Hackers use popular RMM tool to launch record-breaking ransomware attack

On 3rd July 2021, Russian-linked hacking group REvil carried out the biggest ransomware attack on record – resulting in thousands of companies in 17 countries worldwide (and counting) being affected.

The attack was so effective – because it spread through Kaseya's RMM (remote monitoring and management) software, used by Managed Service Providers (MSPs), who offer outsourced IT support to their own roster of clients – that the hackers have given up trying to extort funds from individual businesses and are now demanding $70m (£50.5m) to issue a decryption key to all companies affected.

Supply chain attacks: the snowball effect
This kind of supply chain attack is designed to create a snowball effect, where customers of the infected software infect their own customers in turn. It is clearly a particularly lucrative method for the hackers, so it’s likely we will see more of the same in future. Indeed, US statistics show that supply chain attacks rose by 42%, impacting up to seven million people.

REvil is boasting that they have infected more than a million devices, and chances are they’re banking on insurers deciding that the ransom amount will be lower than the costs of continued business disruption.

It’s still not known how many UK companies have been affected (although this is currently being investigated by the National Cyber Security Centre, which is part of GCHQ), but it’s been confirmed that organisations in the US, Canada, Sweden, New Zealand, the Netherlands, South Africa, Germany and Colombia have been compromised. Most are smaller firms – the type likely to use outsourced IT support rather than have in-house departments.

Will we ever discover the true impact of this audacious hack?
Some companies have been confirmed to have suffered as part of this record-breaking ransomware attack – for example, most of the 800 grocery stores owned by Swedish retailer Coop were closed for several days because its till software supplier was crippled, while two big Dutch IT services companies were reportedly affected, and schools in New Zealand were also said to have suffered a breach. However, it’s not common for ransomware victims to declare publicly that they’ve been the subject of an attack, or that they’ve paid ransoms, so the true number of organisations affected could be much, much higher than we currently know.

Kaseya has announced that the attack only affected ‘on-premises’ customers – those who run their own data centres, as opposed to using cloud-based services – and on Friday called on customers to shut down their VSA servers. The company says it hopes to issue a patch within the next few days. In fact, it’s been reported that Kaseya was already aware of the zero-day vulnerability (having been alerted by the Dutch Institute for Vulnerability Disclosure) and was still validating its patch when the attack began, so the hackers beat the Kaseya team to it before the fix could be rolled out.

IT community works together to effect recovery
Hearteningly, the IT community appears to be pulling together to help solve the problem of the sheer number of companies affected – there’s certainly a resource problem when every single one of an MSP’s customers requires critical support at the same time. There’s a Reddit thread, started by cybersecurity specialist Huntress Labs, which offers an insight into what’s been happening with this particular attack, and encourages affected MSPs to make contact, so that they may be matched with another suitable MSP that is unaffected and has spare capacity.

Prevention is better than cure
But there is an easy way to make sure that a company’s data can never be held to ransom in this way: backups.

With proper ransomware protection – where your backup files are immutably protected from deletion even when undergoing an attack – you can avoid your data being held hostage by cybercriminals. If affected by a supply chain breach (or any other kind of hacking technique) you can simply restore your business data and applications, quickly and easily, avoiding business disruption, and crucially avoiding any financial outlay.
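The following is an added illustration of the immutability property described above: a toy backup vault that enforces a retention lock, so that a backup cannot be deleted or overwritten before its retain-until time, even by a process holding the owner's own credentials. It is not code from the original article and is not Vitanium's, Veeam's or Zadara's product code; the class and function names (ImmutableVault, tamper_attempt, demo) and the timestamps are made up for this example.

```python
"""Toy model of an immutable (retention-locked) backup vault.

Added example, not the article's or any vendor's code. It assumes a single
rule: while a backup object is inside its retention window, no caller can
delete or overwrite it, whoever they are. After the window expires, normal
lifecycle deletion works again. All names and sample data are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ImmutabilityError(PermissionError):
    """Raised when a locked backup object would be deleted or overwritten."""


@dataclass(frozen=True)
class BackupObject:
    name: str
    data: bytes
    sha256: str          # digest taken at write time, checked again on restore
    retain_until: datetime


@dataclass
class ImmutableVault:
    retention: timedelta
    _objects: dict[str, BackupObject] = field(default_factory=dict)

    def names(self) -> list[str]:
        return list(self._objects)

    def put(self, name: str, data: bytes, now: datetime) -> BackupObject:
        # Write-once: an existing object that is still locked cannot be replaced.
        existing = self._objects.get(name)
        if existing is not None and now < existing.retain_until:
            raise ImmutabilityError(f"{name} is locked until {existing.retain_until.isoformat()}")
        obj = BackupObject(name, data, hashlib.sha256(data).hexdigest(), now + self.retention)
        self._objects[name] = obj
        return obj

    def delete(self, name: str, now: datetime) -> None:
        # Deletion is refused for any object inside its retention window, regardless of caller.
        obj = self._objects[name]
        if now < obj.retain_until:
            raise ImmutabilityError(f"{name} is locked until {obj.retain_until.isoformat()}")
        del self._objects[name]

    def restore(self, name: str) -> bytes:
        # Re-verify the digest so a corrupted or tampered copy is never restored silently.
        obj = self._objects[name]
        if hashlib.sha256(obj.data).hexdigest() != obj.sha256:
            raise ValueError(f"{name} failed integrity check")
        return obj.data


def tamper_attempt(vault: ImmutableVault, now: datetime) -> dict:
    """Try to delete and then overwrite every backup, as a compromised backup
    account would during an attack; return how many operations the lock blocked."""
    blocked = 0
    for name in vault.names():
        try:
            vault.delete(name, now)
        except ImmutabilityError:
            blocked += 1
        try:
            vault.put(name, b"<overwritten>", now)
        except ImmutabilityError:
            blocked += 1
    return {"blocked": blocked, "remaining": len(vault.names())}


def demo() -> dict:
    """Walk through backup, attack, restore and eventual expiry with constructed dates."""
    t0 = datetime(2021, 7, 2, 12, tzinfo=timezone.utc)   # constructed backup time
    vault = ImmutableVault(retention=timedelta(days=14))
    payload = b"customer-db-2021-07-02.bak: constructed sample contents"
    vault.put("customer-db", payload, t0)

    # The attack lands the next day, inside the 14-day lock: nothing can be removed.
    result = tamper_attempt(vault, t0 + timedelta(days=1))
    result["restored_ok"] = vault.restore("customer-db") == payload

    # Once retention has expired, routine deletion is permitted again.
    vault.delete("customer-db", t0 + timedelta(days=15))
    result["after_expiry"] = len(vault.names())
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the retention check sits in the storage layer and looks only at the clock, not at who is asking: a credential stolen from the backup server gains nothing until the window has passed, which is what makes the restore path survive the attack. In a real deployment the equivalent is a backup target with object lock or a hardened repository, and the retention period should be longer than the time it plausibly takes to notice an intrusion.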

At Vitanium we manage everything ourselves – from start to finish. This means that not only will we ensure that the system is correctly configured from the outset, but we use our own ISO27001 and ISO9001 accredited data centres, and we offer unrivalled support by our UK team. Whether you need a backup, or require support with any storage solution challenges, we’re speedily on the case.

To find out more about our ransomware protection solutions – facilitated by our technology partners, Zadara and Veeam – get in touch with our friendly team today.