Last week, when news broke of the latest cyber target of the REvil ransomware operated by suspected Russian threat actor Sodinokibi, the scale of the attack was yet to be ascertained. Now, the general understanding is fairly sound – a sophisticated ransomware gang targeted a pretty popular enterprise software vendor, using it to exploit multiple of its vendors – which in turn encrypted thousands of devices belonging to small and medium sized companies. Case in point was Swedish supermarket chain Coop, which saw all 800 of its outlets frozen out of business as they failed to access their cash register.
The effectiveness of a supply chain attack
Such an attack, which occurs due to the source software used by thousands of devices across the world being compromised, is known as a supply chain attack. To simplify how this works, a threat actor first needs to identify a flaw in popularly used software, which in turn gives them access to potentially thousands of vendors and sub-vendors that can all be accessed through this software. It possibly is one of the deadliest and most effective forms through which a cyber breach can be enforced, and makes the most amount of sense, too – affecting thousands of companies through one breach can increase the chances of winning a ransom manifold, too.
Is this, then, the alarming precursor of such massive scale ransomware breaches becoming very common in future? We’ve already seen SolarWinds and Kaseya – will the future hold an ominous undertone? Speaking to News18, Mark Loman, director of engineering at cyber security firm Sophos, states that “common” may undersell the impact and extent of complexity and sophistication behind attacks such as the Kaseya ransomware incident.
The rise of sophisticated ransomware
“A ransomware attack usually requires considerable skill and effort on the part of the attackers. Once an attacker has penetrated a network, it usually takes from a few hours to a few weeks before they have gained sufficient knowledge of the victim environment to efficiently deploy the encryption attack. During this time defenders have a chance to notice the intruder and prevent the imminent attack.”
“In contrast, an attack via Remote Monitoring and Management (RMM) software is deployed automatically within seconds, with no signs of an impending attack at the victim’s end for them to detect. Such an attack, which impacts multiple businesses at once via a Managed Service Provider (MSP), usually happens through stolen access credentials that offer entry to an RMM control dashboard. But such an attack is typically isolated to a single MSP. It is rare that a ransomware attack hits multiple MSPs at once,” Loman says.
The rarity of such a cyber attack, Loman says, is essentially fuelled by previous successful breaches. “In the past two years, some successful ransomware attackers have raked in millions of dollars in ransom money, potentially allowing them to purchase highly valuable zero-day exploits. Certain exploits are usually only deemed attainable by nation-states. Whereas nation-states would use them sparingly for a specific attack, in the hands of cybercriminals, an exploit for a vulnerability in a widely used IT management platform can disrupt many businesses at once and have an impact on our daily lives,” he says.
The onus comes to MSPs
MSPs, or managed service providers, are likely to face the biggest impact of an attack such as this. While initial estimates were fairly tall, in a press statement shared with News18, Kaseya chief Fred Voccola says, “While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated.” The statement claims that the total number of companies impacted by the REvil breach is “approximately 50 of the more than 35,000 Kaseya customers.”
However, even if the actual impact of the attack were to be lesser than initial stipulation, the Kaseya ransomware attack was no less significant by any means. As Loman states, “Regardless of whether the affected business pays the ransom demand, the recovery effort will still be significant. Organisations use MSPs because they have limited IT resourcing, and these MSPs will be inundated with requests for assistance from impacted organisations to restore backups, and more, just when the very tool the MSPs would use to access customer environments to remediate issues, in this particular situation, is offline following the attack. It can take a considerable amount of time before businesses are restored to normal operation.”
It is this that makes for the most alarming aspect of supply chain ransomware attacks. Small companies, with very limited resources, are on the receiving end by being frozen out of their businesses for days. For MSPs, the real impact occurs in supporting the smaller organisations through the recovery phase. It is the latter that sees many ending up simply paying a ransom to get their data back on track – a death trap, as it is this ransom that will potentially also fuel the next NotPetya, SolarWinds or Kaseya.