
Tools provider Kaseya attacked

The biggest news of the IT services world over the weekend is the supply chain attack against Kaseya, a provider of remote management tools to MSPs.  The company indicates it affects about 1,500 companies, reportedly including around 70 managed services providers, and the attackers are demanding $70 million in ransom, paid as a single lump sum, in exchange for a universal decryptor.  The REvil gang has also been raising ransoms for individual victims during the attack.

Among the high profile victims – a Swedish grocery store chain, a public broadcaster, schools, and a national railway system.   Kaseya had been in the process of fixing the vulnerability when the ransomware gang REvil exploited it.  

The White House has called for US Intelligence agencies to probe into who was behind the attack.   CISA issued a warning as well.

As of this recording, Kaseya plans to bring its SaaS cloud back online Tuesday afternoon and anticipates a patch for the on-premises version on Wednesday.  

Why do we care?

I’m not going deep on this today – there will likely need to be a bigger piece to cover all the implications for IT services providers.  There are, however, some initial items to care about.  

That universal decryptor was interesting to me — REvil was smart enough to understand multi-tenancy in the context of MSPs.   I’ve said before that’s a key attribute of a vendor looking at the MSP space.  Note how those attacking the space figured that out too.  

Also of note — embedded in the FBI warning is that, due to the scale, they would not be able to follow up on every case individually.  That should terrify providers — this is too big for them to help you… for whatever reasons.    An open point to care about – how law enforcement should be funded.

This hack got massive media coverage – it spread internationally, and Kaseya’s own CEO was on Good Morning America.  While SolarWinds was about espionage, this attack is about money.      Now, we put it in context.  This is Kaseya’s third breach I’m aware of.   It’s also not the first against a provider serving the MSP space.    While it’s a huge one… it was also warned about by CISA, who had identified MSPs as a target.     And I predict this will not be the last.  So the question to care about – what to do differently?  