Over the weekend, an affiliate of cybercriminal gang REvil attacked Kaseya, which provides IT management software to companies across the globe. This peripheral attack allowed the cybercriminals to access hundreds of Kaseya’s customers and target them with ransomware attacks.
Ransomware run rampant
Sophos, a cyber-security firm, became aware of the Kaseya attack on Friday afternoon. The attackers managed to exploit a vulnerability in Kaseya’s systems to remotely access its VSA server, which is generally used to deploy software and automate IT tasks in Kaseya’s software. The VSA server is highly trusted on customer devices, meaning that attached clients do exactly what it asks. That is why the cybercriminals targeted it as a springboard for further ransomware attacks.
According to Sophos’ VP and Chief Information Security Officer, Ross McKerchar, the attack affected over 70 of Kaseya’s Managed Service Providers (MSPs), and spread from them to 350 more organisations. “We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions,” he said.
The hackers “…are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type,” said Mark Loman, Sophos Director of Engineering. Apparently the current trend with ransomware (and other) attacks is to hit as many targets as possible.
REvil and its offshoots have been active and up to no good in recent weeks. At the beginning of June the group attacked JBS, the world’s largest meat supplier, with ransomware, and after that it took on a nuclear weapons contractor in the US. Ransomware attacks have been on the rise for the past half-decade, and with the world online more than ever thanks to the ongoing pandemic, that trend has only been spurred on.