A New Kind of Ransomware Tsunami Hits Hundreds of Companies

Ransomware and supply chain attacks are the two most prevalent cybersecurity threats today, and it was only a matter of time before they combined to cause havoc. On Friday afternoon, the notorious REvil criminal group used compromised IT management software to encrypt the files of hundreds of businesses. This is just the beginning.

It is still unclear how the attackers got into the software. The impact is already severe, and because of who the victims are, it will only get worse. Kaseya VSA is popular among managed service providers (MSPs), the companies that run IT infrastructure for businesses that would rather outsource it than manage it themselves. Hack one MSP and you gain access to all of its customers. It is the difference between breaking into individual safe-deposit boxes and stealing the bank manager's skeleton keys.

According to the security company Huntress, REvil has so far hit eight MSPs. Three of those, which Huntress is working with directly, account for 200 of the businesses whose data was encrypted on Friday. It is easy to extrapolate how much worse the picture may be, given how widely Kaseya is used.

"Kaseya is the Coca-Cola of remote management," says Jake Williams, chief technology officer at BreachQuest. "Because we're going into a holiday weekend, we won't know how many victims there are until Tuesday or Wednesday of next week. It is massive."

Worst of Both Worlds

MSPs have long been a favorite target for hackers, especially nation-state groups. If you can manage it, hitting them is a very efficient way to spy. In 2018, China's elite APT10 espionage group used MSP compromises to steal data from dozens of companies. REvil itself has used MSPs to attack before: in 2019 it used its foothold in a third-party IT company to take over 22 Texas municipalities.

Supply chain attacks have also been increasing in frequency; the SolarWinds attack last year, for example, gave Russia access to multiple US agencies and many other victims. Like MSP attacks, supply chain hacks have a multiplicative impact: one malicious software update can lead to hundreds of victims.

It is easy to see why an attack on MSPs through their supply chain can have devastating consequences. Add system-crippling ransomware and the picture gets worse still. The combination recalls the NotPetya disaster, which used a supply chain compromise to spread malware that initially appeared to be ransomware but was actually a Russian nation-state attack. Another recent Russian campaign also comes to mind.

"This is SolarWinds with ransomware," says Brett Callow, an analyst at the antivirus company Emsisoft. "When a single MSP is compromised, it can impact hundreds of users. In this instance, it appears that multiple MSPs were compromised."

Williams of BreachQuest says REvil is asking victim companies for roughly $45,000 in the cryptocurrency Monero, and the demand doubles if they don't pay within a week. The security news site BleepingComputer reports that REvil asked some victims for $5 million to "unlock all PCs in your encrypted network." That demand may have been aimed at MSPs rather than at their clients.

"We often talk about MSPs as the mother ship for many small to medium-sized businesses and organizations," says John Hammond, a senior security researcher at Huntress. "If Kaseya is the target, bad actors have just stolen all their mother ships."