If you compared the compromise visually in scope and impact to all of the breaches from Jan 2017 to April of 2021 (represented in the graph below), it would be about 1 pixel in size. It is so small that you would think you just need to clean your monitor. Most of the 1,500 customers impacted were very small companies with just a few employees (not even hundreds). The single largest customer impacted was the middle-tier grocery store Coop (located in Sweden). Sadly, 800 of their stores were down in Sweden due to their POS systems being locked out. Thankfully, it wasn’t IKEA. I mean where would we get that futon?
This Kaseya attack was reminiscent of the SolarWinds fiasco earlier in 2021, where attackers managed to compromise software to push a malicious update to thousands of customers. The attackers in Kaseya’s case (REvil) exploited a previously unknown flaw in Kaseya’s VSA software, which is used by Managed Service Providers (MSPs) and their customers. The VSA software is a remote monitoring and management package, which is used to manage endpoints, such as PCs, servers, and cash registers, as well as manage patching and security vulnerabilities. So, it was only the cash registers or Point of Sale (POS) systems that experienced the lion’s share of the problems – well at least for now, and that should be something of a respite?
REvil asked for $70 million in exchange for a universal decryption tool that would supposedly resolve the REvil issue for Kaseya and its customers. The great thing about groups like REvil is that they always make good on their promise to resolve the issue when you pay. At least they are honest thieves, right? I mean, if you have to deal with a thief you would rather deal with an honest and trustworthy one.
REvil operates its platform as RaaS (Ransomware as A Service). It recruits affiliates to distribute the ransomware for them. As part of that business arrangement, the affiliates and ransomware developers split the revenue generated from ransom payments. IIt is difficult to pinpoint REvil’s exact location, but everyone knows it is somewhere in Russia (or in one of the ‘Stans’ – Kazakhstan, Tajikistan, Uzbekistan, Kyrgyzstan, Turkmenistan, Afghanistan, Pakistan, and the ever popular Ransomwareistan), and we won’t be able to do much no matter how much we may hate the sneaky devils. They are no stranger to the extortion game (which is really what this is – ransomware is just the vehicle for it). 5 days after Kaseya, REvil hacked the computers of Florida-based space and weapon launch technology contractor HX5. They count the Army, Navy, Air Force, and NASA among its clients. But still not a major news story as the publicly released stolen documents on their “Happy Blog” were documents judged to be not of “vital consequence” by the government. At any rate, the big thing to take away from this incident is that it is likely the tip of a larger spear. REvil and it’s coven of other extortionists are simply practicing on the lesser of the herd before trying to take down one of the larger mammoths.