What is Kaseya?

Kaseya is an international  IT company with headquarters in Miami, Florida. Kaseya helps companies manage their information technology and often sells its technology to third-party service providers, which manage IT for small- and medium-sized businesses. In short, by targeting Kaseya, the hackers managed to infiltrate a dozen more third-party firms that rely on Kaseya’s tools and up to 1500 businesses downstream. This included businesses like dentists’ offices, small accounting offices, and even small restaurants.

How it Started

On July 2, Kaseya CEO Fred Voccola publicly announced a potential breach confined to a small number of customers. By July 4, the company had upgraded its classification of the incident to a “sophisticated cyber attack.”

Kaseya shut down its SaaS servers and put its data centers offline in an attempt to damage control. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers, and we shut down our VSA SaaS infrastructure,” the company says.” According to Kaseya CEO, the company worked with cyber forensic experts, Homeland Security, the FBI, and the White House to try and resolve the situation.

“Since Friday, the United States Government has been working across the interagency to assess the Kaseya ransomware incident and assist in the response,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology, on Sunday. “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working with Kaseya and coordinating to conduct outreach to impacted victims.”

In an update on July 5th, Kaseya said they had developed a fix for the software vulnerability and would deploy it to their third-party vendors.

Who is Behind the Attack?

The infamous Russian hacker group REvil publicly claimed responsibility not long after the attack. The group is believed to operate out of Eastern Europe or Russia and is one of the most well-known “ransomware-as-a-service” providers. The group typically supplies tools for others to carry out ransomware attacks and takes a cut of the profits. It also executes some of its own attacks.

REVil also spearheaded the recent ransomware attack on meat producer JBS, forcing the company to pay an $11m ransom. Last Monday, the attackers demanded Kaseya pay a $70 million payment in bitcoin in exchange for a decryption tool that could help victims of the attack recover.

The Fallout

According to updated reports, the ripple effects from the breach have been felt in multiple countries outside the U.S. In Sweden, 800 supermarkets had to close when their cash registers were rendered inoperative, and in New Zealand, many schools and kindergartens were knocked offline. Current estimates show that over 70 third-party service providers were impacted and between 800 and 1500 downstream businesses.

White House spokeswoman Jen Psaki stated that senior US officials would meet their Russian counterparts next week to discuss the ransomware menace.“If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own,” she said.

Other political figures such as Rep Eric Swalwell have also commented on the attack saying, “These attacks threaten both the economy and national security. Businesses are outmatched, and criminal organizations are holding them hostage. Ransomware is a threat to any person, business or organization that relies on computers.”

Kaseya has not officially said if they are considering paying the ransom, but most experts believe that they would decide against it. The reason behind this is that Kaseya’s data backups were allegedly not deleted, providing the ransomware group less leverage than they might have anticipated.

What Should We Learn?

The biggest takeaway from the Kaseya hack should be that third-party risk should be treated similarly to first party risk. The reason the Kaseya hack was so successful was because the hack spread through Managed Service Providers, third-party companies that allow smaller businesses to outsource certain services.

These MSPs served as an attack vector for cybercriminals to spread their ransomware amongst smaller businesses. A very similar situation played out last year when SolarWinds, a company that similarly provided IT management software to many Fortune 500 firms and government agencies, was breached.

One cybersecurity expert stated, “In many cases, there are no technical checks on software updates coming from these providers because they are considered “trusted” partners, potentially leaving customers vulnerable to bad actors that could embed ransomware payloads into those updates.”

An effective strategy that companies have been using to manage Third-Party risks and liabilities is through cyber insurance with third party coverage. Since companies typically have little insight into the cybersecurity capabilities of their third party partners, cyber insurance can be an excellent safeguard to protect companies from breaches that might trace back to them. With some insurance policies, your company may be able to file a claim if your business is harmed as a result of a third party cyber incident.

For companies impacted by ransomware directly or through a vendor, having an insurance policy can provide an invaluable cushion from financial and reputational damage. It can also help organizations get back on their feet and avoid large business losses that stem from pauses in operation. Typically if a policy covers business interruption and extortion, the insurer will cover the insured’s profit that the latter would have earned if there had been no service interruption.

The age-old proverb, ‘An ounce of prevention is worth a pound of cure,’ applies to modern cybersecurity, too. The best thing for businesses to do is to learn from high profile breaches like Kaseya and take proactive steps to secure their business from digital threats.