Understand the Cyberattack that Affected Kaseya

On July 2, a Russian group of hackers exploited a flaw in the Kaseya company’s management software, affecting its systems and causing problems for it and its customers.

The massive cyberattack affected around 1,500 businesses in 17 countries. The attackers promised to return access to the data in exchange for 70 million dollars, equivalent to 364 million reais.

Hackers promised to release a decryptor so that all files could be recovered in at least an hour after paying the ransom.

Known as “REvil”, the organization claimed responsibility for the virtual attack on Kaseya. It was also responsible for the invasion that halted production at JBS, the world’s largest meat processor, in June this year.

Domino Effect

Headquartered in Florida, United States, Kaseya is responsible for the remote monitoring and management program used by more than 40,000 companies. Of these, only 60 were directly affected by the cyberattack.

However, as many of Kaseya’s customers provide services for other businesses, the systems are interconnected in a network.

This connection resulted in a domino effect, as the installed malware quickly spread and encrypted the files it found along the way.

The supermarket chain Coop, in Sweden, had to suspend the operation of its stores because it was unable to use the cash register system, which was managed by one of Kaseya’s client companies.

How Did the Invasion Take Place?

The type of virus was ransomware that can encrypt computer files. Access is only granted upon payment of a ransom to the hacker, that is, it is like a data hijacking in the digital world.

In this type of cyberattack, ransomware infiltrates frequently used software and spreads as systems are updated.

Encryption is the practice of encoding data, causing it to no longer have the original format and, therefore, no longer be readable by its owners.

Files can only be decrypted and returned to their original format through the use of a specific decryption key. It is for this key that Russian hackers ask for the ransom, as without it the data becomes useless.

Measures

This can be considered the biggest cyber-attack with ransomware of all time, as it reached a proportion never seen before in similar cases.

Kaseya asked customers using its system administration platform, VSA, to immediately shut down their servers to try to prevent the possibility of their information being captured by the cyberattack.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Agency (CISA), among other US officials, assisted in the investigations.

US President Joe Biden has warned Russian leader Vladimir Putin to take action against hackers who have been operating in Russia for a long time.

On July 12th, Kaseya has reported that it had fully recovered the servers. These attacks are an increasingly profitable way to take hostages in the virtual universe.

How Does the Russian Group Operate?

REvil, also called Sodinokibi, is one of the best-known hacker gangs today. It operates with dozens of individuals in a “professional” regime with the division of tasks.

While one part of the group invades the systems, the other is responsible for constantly maintaining the ransomware, managing the group’s financials, and negotiating the rescue of the data with the victims.

Hackers drive the attack into double extortion mode, which occurs when Internet hackers take control of the network, extract important and sensitive data, and activate ransomware that encrypts victims’ data.

Then, they ask for a ransom in cash or bitcoins so that they return control of the data and do not disclose the information obtained illegally.

The group explored a series of “zero-days” in the product that allows it to bypass its authentication, arbitrarily upload files, and install pirated software.

With this, they can use a series of tactics and tools to move around the network and have access to all the files that are present.

A tool from Kaseya itself may have been used to take control of the system and activate the malicious software, as it has high-level access privileges on the machines, passing in an authorized way through antivirus.

The exact form used by the group is still unknown, however, the flaws of the American company’s protection to its systems became clear.