The latest update from the Kaseya CEO reveals the massive scope of a ransomware attack against the company's VSA service.
The VSA service is used by managed service providers (MSPs) who help small and medium-sized businesses patch vulnerabilities and monitor endpoints.
Scope of the Kaseya ransomware attack revealed
Up to 1,500 businesses, across five continents, may have been impacted in the attack. According to CEO Fred Voccola:
"Many of Kaseya's customers are managed service providers, using Kaseya's technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists' offices, small accounting offices, and local restaurants. Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya's customers, only about 800 to 1,500 have been compromised."
This illustrates the value of hitting a target in the IT supply chain. You get a single attack with 800 to 1,500 victims.
Who launched Kesaya ransomware attack? REvil demands ransom
The same ransomware operators that hit JBS in June 2021 are claiming to be responsible for this attack.
The REvil group, based in Russia, posted on its Dark Web blog site that it will release a universal decryption tool for all impacted organizations for a $70 million ransom.
Reuters has been in contact with both Kaseya's CEO and the REvil cybercrime group.
"We are always ready to negotiate," a representative of the hackers told Reuters earlier Monday. The representative, who spoke via a chat interface on the hackers' website, didn't provide their name.
Voccola refused to say whether he was ready to take the hackers up on the offer.
"I can't comment 'yes,' 'no,' or 'maybe'," he said when asked whether his company would talk to or pay the hackers. "No comment on anything to do with negotiating with terrorists in any way."
However, Kaseya is saying its rapid internal response to the cyberattack limited the collateral damage. It could have been much worse.
The company's rapid remediation and mitigation measures saved thousands of small and medium-sized businesses from suffering devastating impacts to their operations and ensured business continuity.
"This is a collaborative effort to remediate the issue and identify the parties responsible so they may be held accountable," added Voccola. "We are beyond grateful for their assistance getting our customers back online. The immediate action-oriented and solution-based approach of CISA and the FBI, with tremendous overall support from the White House, has proven to be a huge help in ensuring that this attack led only to a very small number of impacted customers. While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated," says the company CEO.
How is the U.S. government responding to the ransomware attack?
President Biden was asked about the cyberattack while he was in Michigan eating cherry pie over the 4th of July holiday weekend.
Here is the Q&A transcript, in which Biden responded to a reporter's question about the attack.
Q: With the most recent hack by the Russians, would you say that this means that —
THE PRESIDENT: "We’re not sure if it’s the Russians."
Q: Okay with this most —
THE PRESIDENT: (Inaudible.) "I got a brief on the — as I was on the plane, that’s why I was late getting off the plane. I got a brief, and —"
Q: Do you know who it might be, sir?
THE PRESIDENT: "I’ll be in better shape to talk to you about it — hang on a second.
I’ll tell you what they sent me — okay? — that — the idea — first of all, we’re not sure who it is for certain, number one. And what I did, I directed the full resources of the — of the government to assist in the response if we determine —
And the fact is that I directed the intelligence community to give me a — a deep dive on what’s happened, and I’ll know better tomorrow. And if it is, either with the knowledge of and/or a consequence of Russia, then I told Putin we will respond. And — but —"
Q You did tell him already, sir?
THE PRESIDENT: "No. No. I haven’t called because we’re not — we’re not certain. And the initial thinking was it was not the Russian government, but we’re not sure yet."
Did Russia just violate the 'no hack list' Biden gave their leader?
Remember the June 2021 meeting between President Biden and President Putin? Biden handed over a 'no hack list' of 16 sectors and warned that if Russia launched cyberattacks against those sectors, the U.S. would respond.
One of the sectors was "Information Technology."
But Russia has long denied it hacks the world.
CNN Analyst and retired USAF Colonel Cedric Leighton tells SecureWorld that ransomware is the instrument of choice for Russia's mission in cyber right now, and the west needs to finally understand this.
The recent attacks against Colonial Pipeline and JBS meat were clear indicators:
"You can't see it as an isolated incident because ransomware is actually part of a broader strategy. When you look at the way in which these operations were conducted, and the strategy that was involved was clearly to go after elements of the critical infrastructure.
Then they employed the technique of plausible deniability. This is something that intelligence agencies have used for many years, really for centuries.
In essence, what it means is, you have somebody go out and do your dirty work for you, but they don't officially belong to you or to your official organizations. So you can, truthfully in quotation marks, say, I did not do this."
Will that happen again in this case? Will the United States respond in cyber? We are watching and waiting to see what occurs next.