Kaseya & The Curious Case of Holiday Cyberattacks: What Can Companies Learn?

Ransomware attacks are increasing in frequency, and attackers are focusing on new monetization opportunities. Interestingly, the holidays seem to be their time of choice, as evidenced by the SolarWinds breach before Christmas 2020 and the Kaseya attack ahead of Memorial Day weekend 2021.

Let us take a moment and focus on the Kaseya incident. The FBI termed it a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.” The attack initially appeared to affect Kaseya’s 50 direct customers. But because Kaseya’s clientele included managed service providers (MSPs), over 1,500 of their small business clients across the globe were also affected.

REvil, the Russia-based ransomware group, claimed responsibility for the attack while demanding a total of $70 million in Bitcoin payment, a figure that was later made open for negotiation. It is important to note that REvil sought money only from end-users rather than the 50 MSPs that experienced the breach. Unlike Kaseya, many of these end-users did not have the resources to deal with an attack. REvil was able to demand a customized ransom amount from these businesses based on their size. Kaseya also had to step in to provide extensive assistance for end-users, depleting the bandwidth the company had to deal with the core issue.

Kaseya sprang into action quickly, notifying customers of the breach while proactively shutting down its servers and pulling its data centers offline. By July 5, the company had already developed a fix and targeted an accelerated release after testing and validation checks. Kaseya released the patch to its on-premise customers on July 11—slightly ahead of schedule—and began the process of deploying it to its SaaS infrastructure. 

Only a few ransom payments have been made to REvil so far, and Kaseya’s rapid response produced an effective patch, rendering the overall attack unsuccessful.

What exactly happened?

REvil, in its pursuit of a massive and widespread attack, exploited a zero-day vulnerability without actually accessing or breaching the victim’s network to steal data. The group deviated from its standard tactics, which meant backups remained in place and data was not stolen—thereby giving REvil little to no leverage over its victims.

(Note: A zero-day is an unknown security flaw that attackers can exploit to breach your system before you even know the vulnerability exists. Once attackers breach the system through this vulnerability, you have “zero days” to fix the situation.)

What can we learn from the Kaseya ransomware attack?

Cyberattacks frequently take place over a holiday. The reason is simple: minimal working IT staff makes it difficult for victims to react on time. Attackers, in turn, have more time to try variations on their tactics and extend their reach to a broader network. Criminals can also use this time to shut down the victim’s operations and demand a hefty ransom. The takeaway is that organizations need to be extra-vigilant during holidays and other times when they have fewer hands on deck.

Unfortunately, ransomware attacks don’t only happen over holidays, and they don’t only happen when you’re working with a skeleton crew. The truth is that as long as your security infrastructure is dependent on error-prone humans, rather than microsegmentation, identity-based segmentation, and auto-generated policies that keep your environment secure, you’ll be vulnerable to attack.

How can companies protect themselves from ransomware attacks?

Many organizations start their Zero Trust journeys by implementing Zero Trust network access (ZTNA; often called user-to-application segmentation) and identity-based segmentation (or workload-to-workload segmentation). These are crucial first steps in a successful Zero Trust implementation. In addition, next-generation solutions like ColorTokens provide real-time ransomware protection that reduces the attack surface, prevents lateral spread, and keeps business-critical resources up and running even as you stop attacks. 
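To make the workload-to-workload idea concrete, here is an added illustration in Python. It is not ColorTokens' product or code and has nothing to do with Kaseya's software; every workload name, address, label, port and observed flow in it is constructed for the example. It models a default-deny policy whose rules are written in terms of workload identity labels rather than IP addresses, shows how such rules can be auto-generated from a baseline of observed legitimate traffic, and then computes how far a single compromised host could move laterally under that policy.

```python
"""Identity-based (workload-to-workload) segmentation with default deny.

Added illustration; not ColorTokens' product or the Kaseya codebase. Every
workload name, address, label, rule and observed flow is constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set, Tuple

PROBE_PORTS = (22, 445, 3389, 5432, 8443)  # ports an internal scan would try


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str                  # addresses are incidental; rules never mention them
    labels: FrozenSet[str]   # the workload's identity (application, tier, ...)

    def tier(self) -> str:
        # Assumption for this example: each workload carries exactly one tier label.
        return next(label for label in self.labels if label.startswith("tier:"))


@dataclass(frozen=True)
class Rule:
    src_label: str
    dst_label: str
    port: int


@dataclass
class SegmentationPolicy:
    rules: List[Rule] = field(default_factory=list)

    def allows(self, src: Workload, dst: Workload, port: int) -> bool:
        # Default deny: traffic passes only if some rule matches an identity
        # label on the source, an identity label on the destination, and the port.
        return any(
            r.src_label in src.labels and r.dst_label in dst.labels and r.port == port
            for r in self.rules
        )


def reachable_from(policy: SegmentationPolicy, source: Workload,
                   workloads: Iterable[Workload],
                   ports: Tuple[int, ...] = PROBE_PORTS) -> Set[Tuple[str, int]]:
    """Everything the source may reach under the policy: the lateral-movement
    surface that would be inherited if that one host were compromised."""
    return {
        (dst.name, p)
        for dst in workloads if dst is not source
        for p in ports if policy.allows(source, dst, p)
    }


def rules_from_observed_flows(observed: Iterable[Tuple[str, str, int]],
                              workloads: Iterable[Workload]) -> List[Rule]:
    """Auto-generate rules from a baseline of observed (src, dst, port) flows,
    keyed on tier labels rather than addresses so they survive re-addressing."""
    by_name = {w.name: w for w in workloads}
    seen: Set[Rule] = set()
    out: List[Rule] = []
    for src, dst, port in observed:
        rule = Rule(by_name[src].tier(), by_name[dst].tier(), port)
        if rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


# Constructed estate: a three-tier shop plus an unrelated backup server.
WORKLOADS = [
    Workload("web-01", "10.0.1.10", frozenset({"app:shop", "tier:web"})),
    Workload("app-01", "10.0.2.10", frozenset({"app:shop", "tier:app"})),
    Workload("db-01", "10.0.3.10", frozenset({"app:shop", "tier:db"})),
    Workload("backup-01", "10.0.9.10", frozenset({"app:backup", "tier:storage"})),
]

# Constructed baseline of legitimate traffic seen during normal operation.
OBSERVED_FLOWS = [
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("backup-01", "db-01", 5432),
]

POLICY = SegmentationPolicy(rules_from_observed_flows(OBSERVED_FLOWS, WORKLOADS))


if __name__ == "__main__":
    for w in WORKLOADS:
        print(f"{w.name}: {sorted(reachable_from(POLICY, w, WORKLOADS))}")
```

Running it shows the point of the paragraph: the web tier can reach only the app tier on its one service port, the database tier can initiate nothing, and the backup server is invisible to the web and app tiers, so a compromise of any single host stops at the next declared business relationship instead of spreading across the flat network.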

To learn more about ColorTokens’ Zero Trust-based ransomware attack protection and other security solutions that can save you money while improving your security posture, check out our resources or get in touch.