The Kesaya Ransomware Attack is a Really Big Deal

Link to tweet

https://www.lawfareblog.com/kesaya-ransomware-attack-really-big-deal

If you’re not already paying attention to the Kaseya ransomware incident, you should be. It’s likely the most important cybersecurity event of the year. Bigger than the Exchange hacks by China in January. Bigger than the Colonial pipeline ransomware incident. And, yes, more important than the SolarWinds intrusions last year.

First, some background. Kaseya is a managed service provider; its customers use Kaseya to manage their company IT infrastructure. As part of this task, Kaseya can deploy software to the systems under management, in a way that is broadly equivalent to a software provider deploying an automatic update to those machines. For those interested in more, Nick Weaver wrote a piece for Lawfare that walks through the background in depth.

Under normal circumstances, automatic software deployment, especially in the context of software updates, are a good thing. But here this feature was turned on its head. Russian-based criminal gang REvil hacked into Kaseya’s management system, and pushed REvil software to all of the systems under Kaseya’s management. From there, the ransomware promptly disabled those computers and demanded a cryptocurrency payment of about $45k per system to set the machines free. As of writing, REvil claims that about a million total computers were affected, and is offering a “bulk discount” of $70m to unlock all affected systems in a single payment.

Although the direct impact is already enormous, to me, the direct impact is, in some sense, far less important than the issue of how the incident occurred, namely by subverting software delivery mechanisms as a means to install ransomware.

*snip*