Client Advisory: The Kaseya Ransomware Attack

On July 2^nd, software service provider Kaseya reported a cyberattack affecting its Virtual System Administrator (VSA). Kaseya reported that hackers, believed to be from the Russia based REvil Corp, penetrated their network by exploiting a vulnerability in its software code. The threat actors were able to embed malware into their network which allowed it to carry out ransomware attacks against approximately 50 of their clients. Hackers were then able to launch attacks from those victims to several of the victim's clients. As of this writing it is believed that a total of 800 to 1500 organizations were impacted¹. It remains unclear how many will ultimately be affected.

The REvil Corp hackers initially demanded ransom payments up to $5 million from individual victims, then offered a demand of $70 million in payment in return for a universal decryption tool for all victims. As of this writing there has been no confirmation on whether or not any ransom payments were made.

How to Protect Your Organization

Immediately after the attack, Kaseya has recommended that its clients shut down VSA servers in an effort to contain the damage. Read the full alert

The Cybersecurity & Infrastructure Security Agency ("CISA") in coordination for the FBI, offered additional guidance in their own alert. Read the full alert.

Specifically, CISA and the FBI recommends the following steps for managed service providers ("MSP"s) and their clients to mitigate the attack²:

Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
Implement:
- Multi-factor authentication; and
- Principle of least privilege on key network resources admin accounts.

Leveraging Cyber Insurance

Cyber insurance and other insurance policies may provide assistance to organizations that believe they were victimized by the attack. Many stand-alone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators, and several other breach response experts. Those with cyber insurance should be mindful of claim reporting obligations, requirements to utilize insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.

For additional information regarding cyber insurance coverage, please contact your Gallagher team member.

John Farley

Managing Director — Cyber Liability Practice

New York, NY

Phone Number (212) 763-3424

Sources:

¹Kaseya ransomware attack: Up to 1,500 businesses affected by REvil attack says company - CNN

²CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack - CISA