What Happened?

On July 2, 2021, Kaseya, a provider of remote monitoring and management (RMM) software, was hit by a ransomware attack in which the attackers demanded a $70 million ransom. Many managed service providers (MSPs) like Preemo rely on software like Kaseya VSA to remotely monitor and manage their clients' network infrastructure, so MSPs running a vulnerable VSA server, and in turn their clients, fell victim to the same attack.

It’s important to note that Preemo, and its customers, have not been affected by this attack.

What is a Ransomware Attack?

A ransomware attack occurs when a malicious third party gains unauthorized access to a system, encrypts the data on it, and demands a ransom payment in exchange for the key needed to decrypt that data.

For example, an attacker may gain access to your company's network and then encrypt important data on it, including files essential to the business's daily operations. The attacker then tells the business owner that the data is locked and can only be unlocked with a decryption key that the attacker alone holds, and demands payment in exchange for it.

Ransomware dates back to 1989, early in the era of widespread business use of personal computers, and the very first ransomware attack targeted hospitals and healthcare providers. According to fortinet.com:

The very first ransomware attack targeted the healthcare industry in 1989. An AIDS researcher gave out 20,000 infected floppy disks to those who attended the World Health Organization’s AIDS conference. This attack was called the AIDS Trojan but was also known as the PC Cyborg virus, named after the fictitious name of the company demanding payment: PC Cyborg Corporation. 

The distributed disks contained a program for analyzing a person’s risk of getting AIDS, as well as malware that activated after an infected computer was powered on 90 times. After the 90th time, the malware hid directories and encrypted the names of all files on the C drive while displaying a message demanding payment. 

Unfortunately, the prevalence of ransomware and the damage it causes have exploded since that 1989 incident. In 2017 the FBI reported that cybercriminals had netted over $1 billion from ransomware victims, and that figure doesn't account for the untold cost of downtime while victims' systems are offline. For example, the 2021 Colonial Pipeline ransomware attack shut down the pipeline that supplies fuel to much of the eastern United States, causing gas shortages across the region. Even though the shutdown lasted several days and caused huge business disruption, Colonial still paid the ransom of $4.4 million to obtain a decryption tool and restore service.

Unfortunately, once data has been encrypted and no clean backup exists, recovery usually comes down to dealing with the attackers. Since they alone hold the decryption key, it is common for businesses to simply pay the demanded ransom to get back to work, even though payment does not guarantee a working decryptor. These ransom payments are typically in the hundreds of thousands or even millions of dollars.

While these attacks are of course illegal, and while law enforcement will need to be involved, the authorities typically have limited ability to help victims directly: the encryption used by modern ransomware cannot be broken without the decryption key held by the attackers, unless the malware's implementation is flawed or the keys are later seized. It is normal in these circumstances for companies to hire boutique consulting firms that help clients navigate the negotiation with the perpetrators.

Why did the Kaseya hack happen?

The exploit that let the attackers reach Kaseya's software, its MSP customers, and then the MSPs' clients was a vulnerability in the authentication process of Kaseya VSA. It allowed the attackers to bypass the login required to use the VSA software. Once inside an MSP's VSA server, they could use VSA's own remote-management capabilities to reach every client endpoint managed by that server and push the ransomware to it.

In addition, it appears that outside security researchers had made multiple attempts to alert Kaseya that the VSA platform had a handful of vulnerabilities, reportedly as recently as early 2021. While there hasn't been an official report on the causes of the attack, it certainly isn't a good look for Kaseya that warnings about security flaws in its authentication process had reportedly been raised and were still unpatched when the attack occurred.

Additionally, it is reported that Kaseya lost a number of employees after management continued to prioritize building new features into the VSA platform over fixing the security issues those employees had identified.

Again, it's important to note that not all MSPs use Kaseya VSA, so most MSPs (including Preemo) were not affected because they use different software for remote network management.

What was done to remediate it?

According to Kaseya, it shut down the entire VSA platform within 4 hours of spotting unusual activity in its software and immediately began identifying the problem and working on a fix. The shutdown was hugely disruptive to many MSP customers, but Kaseya chose it to limit the number of customers affected. In the end the share of its customers hit was very low (fewer than 60 of roughly 36,000 direct customers), though each affected MSP had downstream clients of its own.

In addition, since this ransomware attack is one of the largest in history, many public institutions, universities, and authorities have contributed to getting to the bottom of it in order to help the victims and understand how to prevent this in the future. One of the main investigators leading the effort to understand the Kaseya VSA attack is the security firm Huntress. Check out Huntress's blog if you're interested in reading more about how it contributed to the remediation process for this particular attack.

What are the risks of a ransomware attack?

If you have or ever do find yourself the victim of a ransomware attack, know that you're not alone: ransomware hits companies of every size many times each year, and the impact varies by the type of business affected. In an extreme case, a doctor's office that loses access to its patient files has lost that data entirely unless it has clean, offline backups or pays the ransom (and the attackers' decryptor actually works). Increasingly, attackers also copy data before encrypting it and threaten to publish it, so the risk is not only loss of access but disclosure. So, basically, the risk of a ransomware attack is whatever risk comes with losing access to, and potentially control over, all of your company data. Whatever that means for your company, that's the risk of a ransomware attack.

While ransomware attacks through software distribution channels are becoming more common, ransomware attacks can, and still do, hit individual companies one at a time. In the Kaseya attack, a single vulnerability let criminals take advantage of hundreds of companies at once. But to carry out a ransomware attack successfully, the perpetrators really only need 1) access to your business-critical data and 2) for you to have no usable backup of it. Attackers routinely delete or encrypt any backups they can reach, so a backup only counts if it is offline or otherwise out of their reach and has been tested. There isn't a lot an individual company can do to prevent a supply-chain attack like the Kaseya VSA one on a vendor it depends on, but you can do a lot to shore up your own vulnerabilities and limit the damage.

The best thing to do if you're worried about a potential ransomware attack on your business is to take a quick look at the official Cybersecurity and Infrastructure Security Agency (CISA) guidelines. Among the lowest-effort steps CISA recommends to avoid ransomware attacks:

  • Provide social engineering and phishing training to employees. 
    • Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.
  • Remind users to close their browser when not in use.
  • Have a reporting plan that ensures staff knows where and how to report suspicious activity.

These awareness steps are only the starting point: CISA's ransomware guidance also puts maintaining offline, tested backups, keeping systems patched, and using multi-factor authentication at the top of its list.

Why Preemo was not affected

Preemo, like many other MSPs, relies on remote monitoring and management (RMM) software to remotely maintain the networks of many different clients. While just about every MSP uses some form of this software to manage its clients' networks, there are many RMM tools on the market, so the number of companies affected by this attack is relatively low simply because most MSPs use RMM providers other than Kaseya.

Preemo uses an RMM called ConnectWise, not Kaseya VSA. We chose ConnectWise over Kaseya VSA precisely because of ConnectWise's industry reputation and its dedication to security over features. We take a no-compromise approach to security: we thoroughly vet vendors (such as RMM software vendors) before signing contracts with them, and we keep a close eye on their security updates to make rolling decisions about whether to keep working with them based on how seriously they take security.