While 2020 will surely be remembered as the year of the pandemic, it’s quite possible that 2021 will be remembered as the year of ransomware too. Ransomware attacks seem to be running amok through 2021 and almost daily occurrences have been reported. Ransomware is a type of malware that blocks access to a company’s files until a ransom is paid. The ransomware typically encrypts your files rendering them inaccessible until a ransom is paid and the attacker delivers a key that can decrypt the files. Ransomware attacks are often spread using a Trojan that is disguised as a legitimate file that a user is tricked into running from an email attachment or website.
Following hot on the heels of the infamous east coast Colonial Pipeline and the JBS Meatpacking ransomware exploits over the 4th of July weekend, there was a Kaseya software supply chain attack that hit up to 1500 companies. Kaseya has an international headquarters in Dublin, Ireland and the company’s US headquarters is in Miami, Florida. The latest Kaseya attack is notable as Kaseya supports Managed Service Providers (MSPs) who in turn support many small and medium-sized businesses.
Kaseya provides a unified remote monitoring and management tool called VSA that enables MSPs to manage the IT for remote businesses making it a central part of a wider software supply chain. Kaseya reported that approximately 60 of its VSA customers were compromised. Those customers supply IT management services to other businesses and they passed the malware on to approximately 1,500 other organizations. Security experts believe the attack was triggered by an authentication bypass vulnerability in the Kaseya VSA web interface which allowed the attackers to circumvent authentication controls. This allowed them to establish an authenticated session in order to upload malicious software and execute commands.
The ransomware group REvil claimed responsibility for the attack and initially demanded a $70 million payment in Bitcoin for a “universal” decryption tool. At this point, Kaseya has not stated whether they will pay the ransom or not. Somewhat ironically, the offer of a universal tool reflects the problems REvil would have in needing to separately negotiate with 1500 different potential victims.
In a July 5th statement Kaseya said that a fix to prevent this attack has been developed. They have also released a new, free comprise detection tool that customers can use to check networks and computers. However, for many of those companies that that have been hit it’s time to dust off the disaster recovery (DR) plans.
Protecting Against Ransomware with Planning and DR
While you could just pay the ransom, and in many cases that will work, there’s no guarantee that your files and services will be restored. Plus, there’s nothing to stop the attacks from happening again. DR is one of the essential pillars of protection from ransomware attacks that can help your company to avoid and recover from ransomware attacks. Effective protection from ransomware requires:
- User education – While ransomware can be introduced in a number of different ways, end users are the most common cause for ransomware infections. Users need to be educated about the dangers of clicking on malicious links in email or compromised websites as well as the signs for recognizing suspicious items.
- Software updates – In this age of cyberattacks keeping up with software security updates is absolutely essential. In the case of the Kaseya attack, REvil is thought to have exploited a known vulnerability in VSA that Kaseya intended to patch but hadn’t done so yet.
- Protect your identities and permissions – If it’s possible use multifactor authentication (MFA) for your administrative accounts and take advantage of the principle of least privilege and Role-Based Access (RBAC) to limit permissions in order to prevent lateral movement of malware across your network.
- Use network segregation – Take advantage of Software Defined Networking (SDN) or micro-segmentation to limit unrestricted traffic flow across your network.
- Use air-gapped backups — Some types of ransomware are capable of selectively targeting backups. Offline backups that cannot be directly accessed from you primary network is one are your best protections from a ransomware attack as they can be used to restore your systems using a state that was captured before any corruption occurred. Your air-gapped backup should employ a separate authentication method to further limit the possibility of corruption.
- Having a tested DR plan — Having a working and tested DR plan is the final safeguard for a ransomware attack. A ransomware attack can take down your essential business workloads and services every bit as effectively as a natural disaster or system failure. Having an isolated recovery environment can help ensure that you can get pristine copies of your systems back online with no further corruption. Having a tested DR plan can ensure that you have an effective method to restore your essential services — even if those systems have been compromised by ransomware.