The ransomware threat group that calls itself REvil made use of a vulnerability in IT management software from Kaseya to attack over 1,000 businesses late last week. The attacks pivoted through at least eight Managed Service Providers (MSPs) employed by those businesses to remotely manage their workstations and servers, and used the vendor trust relationship and access that the MSPs had to install ransomware on their clients’ computers. On Friday, the REvil gang set the initial ransom for the over one million affected devices at $70 million USD. That price is for the universal decryptor, which would unlock all of the devices hit with the ransomware. It should be noted that REvil has allegedly dropped the price to $50 million and is apparently willing to negotiate. Currently, it is not known whether any of the victims have paid the ransom.
REvil Sets Ransom Close to 70 million for Universal Decryptor
Had REvil not lowered the price, and had the ransom been paid, it would have been the highest ransom paid to date. A second issue to consider is the scope of the attack: hundreds of organizations were affected because so many MSPs rely on Kaseya VSA to manage their customers’ workstations and servers. As more information emerges from the many incidents being responded to, MSPs and their clients should consider together how best to limit the potential for harm that is inherent in any trusted remote administration of resources. For example, instead of adding every folder where the MSP’s management software runs to an antivirus exclusion list, it may be more useful to profile the expected activity of the management software and allow those specific actions, without opening the door to virus-like behavior, or at least to alert on such behavior and respond quickly to stop further harm. Managed Service Providers can provide more value to their clients by integrating security operations or partnering with a security provider to monitor for anomalous behavior and halt malicious activity, including suspicious actions taken by the MSP’s management software itself.
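As an added illustration of the profiling approach described above (example code, not from the original article or from Kaseya), the sketch below keeps a baseline of which child processes a remote-management agent is expected to launch and from which directories, and flags any agent-spawned process outside that baseline rather than exempting the agent's folders from scanning. The agent path, the profile and the process-creation records are all constructed placeholders.

```python
"""Profile-based alerting on a remote-management agent's activity."""
import ntpath

# Hypothetical agent path and baseline profile (constructed, not vendor data).
AGENT_IMAGE = r"C:\Program Files\MSPAgent\agent.exe"
PROFILE = {
    # Child process names the agent is expected to launch in normal operation.
    "allowed_children": {"msiexec.exe", "cmd.exe", "powershell.exe"},
    # Directories those children are expected to be loaded from.
    "allowed_dirs": {r"c:\windows\system32", r"c:\program files\mspagent"},
}


def evaluate(event: dict, profile: dict = PROFILE, agent: str = AGENT_IMAGE) -> list:
    """Return the reasons an agent-spawned process falls outside the profile.

    An empty list means the event matches expected behaviour. Events whose
    parent is not the agent are out of scope and also return an empty list.
    """
    if event["parent"].lower() != agent.lower():
        return []
    name = ntpath.basename(event["image"]).lower()
    directory = ntpath.dirname(event["image"]).lower()
    reasons = []
    if name not in profile["allowed_children"]:
        reasons.append(f"unexpected child process {name!r}")
    if directory not in profile["allowed_dirs"]:
        # A known-good name from an unprofiled directory is still suspicious.
        reasons.append(f"child loaded from unprofiled directory {directory!r}")
    return reasons


def scan(events: list, profile: dict = PROFILE) -> list:
    """Run each process-creation event through the profile; return alerts."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev, profile)
        if reasons:
            alerts.append({"ts": ev["ts"], "image": ev["image"], "reasons": reasons})
    return alerts


# Constructed process-creation events (Sysmon-style fields, invented values).
SAMPLE_EVENTS = [
    {"ts": "T1", "parent": AGENT_IMAGE, "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec /i patch.msi /qn"},
    {"ts": "T2", "parent": AGENT_IMAGE, "image": r"C:\Windows\Temp\msiexec.exe", "cmd": "msiexec /i patch.msi /qn"},
    {"ts": "T3", "parent": AGENT_IMAGE, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd /c ipconfig /all"},
    {"ts": "T4", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\Temp\msiexec.exe", "cmd": "msiexec"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only T2 is flagged: the same installer name launched from an unprofiled directory, which a folder-wide exclusion list would never distinguish from the legitimate copy.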