IOTW: REvil Ransomware Attack Hits Potentially Thousands of Businesses

Lisa Morgan
07/09/2021

Russian hacking group REvil has been credited with a massive ransomware attack that disrupted potentially thousands of businesses internationally during the U.S. Fourth of July holiday weekend. Perhaps the hardest hit entity so far is the Swedish grocery chain Coop, which had to close 800 stores because it was unable to operate its cash registers and therefore unable to receive payment for goods.

The target was Kaseya, a U.S. IT management software provider for managed service providers (MSPs) and IT organizations. According to Reuters, REvil "is suspected of hijacking Kaseya's desktop management tool VSA and pushing a malicious update that infect[ed] tech management providers serving thousands of business[es]."

The ransomware ploy is a multi-level attack that spreads to a tech provider's customers. Reportedly, each business that has been disrupted by file encryption has received a ransomware notice demanding payment of thousands or millions of dollars, depending on the size of the company. The attacks threaten the viability of some businesses and potentially the cost of goods and services, the price of which would ultimately be borne by consumers.

According to the U.S. Federal Bureau of Investigation (FBI), REvil is allegedly responsible for attacking the JBS meat packing plant. Engadget said 40 cybersecurity contractors' systems and subsequently hundreds of businesses had been hit over the holiday weekend.

As the news and fallout from more big cyber attacks continue to roll in, insurance companies offering cyber insurance are raising the cost of premiums in response. There is simply no good way to model the risk.


The Facts

On Friday, July 2, REvil unleashed a ransomware attack via Kaseya by infecting its VSA software and providing a malicious "software update" to customers. The attack was timed for the U.S. Fourth of July holiday weekend, which most Americans, including IT workers, spend with friends and family. Those who are working are likely distracted by the fact that they're one of the few people who are.

Apparently, REvil was counting on this window of opportunity to increase the potential impact of the attack. 

The White House said on July 4 that it was reaching out to affected companies. Meanwhile, Kaseya is working with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to assess and deal with the damage. However, the total scope of harm is unknown at the time of this writing.

Reuters reported that American and German schools, small public sector organizations, travel and leisure companies, credit unions and accountants had been affected. Engadget added an outpatient surgical center in South Carolina and a mid-size Florida law firm.

Businesses are being advised not to pay the ransom because they are only helping to perpetuate attacks by sophisticated, highly organized groups and others who hope to emulate their success. Some businesses will pay a ransom nevertheless because they want to return to business as usual. However, business is never "as usual" these days. Paying a ransom or recovering from a cyber attack does not protect an organization against a different one.

Lessons Learned

MSPs are not immune from cyber attacks. Many small and medium businesses (SMBs) rely on such companies to manage some or all of their IT needs because they don't have the financial resources to retain that type of expertise.

Likely, this episode will cause companies that hire MSPs to do more due diligence before they hire them. Among the questions that will be asked (if they have not been asked already) is whether the MSP has suffered a breach in the last year, or in whatever time frame the customer specifies.

Sadly, even an MSP that has not been breached may not be more sophisticated from a cyber security perspective. Their luck may have been just that: dumb luck.

Quick Tips

Your company's cyber security posture is only as formidable as the totality of its cyber security fabric, which extends to its partners. If one of your partners becomes the victim of a ransomware or other type of attack, your company may suddenly be next. Are you prepared?

  • Vet partners on a regular basis.
  • Review your own cyber security practice to see what impact this type of attack would have on your company.
  • Add such a scenario to your incident response plan if you have not covered it yet. If you do not use an MSP, you certainly use some vendors and service providers who could be the launch point for an attack against your company.
  • Make sure your company's entire staff regularly receives updated cyber hygiene training. Since attacks evolve, there's always something new to talk about and some basics that should be repeated as a matter of course.
  • Use this attack as a lens through which to view potential vulnerabilities and threats. Simply changing your point of view may enable you to discover something you had not considered before.
  • Decide now how your company would respond to a ransomware attack.