It was probably inevitable that the two dominant cyber security threats of the day – supply chain attacks and ransomware – would combine to wreak havoc. This is exactly what happened on Friday afternoon, as the notorious criminal group REvil encrypted the files of hundreds of companies in one fell swoop, apparently thanks to compromised IT management software. And that is just the beginning.
The situation is still evolving, and certain details – most importantly, how the attackers infiltrated the software in the first place – remain unknown. But the impact has already been serious and will only get worse given the nature of the targets. The software in question, Kaseya VSA, is popular among so-called managed service providers (MSPs), which run IT infrastructure for companies that would rather outsource such things than handle them themselves. Which means that if you successfully hack an MSP, you suddenly have access to its customers. That’s the difference between cracking safes one by one and stealing a bank manager’s skeleton key.
So far, according to security company Huntress, REvil has hacked eight MSPs. The three that Huntress works with directly account for 200 companies that found their data encrypted on Friday. It doesn’t take much extrapolation to see how much worse it could get, especially given Kaseya’s ubiquity.
“Kaseya is the Coca-Cola of remote management,” says Jake Williams, chief technology officer of incident response company BreachQuest. “Since we are entering the holiday weekend, we will not even know how many victims there are until Tuesday or Wednesday next week. But it is monumental.”
Worst of both worlds
MSPs have long been a popular target, especially of nation-state hackers. Hitting them is a terribly effective way to spy, if you succeed. As a 2018 Justice Department indictment showed, China’s elite APT10 spies used MSP compromises to steal hundreds of gigabytes of data from dozens of companies. REvil has previously targeted MSPs as well, using its foothold in an independent IT company to hold 22 Texas municipalities hostage at once in 2019.
Supply chain attacks are also becoming more frequent, most notably in the devastating SolarWinds campaign last year that gave Russia access to multiple U.S. agencies and countless other victims. Like MSP attacks, supply chain hacks have a multiplier effect; tainting a single software update can yield hundreds of victims.
It’s easy to see, then, why a supply chain attack targeting MSPs has potentially exponential consequences. Throw ransomware into the mix and the situation becomes even more untenable. It’s reminiscent of the devastating NotPetya attack, which also used a supply chain compromise to spread what initially looked like ransomware but was in fact a nation-state attack perpetrated by Russia. A more recent Russian campaign also comes to mind.
“This is SolarWinds, but with ransomware,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “When a single MSP is compromised, it can affect hundreds of end users. And in this case, it seems that multiple MSPs have been compromised, so …”
Williams of BreachQuest says REvil appears to be asking victim companies for the equivalent of about $45,000 in the cryptocurrency Monero. If they fail to pay within a week, the demand doubles. Security news site BleepingComputer reports that REvil has asked some victims for five million dollars for a decryption key that unlocks “all the computers in your encrypted network,” a demand that may be aimed at the MSPs themselves rather than their customers.
“We often talk about MSPs being the mother ships for many small and medium-sized businesses and organizations,” says John Hammond, a senior security researcher at Huntress. “But if Kaseya is what’s affected, the bad actors have just compromised all of their mother ships.”