How to Protect Yourself from a Kaseya-Style Ransomware Attack
Ransomware has been a problem for many years now, but attacks are only growing more sophisticated.
In recent months, several high-profile attacks have occurred, one being the Colonial Pipeline attack in the US and most recently the Kaseya attack.
Kaseya is an IT solutions developer for MSPs and enterprises. The company announced on July 2 that it was the victim of a huge cyberattack.
Attackers from REvil, a ransomware group linked to Russia, managed to leverage a vulnerability in Kaseya’s VSA software. CEO Fred Voccola said that less than 0.1% of its customers were affected, but it’s estimated that around 1,500 businesses were victims of the breach.
In this episode of Disruption Talks, Netguru’s Cyber Security Lead, Maciej Markiewicz, discusses the Kaseya breach and what we can do to protect ourselves from something similar.
How do ransomware attacks work?
Ransomware is a common cyberattack method where attackers encrypt important files so you can no longer access them. The attackers then demand a ransom in return for the decryption key.
Ransomware attacks typically target businesses, which are left with no option but to pay out to continue doing business. This type of cyberattack is on the rise, so good cybersecurity protection is a must for any modern business.
Filip Sobiecki: Could you give us an introduction to yourself?
Maciej Markiewicz: I’m a Cyber Security Lead at Netguru, and I’m responsible for three main areas. One is information security, covering our internal processes and operational stuff. Then there’s the security of development approaches, which means helping and consulting services for our clients. And finally, there’s commercial cybersecurity services, so everything related to client projects and products.
Can you explain what happened at Kaseya?
In early July 2021, businesses around the world were affected by a ransomware attack that appeared to come from one single point of attack. A group of companies was targeted by the hacker group REvil.
Kaseya was targeted because it’s a software provider responsible for managing and monitoring IT ecosystems for small and medium firms.
It affected so many businesses because REvil exploited a vulnerability in Kaseya’s software, which many companies use globally. Over 1,000 firms had data encrypted with ransomware, so they couldn’t access it without paying. The group requested $70 million in total for decrypting the ransomware across all the businesses.
Interestingly, this software provided by Kaseya is used to help protect companies against attacks, and yet it became a vulnerability itself.
Can you tell us a little about the guys behind this attack?
It’s the REvil group that has ties to Russia, and it’s been responsible for quite a few impressive attacks recently. For example, JBS, the meat processing company, was targeted a few weeks ago. The firm paid the ransom, which was around $11 million for decrypting the data.
How did REvil target Kaseya?
The original reports said that the attackers must have injected malicious code into the software. However, official statements from Kaseya say that’s not the case. They have not found malicious code, but the attackers managed to bypass the authentication feature in the software.
They used its existing features, such as the ability to execute arbitrary code inside devices that use Kaseya software, to deploy the ransomware.
Kaseya is already working on and has deployed patches to solve the problem. It’s started to restore services for clients, but it will take some time to fully restore functionality for all the businesses affected.
Can we protect ourselves from something similar happening?
Unfortunately, you cannot guarantee 100% protection on any IT system in the world. You can define all the threats and risks to your services and use risk assessment methodologies.
Then you must try and minimize the threats and build strong countermeasures to get the protection as close to 100% as you can.
What can you specifically do to protect your assets?
The first step is to start hardening your IT infrastructure to protect it. This includes simple things like secure passwords, and then you can move on to two-factor authentication. This is just the beginning, though.
We need to go deeper than that. Rather than just relying on any two-factor authentication system, you should look at what type you’re using and assess whether it’s suitable for your users.
We already know that not all two-factor authentication methods are secure. For example, using phone numbers is already a problem with SIM swapping attacks. It also doesn’t protect you from phishing attacks.
Hackers are quite clever and are wise to our attempts to protect websites and businesses, so we need to think beyond the basics.
However, one of the simplest things you can do as a business is to back up your data. This should be a key part of your disaster recovery and business continuity plans.
Would you agree that it’s important that everyone’s responsible for data security?
I would say that in most cases, there is some kind of human factor. You can prepare well and use well-designed software, but it’s never going to be 100% bulletproof. If you have employees using the same password for everything and those passwords are being leaked, then no software will be good enough.
Raising awareness and educating people is one of the most crucial things you can do as a business.
It’s crucial that people at every level (business owners, management, developers, and the users themselves) are all aware of the risks. Businesses should try to make security features transparent to all and as easy to use as possible.
Do you believe that one day cybersecurity systems will be able to protect us from our own human errors?
It’s hard to guess. In my opinion, this will be a constant journey. The bad guys and good guys will always be chasing each other. The good guys will be trying to build the best software, and the bad guys will try to break it.
However, there are currently systems that use machine learning to detect any anomalies, but this is quite expensive for an average user.
The cost is a barrier, but can you afford not to have good security systems in place?
It’s expensive, but so is being a victim of a cyberattack, so it’s all about finding a balance between costs and protection.
Is backup redundancy overkill, or is it better to be safe than sorry?
Backups like this are the perfect scenario. It would be ideal to have a situation where you can restore everything from a backup, and everything works fine. This means it’s harder for the attackers to demand a ransom because you don’t need to decrypt anything.
The downside is that this can be costly, so it’s all about balance.
How can smaller teams with limited budgets protect themselves?
There are a few ways around it. Hiring an in-house security specialist can be costly but is great if you can afford it.
For smaller companies, sometimes it’s best to outsource to a consultant who can perform an audit for you. They can help you improve the security of your entire infrastructure or your software. It’s always worth investing at least some money in getting expert advice, just in case.
This discussion is part of our Disruption Talks recordings, where we invite experts to share their insights on winning innovation strategies, the next generation of disruptors, and scaling digital products.