The Devastating REvil Ransomware Attack Is Potentially One of the Biggest Hacks Ever

A new, large-scale ransomware attack has come to light, and given its scale it has the potential to be one of the largest cyber attacks ever, in the same league as SolarWinds and even WannaCry and NotPetya. What makes it so serious is the combination the attackers used: a software supply-chain target paired with one of the most capable ransomware operations in the business. How the attackers found their way into the system is still being worked out, but given the scale, the number of companies affected could run into the thousands. The attack went through managed service provider (MSP) software, Kaseya VSA, which BleepingComputer describes as a “cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.”

scale of attack

The overall scale of the cyberattack is not yet known, but there is already a reasonable reference point for how many companies have been affected. Since yesterday afternoon, July 2, the infamous REvil ransomware gang (also known as Sodinokibi) is suspected of having hit a circle of eight fairly large MSPs. For context, cyber security firm Huntress Labs has reported that at least three of the partners it works with are affected by the hack, which alone amounts to at least 200 small and medium enterprises. This is only the beginning.

Given how widely Kaseya VSA is used around the world, the number of companies affected is realistically at least in the thousands, which would put the scale on a par with the NotPetya attacks that ravaged systems across industries around the globe.

How did the attack happen?

“We are investigating a potential attack against VSA that indicates it has been limited to a small number of on-premises customers,” said Dana Liedholm, Kaseya’s senior vice president of corporate communications, in a statement. The company has also shut down its U.S. SaaS servers. This follows an earlier statement that Kaseya sent to its customers after the hack.

“We are in the process of investigating the root cause of the incident with great care, but we recommend that you shut down your VSA server immediately until you receive further notice from us,” the statement said. “It’s important that you do this immediately, because the first thing an attacker does is turn off administrative access to the VSA.” Interestingly, Kaseya CEO Fred Voccola told Wired that he still “expects to restore services within 24 hours.”

At the moment, Kaseya VSA’s servers remain offline as potentially thousands of companies work to contain the damage. The company has also confirmed that it is working with security firms on the response. A privilege-escalation exploit against the VSA server was probably the initial foothold; from there, REvil used VSA’s automatic agent update process to push the ransomware down to the small and medium enterprises those servers manage.
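To make that mechanism concrete, here is an added example (not from the article, from Kaseya, or from any vendor) of a hunting script that looks for the footprint an abused update channel leaves on an endpoint: the remote-management agent process launching a shell or a living-off-the-land binary to stage and run a payload. The agent process name (`AgentMon.exe`), the JSON event format and the sample events are all constructed assumptions for this example, not indicators taken from the incident.

```python
"""Hunt for a management agent that pushes a payload to the endpoints it manages.

Added example, not from the article or from Kaseya.  It scans process-creation
events (constructed below) for a remote-management agent spawning a shell or a
living-off-the-land binary, which is what an abused auto-update channel looks
like from the endpoint's side.  Process names and event format are assumptions.
"""
import json
from dataclasses import dataclass

# Assumed image name(s) of the RMM agent; replace with whatever your tooling runs as.
AGENT_IMAGES = {"agentmon.exe"}

# Children a legitimate update job should not need to launch directly.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "rundll32.exe"}

# Command-line fragments that raise a hit to high severity: payload decoding,
# defence tampering, shadow-copy deletion.
HIGH_SEVERITY_MARKERS = ("-decode", "set-mppreference", "disablerealtimemonitoring", "vssadmin")


@dataclass
class Alert:
    host: str
    timestamp: str
    parent: str
    child: str
    command_line: str
    severity: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_events(lines):
    """Return one Alert per event where the agent spawns a suspicious child."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        parent = _basename(ev.get("parent_image", ""))
        child = _basename(ev.get("image", ""))
        if parent not in AGENT_IMAGES or child not in SUSPICIOUS_CHILDREN:
            continue
        cmd = ev.get("command_line", "")
        severity = "high" if any(m in cmd.lower() for m in HIGH_SEVERITY_MARKERS) else "medium"
        alerts.append(Alert(ev["host"], ev["timestamp"], parent, child, cmd, severity))
    return alerts


# Constructed sample events (one JSON object per line); paths and hosts are made up.
SAMPLE_EVENTS = r"""
{"timestamp": "2021-07-02T18:05:11Z", "host": "ws-017", "parent_image": "C:\\Program Files\\Agent\\AgentMon.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c certutil.exe -decode C:\\updates\\agent.crt C:\\updates\\agent.exe"}
{"timestamp": "2021-07-02T18:05:12Z", "host": "ws-017", "parent_image": "C:\\Program Files\\Agent\\AgentMon.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i C:\\updates\\patch.msi /qn"}
{"timestamp": "2021-07-02T18:06:40Z", "host": "ws-022", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"}
{"timestamp": "2021-07-02T18:07:03Z", "host": "ws-022", "parent_image": "C:\\Program Files\\Agent\\AgentMon.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -Command Get-Service"}
{"timestamp": "2021-07-02T18:07:05Z", "host": "ws-022", "parent_image": "C:\\Program Files\\Agent\\AgentMon.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"}
"""


def run_sample():
    """Scan the constructed events; returns the list of alerts."""
    return scan_events(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity.upper():6}] {a.timestamp} {a.host}: {a.parent} -> {a.child}: {a.command_line}")
```

The rule deliberately keys on the parent/child relationship rather than on file names, so it survives the attacker renaming the dropped payload; the severity markers only rank hits that the relationship already produced.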

ransom demand

According to reports, the REvil gang is seeking $50,000 from smaller companies whose devices were hit. For the eight MSPs, it is seeking $5 million. The total ransom pool is, of course, very difficult to extrapolate right now. Kaseya has about 40,000 subscribers, and all things considered, the total ransom REvil is chasing runs well into the high millions. The situation is still evolving, so the figures are likely to change over time.

More details should emerge as time passes.
