The Kaseya cyberattack affected up to 1500 companies and organizations worldwide.
In July 2021, one of the world’s biggest software companies, Kaseya, fell victim to an extensive ransomware attack. The attack rapidly set off a global domino effect as customers of customers fell victim to the incident.
Kaseya is an American software company that develops and designs IT software. The company offers IT infrastructure solutions for managed service providers (MSPs) and internal IT organizations. Globally, more than 40,000 organizations use at least one of Kaseya’s software solutions, according to ZDNet.
The criminals exploited the flaws in Kaseya’s Virtual System Administrator
The criminals were identified as the well-known ransomware group REvil, believed to be Russia-based. They attacked Kaseya’s Virtual System Administrator (VSA) platform, software designed to manage an organization’s complete IT infrastructure and deployed to the company’s MSP customers. The cybercriminals used zero-day exploits to gain access to the VSA platform and to distribute malicious software to its systems and customers, according to RiskBased Security.
The ransomware was delivered via an auto update, and the criminals demanded $70 million from Kaseya in order to restore the platform.
Affected companies and organizations worldwide
Since Kaseya is a provider of technology to MSPs, which in turn serve other companies, Kaseya is also central to a wider software supply chain. The MSPs rely on Kaseya’s technology to manage IT tasks for their customer companies. To do so, they use the VSA platform to perform tasks such as updating systems and removing or adding programs. As a result, the attack affected over 50 MSPs and between 800 and 1500 other companies using services provided by those MSPs, according to CRN.
What happened in Sweden provides a relevant perspective on the global reliance on MSPs for IT services. As a result of the cyberattack, it is argued that 20 percent of the country’s food retailers, pharmacies, and train ticket sales had to close down. Most of the victimized businesses were not direct customers of Kaseya but users of affected MSPs’ services. The Swedish food chain Coop had to close around 800 shops all over the country because its IT system went down due to the attack, as reported by Security Week.
Kaseya never paid the ransom
When it was clear that the VSA platform was the victim of the attack, Kaseya rapidly shut it down to prevent further malware from being directed to its customers. It also contacted the FBI and CISA and engaged third-party vendors such as Huntress and Sophos to help resolve the incident.
The ransom of $70 million was never paid, and after a week of analysis and software hardening Kaseya managed to restore certain services for MSPs and created a patch for on-premises VSA customers. The FBI also helped Kaseya by providing it with a decryption key three weeks after the attack.
It remains uncertain how many customer endpoints were encrypted in the incident. The hackers claimed to have hit around one million endpoints, but the actual number is still unclear, according to MSSP Alert.