What happened in the Kaseya cyber attack?

The Kaseya cyber attack was a devastating ransomware attack that impacted thousands of businesses worldwide in July 2021. It started when cybercriminals breached Kaseya, a software company that provides IT solutions to managed service providers (MSPs). The attackers exploited vulnerabilities in Kaseya’s VSA remote monitoring and management tool to distribute ransomware to the systems of Kaseya’s customers.

How did the attack start?

On July 2nd, 2021, hackers affiliated with the notorious REvil ransomware gang exploited zero-day vulnerabilities in Kaseya’s VSA software. This allowed them to compromise Kaseya’s systems and use the software as a vehicle to distribute ransomware to the systems of Kaseya’s MSP customers.

Specifically, the attackers injected malicious code into a VSA server update that was then pushed out to Kaseya’s customers. When the customers installed the infected update on their systems, the ransomware payload was activated, encrypting files and demanding ransom payments to decrypt them.
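The pattern described above, a management tool launching the same previously unseen executable on many endpoints at almost the same time, is something an MSP can watch for in its own endpoint telemetry. The script below is an added example for this article, not code from Kaseya or from the original page: it parses constructed process-creation records, ignores binaries whose hashes the MSP has already vetted, and raises an alert when the management agent starts one unvetted binary on several distinct hosts inside a short window. The agent name, host names, binary names and hash values are all placeholders chosen for the illustration.

```python
"""Detect anomalous software fan-out from a management (RMM) agent.

Added example; it is not code from the original article or from Kaseya.
All log lines, host names, agent and binary names and hash values below
are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    parent: str    # image name of the parent process
    child: str     # image name of the launched process
    sha256: str    # hash of the child image (placeholder values here)


# Constructed process-creation records: "timestamp,host,parent,child,sha256".
# "mgmt-agent.exe" stands in for whatever the management agent is called.
SAMPLE_LOG = """\
2021-07-02T18:00:05,ws-01,mgmt-agent.exe,updater.exe,aaaa1111
2021-07-02T18:00:07,ws-02,mgmt-agent.exe,updater.exe,aaaa1111
2021-07-02T18:01:02,ws-01,explorer.exe,notepad.exe,bbbb2222
2021-07-02T18:10:00,ws-01,mgmt-agent.exe,new-update.exe,cccc3333
2021-07-02T18:10:01,ws-02,mgmt-agent.exe,new-update.exe,cccc3333
2021-07-02T18:10:02,ws-03,mgmt-agent.exe,new-update.exe,cccc3333
2021-07-02T18:10:03,ws-04,mgmt-agent.exe,new-update.exe,cccc3333
2021-07-02T18:10:04,ws-05,mgmt-agent.exe,new-update.exe,cccc3333
2021-07-03T09:00:00,ws-06,mgmt-agent.exe,new-update.exe,cccc3333
"""

# Hashes of update binaries the MSP has reviewed; anything else the agent
# launches counts as "unseen" (constructed value).
KNOWN_GOOD_HASHES = {"aaaa1111"}


def parse_log(text: str) -> list[ProcEvent]:
    """Turn the comma-separated records into ProcEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, child, sha = line.split(",")
        events.append(ProcEvent(datetime.fromisoformat(ts), host, parent, child, sha))
    return events


def detect_fanout(events, agent="mgmt-agent.exe",
                  window=timedelta(minutes=5), min_hosts=3):
    """Alert on unseen binaries the agent launched on >= min_hosts distinct
    hosts within `window`. Returns one alert dict per offending hash."""
    by_hash = defaultdict(list)
    for e in events:
        if e.parent == agent and e.sha256 not in KNOWN_GOOD_HASHES:
            by_hash[e.sha256].append(e)

    alerts = []
    for sha, evs in by_hash.items():
        evs.sort(key=lambda e: e.ts)
        # Sliding window over the time-ordered events for this hash: keep the
        # largest set of distinct hosts seen inside any single window.
        start = 0
        best_hosts: set[str] = set()
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hosts = {e.host for e in evs[start:end + 1]}
            if len(hosts) > len(best_hosts):
                best_hosts = hosts
        if len(best_hosts) >= min_hosts:
            alerts.append({
                "sha256": sha,
                "child": evs[0].child,
                "hosts": sorted(best_hosts),
                "first_seen": evs[0].ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {alert['child']} ({alert['sha256']}) launched by the "
              f"management agent on {len(alert['hosts'])} hosts from "
              f"{alert['first_seen']}: {', '.join(alert['hosts'])}")
```

On the constructed log the vetted updater is ignored, the lone notepad launch has the wrong parent, and the unvetted binary pushed to five workstations within four seconds trips the alert; the same binary reappearing on a sixth host the next day falls outside the window and does not count. The window and host threshold are tuning knobs: a legitimate patch cycle will also fan out, so the check is only useful when the allow-list of reviewed update hashes is maintained alongside it.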

What systems were impacted?

Since Kaseya’s VSA tool is used by MSPs to manage the networks of their small business clients, the attack had a broad reach. In total, researchers estimate that 800 to 1500 businesses worldwide were infected with ransomware as a result of the supply chain attack.

The victims included grocery stores, schools, financial institutions and IT companies. Most were small to medium-sized businesses that relied on Kaseya’s customers – MSPs – to manage their computer systems.

High-profile victims included the 800 Swedish Coop supermarkets that had to close because their cash registers were encrypted. New Zealand schools and kindergartens also had to close after being infected via a local MSP.

What was the impact?

The Kaseya attack was highly disruptive, with many victims unable to access their computer systems, data and applications. With ransomware shutting down point-of-sale systems, production lines, and more, organizations faced costly downtime and business interruptions.

For victims, the financial impacts included:

  • Costs to restore systems from backups
  • Lost revenues from business interruption
  • Ransom payments to decrypt files (when victims chose to pay)

Kaseya itself had to shut down its cloud-based services for days while it investigated the breach. For an IT service provider, such downtime can be extremely costly from a business standpoint.

In a public statement, Kaseya estimated that fewer than 60 of its customers were directly compromised in the attack. However, the inability of those MSPs to service their own customers meant the true victim count was likely over 1,000.

What was the ransom demand?

The REvil ransomware gang demanded a $70 million ransom payment in Bitcoin to release a universal decryptor that would unlock all affected systems.

This unusually high demand reflected the massive scale of the attack. Typically, ransomware groups set the ransom based on each victim’s perceived ability to pay. In this case, the criminals likely saw an opportunity to maximize profits by demanding a huge centralized payment from Kaseya directly.

Kaseya refused to pay the $70 million ransom. As a result, victims had to either restore systems from backup where possible, or negotiate their own individual ransom payments.

Were ransoms paid?

While Kaseya did not pay the massive $70 million ransom, security researchers believe some individual victims did pay smaller ransoms to regain access to their systems.

The meat producer JBS is one confirmed example – they paid REvil approximately $11 million in Bitcoin to decrypt their systems after a similar supply chain ransomware attack just one month prior.

Many Kaseya attack victims were smaller businesses though, without the deep pockets of a major corporation. These victims likely had fewer resources to pay large ransoms. Those unable to pay could only restore data from backups where available.

Who was responsible?

The Russia-linked REvil cybercrime gang (also known as Sodinokibi) was responsible for the Kaseya attack. REvil is a notorious RaaS (Ransomware-as-a-Service) syndicate, meaning they develop ransomware tools and sell access to “affiliates” who then carry out attacks.

In the Kaseya incident, REvil provided the ransomware payload but the actual breach was carried out by one of their affiliates. REvil handled the ransom negotiations and would take a cut of any payments.

Just days after the Kaseya attack, REvil mysteriously disappeared offline. Their dark web sites were taken down and ransom negotiations halted. It’s rumored that Russian authorities took action against the group under pressure from the US government.

Could it have been prevented?

While no IT system is impenetrable, there are steps both Kaseya and its customers could have taken to improve security and potentially prevent an attack of this scale:

For Kaseya:

  • Promptly patch vulnerabilities: The attackers exploited zero-day flaws in Kaseya VSA software. Kaseya likely should have identified and fixed these security holes before they were leveraged in an attack.
  • Employ strict supply chain security: As a provider of remote monitoring software, Kaseya was a high-value target in the supply chain. They should have implemented rigorous controls to secure code and network access.
  • Limit access: Only trusted users should have been permitted access to Kaseya servers and the ability to distribute updates. Broad access enabled the hackers to compromise these controls.

For MSPs/victims:

  • Patch and secure systems: While Kaseya software was the initial infection vector, stronger system hardening by victims could have made it harder for the ransomware to spread.
  • Limit privileged access: Revoke unnecessary admin privileges from users to limit damage if credentials are compromised.
  • Employ backups: Reliable, air-gapped backups make it possible to restore data without paying ransom. But many victims found backups insufficient.
  • Segment networks: Limiting direct access between network segments could have slowed the lateral movement of the ransomware.

While not necessarily foolproof, these practices likely could have prevented some infections and data encryption.

Timeline of the Kaseya Supply Chain Ransomware Attack

Date             Event
---------------  -----------------------------------------------------------------------------
July 2nd, 2021   Attackers exploit Kaseya VSA vulnerabilities to distribute ransomware payload
July 2nd         Encrypted systems shut down at Coop grocery stores in Sweden
July 3rd         Kaseya becomes aware of cyberattack and shuts down cloud servers
July 4th         The US Cybersecurity and Infrastructure Security Agency (CISA) issues emergency guidance urging organizations to shut down VSA servers
July 5th         Ransomware impacts 800 – 1500 organizations globally
July 6th         REvil demands $70M ransom from Kaseya
July 7th         Kaseya obtains decryptor key and begins restoring customers
July 13th        Kaseya patches vulnerabilities used in attacks
July 13th        REvil dark web sites mysteriously shut down

How did Kaseya and victims respond?

Kaseya’s response involved three key phases:

  1. Initial incident response – After learning of the breach, Kaseya quickly shut down its cloud servers to contain the threat. Their technical teams began investigating the attack vector and malicious code.
  2. Customer support and remediation – Kaseya notified impacted customers and released patches for the VSA vulnerabilities. They obtained a decryption key and helped restore data for victims who had backups. New security measures were implemented across their systems and software.
  3. External communications – Throughout the response effort, Kaseya engaged in frequent communication and coordination with law enforcement, government agencies, customers, and the public. Transparent communication helped mitigate damage to their reputation.

Victims had a more challenging path to recovery:

  • Users were locked out of encrypted systems, interrupting business operations.
  • IT staff had to rapidly assess and contain infections to prevent spreading.
  • With Kaseya declining to pay the massive centralized ransom demand, victims could either restore from backups where possible, or negotiate separate payments.
  • Some victims had to rebuild systems from scratch after backups failed or were insufficient.
  • Lost productivity, sales and revenues had lingering financial impact.

What was the long-term impact?

The Kaseya attack highlighted the immense risk that supply chain cyber attacks pose to businesses, large and small. By compromising IT management tools, the attackers gained access to broad swaths of networks with minimal effort.

Some important impacts and consequences included:

  • Increased Federal Response – The White House took action against ransomware gangs, including offers of rewards up to $10 million for information leading to the disruption of criminal networks.
  • Class Action Lawsuit – A class action was filed against Kaseya arguing they failed to adequately secure their software. This represents potential major legal liability for tech companies.
  • Security Overhauls – Many MSPs and software vendors initiated substantial reviews and improvements of their security practices to avoid becoming the next victim.
  • Insurance Fallout – Cyber insurance providers tightened policies and increased premiums after the attack, driving up costs for victims.
  • Greater Ransomware Awareness – High-profile attacks like this helped put ransomware risks on the radar of business leaders and policy makers.

While security improved in some areas, ransomware remains a key threat. The potential for large scale disruption and costs continues to motivate criminals to seek new targets like critical infrastructure.