Kaseya ransomware attack: US launches investigation as gang demands giant $70 million payment

CISA warns businesses to enable and enforce multi-factor authentication for all accounts - not just privileged admin accounts.
Written by Liam Tung, Contributing Writer

The gang who used the REvil ransomware service to attack IT firm Kaseya and its customers have offered a universal decryption key at a record price of $70 million, if anyone wants to pay for it.

Kaseya, a well-known enterprise IT firm, is at the centre of the latest data encryption attack by REvil. The FBI attributed last month's ransomware attack on US meatpacker JBS to REvil.    

Kaseya on Saturday confirmed it and its customers were the victim of an attack on its VSA product, software for remotely monitoring PCs, servers, printers, networks, and point-of-sale systems. 

"Kaseya's VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams' fast response, we believe that this has been localized to a very small number of on-premises customers only."


However, it seems that because Kaseya's customers are managed services providers, there has also been a knock-on impact on their customers that also rely on VSA to deliver remote-monitoring services. Huntress Security said that Kaseya's VSA software had been used to spread ransomware that had encrypted "well over 1,000 businesses".

For example, the attack on Kaseya had a significant impact on Sweden's Coop supermarket chain, forcing many of its stores to remain closed on Sunday. Coop is one of the largest supermarket chains in Sweden. Coop's online ordering and delivery systems were still available, but its point-of-sale systems were not. The retailer kept its doors open on Sunday, but staff were refusing customers entry and giving them complimentary strawberries, snacks and coffee. 

The attack on Kaseya appears to be financially motivated, but its impact is reminiscent of the Kremlin-backed attack on SolarWinds's Orion network management software.

REvil has now demanded $70 million for a universal decryption tool to end the Kaseya attack. "More than a million systems were infected," the REvil group claimed. "If anyone wants to negotiate about universal decryptor our price is $70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than one hour."

The group had been asking for $5 million for affected managed service providers and $44,999 for affected Kaseya customers, according to BleepingComputer.

The attackers appear not to have stolen data from networks prior to the attack – a technique commonly used to apply pressure on victims to pay or risk the exposure of sensitive information. 

The attack exploited a zero-day or previously unknown vulnerability in Kaseya VSA. 

"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations," Kaseya said in a statement. 

US president Joe Biden on Saturday said the US believed the Kremlin was not connected to the attack, but that, if it was, he has told Putin that the US will respond.

On Sunday, deputy national security advisor for cyber and emerging technology Anne Neuberger urged victims to report incidents to the FBI's IC3 (Internet Crime Complaint Center).  


The US Cybersecurity & Infrastructure Security Agency (CISA) and FBI issued joint guidance on Sunday.  

CISA advised VSA customers to download the VSA detection tool, which helps security teams search for the presence of REvil components on their networks. It also recommended enforcing multi-factor authentication "on every single account that is under the control of the organization". That is, not just admin accounts with high privileges. 

"Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network," CISA said. 
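As an added illustration (not from the article, Kaseya or CISA) of the allowlisting CISA describes, the following nftables ruleset for a host running an on-premises RMM server keeps the administrative interface reachable only from a dedicated management VPN and accepts agent check-ins only from known customer address ranges; every address, port and set name is a constructed placeholder, not a documented Kaseya value.

```nftables
# Constructed example: host firewall for an on-premises RMM server.
# Addresses and ports below are placeholders, not Kaseya's documented values.

define MGMT_VPN     = 10.20.0.0/24                        # management VPN subnet
define KNOWN_AGENTS = { 203.0.113.0/24, 198.51.100.0/24 } # customer sites allowed to check in
define ADMIN_PORT   = 443                                 # administrative web interface
define AGENT_PORT   = 5721                                # agent check-in port (placeholder)

table inet rmm_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Weak setting (what the CISA guidance warns against): the admin
        # interface exposed to any source on the internet. Left commented out.
        # tcp dport $ADMIN_PORT accept

        # Hardened: admin interface only from the dedicated management VPN.
        ip saddr $MGMT_VPN tcp dport $ADMIN_PORT accept

        # Agent traffic only from the allowlisted customer address ranges.
        ip saddr $KNOWN_AGENTS tcp dport $AGENT_PORT accept

        # Everything else is counted, logged for detection, and dropped.
        counter log prefix "rmm-drop: " drop
    }
}
```

The logged drops give the SOC a ready signal: any hit on the admin port from outside the VPN range is worth a look, because the policy says it should never happen.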
