
Kaseya ransomware attack: The knock-on effect of the cyberattack on managed service providers


Ransomware continues to be one of the top threats to Managed Service Providers (MSPs), critical infrastructure organizations and government agencies at all levels. As threat actors continue to evolve their strategies and increase demands, organizations are feeling the pressure of defending themselves against one of the greatest risks in the current cybersecurity environment. 

The recent ransomware attack on Kaseya has demonstrated the very real risk facing organizations today. The attack on the U.S. information technology firm affected between 800 and 1,500 businesses around the world and came with a $70 million demand for a universal decryptor key covering all affected organizations.

The Kaseya attack is especially dangerous because many MSPs use the company and trust it to handle IT functions such as endpoint inventory, patching, and software deployment. The damage caused by the Kaseya cyberattack is likely to extend further than the MSPs directly affected by the threat, since each MSP would usually serve a large number of end customers.

The impacts of the Kaseya attack have highlighted the need for MSPs to act with urgency when it comes to cybersecurity. Aside from planning their response to a successful future attack, organizations should keep their prevention and detection technologies top of mind.

The growing need for MSP ransomware protection 

Ransomware is a fast-growing threat affecting organizations of all sizes and industries. Cybersecurity Ventures predicts that the damage caused by ransomware could cost the world $265 billion by 2031.

Over recent years, ransomware has grown from a moderate risk to major headline-grabbing news, and attackers’ capabilities have also developed over time. Beyond the relatively “simple” threat of data lockouts once synonymous with ransomware attacks, ransomware groups now pose even greater risks. It is very common practice to steal copies of data prior to encryption, in an effort to extort a payment even if the organization chooses to restore and rebuild rather than pay a ransom.

Ransomware attacks are especially harmful to MSPs due to their links to multiple business networks. MSPs such as those affected by the Kaseya attack may have direct or indirect access to multiple systems across many businesses, and the spiral effect this can have is illustrated by this attack. 

Defending against these types of attack requires prevention as well as detection and response capabilities. Whilst the initial threat vector may have been a zero-day, behavioral analytics could have detected unusual activity such as unusual resource access or unexpected commands being issued.

Implementing a properly configured security monitoring solution that has full visibility into the environment, with robust automated response capability, would go some way to helping organizations such as Kaseya and its MSP customers identify ransomware attacks before they can take hold. It’s interesting to note that the compromise affected on-premise deployments rather than the SaaS offering, and organizations might do well to evaluate whether they are monitoring the devices that perform network management tasks. “Quis custodiet ipsos custodes” may be particularly salient!

Implementing a proactive response and strategy 

Ransomware attacks are increasing in frequency and seriousness. The Kaseya attack has once again highlighted the need for MSPs to adopt a long-term cybersecurity strategy to protect their customers. To combat the devastating effects of ransomware, MSPs need to consider a comprehensive set of cybersecurity solutions to mitigate and defend against future attacks.

MSPs should review their incident response plans in response to this incident and develop an incident response (IR) plan that is explicitly focussed on a ransomware attack. The IR plan should detail the specific actions that security teams should take as soon as it becomes apparent that an attack is underway. This will help to ensure a prompt response in a situation where time is of the essence to stop or contain a serious situation. At the same time, MSPs should revisit their disaster recovery plans. A defined plan can reduce the impact of an attack targeting an organization. Indeed the CEO of Kaseya stated that their response was made easier by the fact that they had a playbook to follow, even though they would have preferred not to have to enact it.

Ransomware is particularly harmful to businesses due to its ability to destroy backup files and encrypt regular files, causing major organizational damage. It is imperative that MSPs frequently back up all documents to a location that can’t be affected by the ransomware and then verify that these files can be restored easily if needed. Even network shares or cloud storage may not be entirely safe, as files that have already been encrypted or corrupted by the ransomware could be automatically backed up to the network or the cloud, also corrupting the files in those storage locations.
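The risk described above, where already-encrypted files are synced over good backup copies, can be reduced by checking a batch of changed files before it is backed up. The following is an added example, not part of the original article; the function names and both thresholds are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

ENTROPY_LIMIT = 7.5     # bits/byte; assumed threshold, encrypted data sits near 8.0
SUSPECT_FRACTION = 0.5  # assumed: hold the sync if half of the changed files look encrypted

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def looks_encrypted(path: str, sample: int = 65536) -> bool:
    """True when the first `sample` bytes of the file are close to random."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample)) >= ENTROPY_LIMIT

def safe_to_sync(changed_paths):
    """Return (ok, suspects); ok is False when too many changed files look encrypted."""
    changed = list(changed_paths)
    suspects = [p for p in changed if looks_encrypted(p)]
    ok = not changed or len(suspects) / len(changed) < SUSPECT_FRACTION
    return ok, suspects

def demo():
    """Constructed sample: four text files, then three overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for i in range(4):
            p = os.path.join(d, f"report{i}.txt")
            with open(p, "wb") as fh:
                fh.write(b"Quarterly patching summary for client site.\n" * 200)
            paths.append(p)
        ok_before, _ = safe_to_sync(paths)
        for p in paths[:3]:  # stand-in for files encrypted in place
            with open(p, "wb") as fh:
                fh.write(os.urandom(8192))
        ok_after, suspects = safe_to_sync(paths)
        return ok_before, ok_after, len(suspects)

if __name__ == "__main__":
    print(demo())
```

Compressed formats such as archives and images also score high on entropy, which is why the check looks at the fraction of a changed batch rather than at single files; it complements, and does not replace, offline backup copies and restore testing.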

Whilst not a factor in the case of Kaseya, user awareness training is an effective means to teach people how to avoid falling victim to phishing email messages, which are the most common attack vector. Many attackers rely on social engineering tactics that are growing more and more sophisticated. MSP teams, as well as the wider IT user community, need to learn what to expect and maintain a high level of attentiveness to avoid infection.

To further protect their operations, MSPs can deploy endpoint protection tools that detect infections in the early stages and respond to them automatically and quickly, so that they don’t become major incidents. Threat intelligence sources can be implemented to block and alert on the presence of anomalies associated with ransomware within network traffic.

Preparing for a threat secure future 

Ransomware attacks against MSPs are an established and growing threat. Due to the sizeable gains for threat actors, these types of attacks are continuing to trend within the cybersecurity landscape, resulting in greater financial and reputational losses for organizations that fall victim.

Recovering from a ransomware attack takes time as well as a proactive response to mitigate future attacks. The next six months will be critical to Kaseya and its MSP customers. In addition, all organizations providing remote IT services should take note and review their cybersecurity posture. Combatting ransomware threats requires the right mix of proper security hygiene and a solid cybersecurity strategy that includes multiple prevention and detection capabilities. To ensure the future of their operations, MSPs need to consider a long-term approach to a threat that is set to remain firmly on the radar of cybersecurity teams for years to come.

Andrew Hollister, Vice President, LogRhythm Labs

Andrew oversees the LogRhythm Labs EMEA team to advance LogRhythm’s vision for providing unrivalled machine data intelligence, pre-packaged solutions for holistic threat detection and compliance automation.