A new, mass ransomware attack has come to light, and given its scale, has the potential to be one of the biggest cyber attacks of all time – in line with SolarWinds, and even WannaCry and NotPetya. The reason for its severity is the fact that the attack was done in a devastating combination – using a supply chain target, with some of the most potent ransomware tools. The story is still developing at the moment, in terms of how the attackers found their way into systems, but given the scale, the potential number of companies affected may lead into thousands. The tool exploited a managed service provider (MSP) software, Kaseya VSA, which BleepingComputer describes as “a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.”
Scale of attack
The overall scale of the cyber attack is not yet known, but we have a fairly decent reference in terms of how many companies have been impacted. Starting afternoon yesterday, July 2, the notorious REvil ransomware gang Sodinokibi directed the scope at a suspected eight fairly large MSPs. For reference, cyber security firm Huntress Labs has stated in reports that at least three partners that it works with are affected by the hack as well, which sums up to at least 200 small and medium enterprises. This, is just the beginning.
Given the scale at which the Kaseya VSA is used around the world, the number of companies affected by this is realistically at least in thousands. The scale can be termed comparable to the NotPetya attacks that ravaged industry systems around the world.
How the attack happened
In a statement, Dana Liedholm, senior corporate communications vice president at Kaseya, said, “We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only. We have proactively shut down our SaaS servers out of an abundance of caution.” This follows a previous statement that Kaseya sent its clients following the hack.
The statement said, “We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.” Interestingly, Kaseya CEO Fred Voccola has stated in a media statement to Wired that he still “expects services to be restored within 24 hours.”
At the moment, Kaseya VSA’s servers remain offline as potentially thousands of companies work to deal with the crisis. The company has also confirmed that it is right now working with security firms to deal with the situation. An escalated privilege exploit was likely the root cause behind Sodinokibi, which used auto update processes to spread the ransomware through the small and medium enterprises.
The ransom demands
According to reports, the REvil gang is asking for $50,000 from smaller companies that have found their devices targeted. To the eight MSPs, Sodinokibi is seemingly asking for $5 million. The total ransom pool is, of course, too difficult to extrapolate right now. Kaseya has almost 40,000 clients, and all things considered, the total ransom pool that this REvil exploit is looking at falls well into the higher millions. The situation is, of course, developing – so the figures will likely evolve in time.
As time progresses, more details should emerge soon.