In the Kaseya ransomware attack, the REvil threat actor group achieved exponential reach by compromising a tool that managed service providers (MSPs) use to manage their customers' networks, and then using that access to encrypt the networks of the companies that were customers of those MSPs. Current estimates are that around 60 of Kaseya's MSP customers were compromised and that the total number of companies impacted (the MSPs' customers) is around 1,500. Now the threat actors are demanding $70 million for a universal decryptor to decrypt all of the companies that were hit.
That is bad. But, apparently, it could have been much worse — it could have been truly catastrophic. According to Kaseya, this attack was stopped quickly and only had limited impact. Let this excerpt sink in for a moment:
Kaseya stressed that the number of groups hit by the attack would have been far higher — as many as 1 million companies managed by Kaseya's 35,000 customers — but that the breach had only a "limited impact."
Source: Up to 1,500 companies compromised by ransomware attack on Kaseya, The Hill
That is really bad. That is the kind of crippling attack that could make the impact of the Colonial Pipeline ransomware attack pale in comparison.
But here is the part that really makes this sad. We have been preaching cyber hygiene, cyber risk management, supply chain risk management, blah blah blah until we've been blue in the face, but in this case these roughly 1,500 victim companies did not bring this on themselves by neglecting to do better. They were trying.
This was much like the SolarWinds situation: the companies recognized they needed professional help (at least to some degree) and thought they had done the right thing by hiring professional MSPs, and that turned out to be their downfall. Going back several years to the Sony Pictures Entertainment "unique" and "unprecedented" attack, we see time after time that there simply are no silver bullets and there is no such thing as "secure" in today's cyber world. So, what are our companies to do? What are we to advise our clients?
Again, there is nothing easy about managing cyber risk. There are no easy answers. Period. If someone thinks they have suddenly found the magic silver bullet that will solve all of it, they probably don't understand the competing issues well enough to even recognize their own ignorance. Could there be an exception to this? Sure, there could be, and it may already exist, but I've never seen it, and people much smarter and better informed than I am tell me they haven't either.
But, for now, we can help this situation by striving to be as secure as reasonably possible and preparing to be resilient as well. This was my main premise in an article for Ethical Boardroom following the FireEye / SolarWinds attack late last year, and I encourage you to read it and let me know your thoughts: A lesson in humility from the FireEye and SolarWinds cyber attack