Another major ransomware supply chain attack has occurred over the holiday weekend. On July 2nd, the IT solutions provider Kaseya issued a statement saying it had suffered a ransomware attack. The attack directly affected only 0.1% of Kaseya’s customers, but those customers are Managed Service Providers (MSPs), which means hundreds of smaller businesses downstream of them were affected as well. This attack follows in the wake of several other large ransomware attacks in the past few months, including the Colonial Gas Pipeline attack and the attack on the meat supplier JBS. Before we get into the specifics of this attack, let’s first look at who Kaseya is and what a ransomware attack is.
What is Kaseya?
Kaseya is an IT solutions provider that offers software to Managed Service Providers and enterprises. These MSPs in turn offer their own services, such as Software as a Service, PKI as a Service and similar offerings, to smaller customers. This is one of the reasons the attack was so effective: each of these MSPs serves several hundred small companies of its own, and those companies were hit with the ransomware through the MSP that managed them. An example of the software Kaseya provides is VSA, which is used to monitor and manage networks and endpoints.
What is ransomware?
Ransomware is a type of malware that encrypts the files on a victim’s system. Once the files are encrypted, the threat actors normally leave a ransom note telling the victim how much to pay and where to send it, with the promise that the decryption key will be sent back in return. It is recommended never to pay the ransom to a threat actor who has encrypted your data: they may not hand over the decryption key, they may have already copied the data and use it to blackmail you in the future, or they may not even be able to decrypt it.
What happened in this attack?
However, to use the executable file, a legitimate signature was still needed, which is where the rogue certificate comes in. The certificate was found to belong to an organization called PB03transport, which is a legitimate organization. This indicates that the threat actors had access to this organization’s private key, most likely obtained via phishing or a man-in-the-middle attack. Once the ransomware infected an MSP, it was pushed on to the MSP’s own customers through an automated update that carried the ransomware. The ransomware in question is REvil, uploaded to the VSA tool by its creators, the threat actor group known as REvil or Sodinokibi. It is unknown at this time whether all of the victims have paid the attackers.
Stopping this Type of Attack
The sad truth of this attack is that it could have been prevented. Using a rogue certificate, these threat actors crippled thousands of companies, when proper certificate management could have stopped them. With a managed certificate management system or PKI-as-a-Service, like the kind Encryption Consulting offers, this rogue certificate would not have been created in the first place. With proper certificate monitoring and key inventorying, the stolen key could have been detected and subsequently deactivated. Instead, many companies may have to pay a ransom just to get their data back.
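As an added example that is not part of the original post, the Go code below shows what certificate inventorying buys a software vendor’s update pipeline: an update is accepted only when its signature verifies and the signing certificate’s fingerprint is listed in the vendor’s inventory, so a file carrying a valid signature from an unrelated or stolen certificate is rejected, and a key reported stolen is deactivated simply by removing it from the inventory. The certificates, keys, organization names and the update payload are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } } // example-only error handling
// NewSigner issues a self-signed code-signing certificate for org (constructed test data; a real key lives in an HSM).
func NewSigner(org string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Sign produces an ECDSA-SHA256 signature over payload, as a signing service would.
func Sign(key *ecdsa.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return sig
}
// Fingerprint is the SHA-256 of the DER certificate, the key a certificate inventory is indexed by.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// AcceptUpdate admits an update only if the signature verifies under the presented certificate
// AND that certificate is in the inventory of expected signers; a stolen or unrelated cert fails.
func AcceptUpdate(inventory map[string]bool, cert *x509.Certificate, payload, sig []byte) bool {
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return false
	}
	return inventory[Fingerprint(cert)]
}
```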