Since last week, I’ve been speaking with Splunk customers and our own team about the cyberattacks impacting the Kaseya software platform. While Splunk was not impacted by the ransomware attack, as a security leader we want to help the industry by providing tools, guidance and support. It’s critical that we work together as a community to counter cybersecurity threats and share information about events like these.

Following the July 3, 2021 news of a ransomware attack targeting Kaseya, a US-based software developer that supplies managed service providers (MSP), more information about the incident, including additional indicators of compromise (IOC) have now been shared. Reportedly the "biggest ransomware attack on record" according to some, initial reports suggested that Kaseya themselves were compromised and their network management software, VSA, was compromised to deploy a ransomware threat to their customers.

On July 3, 2021, Kaseya reported1 a potential attack against its Virtual System/Server Administrator (VSA) that apparently had been limited to a small number of on-premises customers. Kaseya recommended an immediate shutdown of the VSA server until further notice. The small number of affected customers grew to thousands in just a few hours.

On the afternoon of July 2, 2021, Kaseya reported that it had been impacted by a ransomware attack affecting its Virtual System Administrator (VSA) product and advised users to shut down VSA servers immediately. Initial reporting indicates this was a well-orchestrated supply chain attack impacting about 60 managed services providers (MSPs) and up to 1,500 client organizations by leveraging a zero-day vulnerability (CVE-2021-30116).

The reason why ransomware is more rampant today is simple: it’s lucrative for hackers. As high-profile examples of ransomware continue to skyrocket concerning the amount of ransom paid, hackers will only continue to pursue it as a strategy.

The REvil ransomware (a.k.a Sodinokibi) is a threat group that operates in the RaaS (Ransomware-as-a-Service) model, where the infrastructure and the malware are supplied to affiliates, who use the malware to infect target organizations. On July 2, the REvil threat group launched a supply chain ransomware attack using an exploit in Kaseya’s VSA remote management software. REvil claims to have infected more than one million individual devices around the world.

Users of Elastic Security are protected through numerous layers of protections against the REvil ransomware that affected Kaseya VSA and its customers. Elastic Security’s layered protections prevented 100% of the REvil ransomware samples tested before damage and loss could occur to the business. We believe that detections and preventions must be layered, as no single protection works 100% of the time.

Ransomware groups are becoming more boastful and even advertising for affiliates, according to a recent article. Read more to see which groups are more active and how to defend your organization.

Ransomware attacks are on a steep upward trend and the gradient isn't softening its progression. In Q3 2020, ransomware attacks have increased globally by 40% to 199.7 million cases. In the U.S. alone, attacks have increased by 139% year-over-year, totaling 145.2 million cases in Q3 2020. The impetus to the sudden recent spike in ransomware attacks, was the dramatic shift from a linear attack model, to an insidious multi-dimensional Ransomware as a Service model.

The recent slate of breaches and regulatory actions has prompted many companies who had been doing the minimum in terms of proactive cyber risk management to rethink their approach. In the U.S., new regulations are emerging (for states like Virginia, Colorado, Massachusetts and many others), and existing regulators are increasing their enforcement, as we’ve seen by the NY Dept of Financial Services (NYDFS) and the SEC.