Recently hackers infiltrated a Florida-based tech firm, Kaseya, infected it with ransomware, seized troves of data and demanded $70 million in payment for its return. Conservative estimates put the number of organisations affected at several thousand. Others claim it is much higher.
Lucrative criminal enterprise
- Kaseya is a managed service provider. It offers remote management and monitoring of devices, and is used by companies that don’t have their own tech department.
- Kaseya regularly pushes out updates to its customers to ensure the security of their systems. In this case, however, the update process was hacked and customers were infected with ransomware disguised as an update. The hack is notable because the attackers targeted the very systems typically used to protect customers from malicious software. In short, customers were infected via a trusted channel, which undermines any notion of cyber security.
- Kaseya said that between 800 and 1,500 businesses were thought to be infected, though the figure is likely to be higher. In the US, local and state governments and agencies as well as small and medium-sized businesses were hit.
- Infections weren’t confined to the US. In Sweden, hundreds of supermarkets had to close when their cash registers stopped working, and in New Zealand many schools and kindergartens were knocked offline.
Affiliates of the Russian hacker group REvil claimed responsibility for the attack. REvil is the group that in June unleashed a major ransomware attack on the meat producer JBS, crippling the company and its supply until it paid an $11 million ransom.
- REvil is a large criminal operation which offers ransomware-as-a-service. In short, it leases out ransomware to other criminals and keeps a percentage of each payment. It is said to earn more than $100 million a year.
- Last year, it posted recruitment ‘ads’ on dark web forums and Russian cybercriminal forums seeking experienced people who are skilled in ransomware.
- It said successful applicants can expect 60 per cent of the funds received from a hack, rising to 70 per cent after three successful hacking attempts. The job postings say the average ransom paid can range between $250,000 and $10 million.
It’s easy to dismiss the attack as just another ransomware infection given how widespread and common they are. Of course, if you’re a victim you don’t see it that way.
But the impacts of ransomware attacks are now being publicly acknowledged by the US government, with the president, Joe Biden, threatening countermeasures if Putin doesn’t rein in the attackers. Putin, of course, denies any knowledge of REvil.
Poor, hungry… and dangerous
A REvil representative said the group targets companies with cyber-insurance and steers clear of businesses in the former Soviet Union. He cited three reasons for this: geopolitics, laws and, for some, a sense of patriotism.
Another gave some insight into how the attackers think when he reportedly said: “As a child, I rummaged through rubbish bins and smoked cigarette butts. I wore the same clothes for six months. In my youth . . . I did not eat for two or even three days. And now I’m a millionaire.”
Reports of vulnerabilities
Perhaps not surprisingly, following the attack, reports have emerged of former Kaseya employees claiming the company’s software was vulnerable to attack because of old code, poor encryption and a failure to routinely patch software.
- One employee reportedly claimed he was fired two weeks after sending executives a 40-page briefing on security problems. Others simply left in frustration at a seeming focus on new features and releases instead of fixing basic issues.
- Kaseya also laid off some employees in 2018, preferring to outsource work to Belarus, which some staff considered a security risk.
- The company's software was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy.
Kaseya refused to comment on the allegations, but basic cyber security missteps are all too common at many companies and across many industries.