It was probably inevitable that the two dominant cybersecurity threats of the day— supply chain attacks and ransomware—would combine to wreak havoc. That’s precisely what happened Friday afternoon, as the notorious REvil criminal group successfully encrypted the files of hundreds of businesses in one swoop, apparently thanks to compromised IT management software. And that’s only the very beginning.
The situation is still developing and certain details—most important, how the attackers infiltrated the software in the first place—remain unknown. But the impact has already been severe and will only get worse given the nature of the targets. The software in question, Kaseya VSA, is popular among so-called managed service providers, which provide IT infrastructure for companies that would rather outsource that sort of thing than run it themselves. Which means that if you successfully hack an MSP, you suddenly have access to its customers. It’s the difference between cracking safe-deposit boxes one at a time and stealing the bank manager’s skeleton key.
So far, according to security company Huntress, REvil has hacked eight MSPs. The three that Huntress works with directly account for 200 businesses that found their data encrypted Friday. It doesn’t take much extrapolation to see how much worse it gets from there, especially given Kaseya’s ubiquity.
“Kaseya is the Coca-Cola of remote management,” says Jake Williams, chief technology officer of the incident response firm BreachQuest. “Because we’re going into a holiday weekend, we won’t even know how many victims are out there until Tuesday or Wednesday of next week. But it’s monumental.”
Worst of Both Worlds
MSPs have long been a popular target, particularly of nation-state hackers. Hitting them is a terrifically efficient way to spy, if you can manage it. As a Justice Department indictment showed in 2018, China’s elite APT10 spies used MSP compromises to steal hundreds of gigabytes of data from dozens of companies. REvil has targeted MSPs before, too, using its foothold into a third-party IT company to hijack 22 Texas municipalities at once in 2019.
Supply chain attacks have become increasingly common as well, most notably in the devastating SolarWinds campaign last year that gave Russia access to multiple US agencies and countless other victims. Like MSP attacks, supply chain hacks also have a multiplicative effect; tainting one software update can yield hundreds of victims.
You can start to see, then, why a supply chain attack that targets MSPs has potentially exponential consequences. Throw system-crippling ransomware into the mix, and the situation becomes even more untenable. It brings to mind the devastating NotPetya attack, which also used a supply chain compromise to spread what at first seemed like ransomware but was really a nation-state attack perpetrated by Russia. A more recent Russian campaign comes to mind as well.
“This is SolarWinds, but with ransomware,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “When a single MSP is compromised, it can impact hundreds of end users. And in this case it seems that multiple MSPs have been compromised, so …”
BreachQuest’s Williams says that REvil appears to be asking victim companies for the equivalent of roughly $45,000 in the cryptocurrency Monero. If they fail to pay within a week, the demand doubles. Security news site BleepingComputer reports that REvil has asked some victims for $5 million for a decryption key that unlocks “all PCs of your encrypted network,” which may be targeted to MSPs specifically rather than their clients.
“We often talk about MSPs being the mother ship for many small-to-medium business and organizations,” says John Hammond, senior security researcher at Huntress. “But if Kaseya is what is hit, bad actors just compromised all of their mother ships.”