ST. LOUIS – Hundreds of businesses across the country are still under attack from ransomware following a cyberattack involving Kaseya, an IT management software company. The group behind the attack is demanding $70 in bitcoin to unlock files for all the victims.
While reports say anywhere from 800-1500 Kaseya customers have been hit, it’s believed the number impacted is even higher. The attack involved Kaseya software used by Managed Services Providers (MSPs). Each of the MSPs hit also has several clients impacted by the ransomware.
Blade Technologies in St. Louis, Mo. is one of these MSPs. Scott Schaffer, the Chief Information Security Officer at Blade Technologies, says these kinds of attacks often happen on holiday weekends when fewer people may be in the office. That was the case with the SolarWinds breach last year.
Schaffer said the proposed perpetrator of the attack is someone who worked with REvil, a company that sells software to perpetrators. He says you may never know who was behind the actual threat, but it definitely came from REvil’s software.
Schaffer says the group behind the attack compromised a “zero-day” flaw in the Kaseya Agent Monitor. That is a flaw that no one knew existed, even Kaseya. Once the agent monitor was breached, a file was dropped on a computer into a directory that wasn’t scanned by malware-detecting software.
He says the attackers then run a command to disable defenses so the attack will be undetected. The attackers will then run another command to install the encryption software, after which the wallpaper on the computer changes and a ransom note goes up.
Schaffer says the most important thing your company or organization can do if it outsources network monitoring to an MSP is ask it how it is protecting your information.
He says don’t just ask that once, ask it frequently. Schaffer says any MSP doing it the right way will welcome that question.
Kaseya is updating clients on its website and the Chief Technology Officer recently gave a briefing on the next steps for customers.