to easily move between servers. Finally, companies should not allow third-party software to have unrestricted access to their ports, which is what happened in the Kaseya ransomware attack.

    Deploy perimeter security

    Companies can deploy a strong perimeter security system with firewall policies, DNS filtering, geo-blocking, and antivirus software to prevent ransomware attacks. Such security measures make it difficult for hackers to gain access to servers.

    Incorporate multi-factor authentication (MFA)

    All critical services and solutions must be protected with multi-factor authentication to minimize the possibility of hackers gaining access to user credentials.

    Apply security monitoring and auditing

    Attackers frequently need several breach attempts before one succeeds. The repetitive nature of these attempts gives companies the opportunity to spot suspicious or anomalous behavior by monitoring and auditing their security logs. Alerting the security team in time, or developing a patch to fix the vulnerability being probed, can have a huge impact on preventing ransomware attacks.
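    The monitoring idea above, as an added example that is not part of the original page: a small detector that reads authentication log lines, raises an alert when one source makes repeated failed logins inside a short window, and separately flags a success that arrives right after such a burst. The log format, the sample lines, and the `detect` function are all constructed for this illustration and are not the format or code of any real Kaseya VSA product.

```python
"""Added example: flag bursts of failed logins and any success that follows one.
The log format below is constructed for illustration, not a real product format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2021-07-02T14:00:01 203.0.113.7 admin LOGIN_FAIL
2021-07-02T14:00:03 203.0.113.7 admin LOGIN_FAIL
2021-07-02T14:00:04 203.0.113.7 admin LOGIN_FAIL
2021-07-02T14:00:06 203.0.113.7 admin LOGIN_FAIL
2021-07-02T14:00:07 203.0.113.7 admin LOGIN_FAIL
2021-07-02T14:00:09 203.0.113.7 admin LOGIN_OK
2021-07-02T14:05:00 198.51.100.2 alice LOGIN_FAIL
2021-07-02T14:20:00 198.51.100.2 alice LOGIN_OK
"""


def parse(line):
    """Split one constructed log line into (timestamp, source, user, outcome)."""
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (bursts, suspicious_ok).

    bursts:        (src, time) when a source reaches `threshold` failures within `window`
    suspicious_ok: (src, user, time) when a LOGIN_OK follows such a burst from the same source
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    bursts, suspicious_ok = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = parse(line)
        q = recent[src]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if outcome == "LOGIN_FAIL":
            q.append(ts)
            if len(q) == threshold:  # alert once, when the threshold is crossed
                bursts.append((src, ts))
        elif outcome == "LOGIN_OK":
            if len(q) >= threshold:  # a success right after a burst is the signal to act on
                suspicious_ok.append((src, user, ts))
            q.clear()  # a success resets the failure history for that source
    return bursts, suspicious_ok
```

The second source in the sample (one failure, then a success 15 minutes later) stays silent, which is the behaviour you want from a detector that is meant to surface repeated attempts rather than a single mistyped password.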
