As my colleagues and clients in the US enjoyed their extended July 4th break last weekend, news of Kaseya — a new ransomware attack — started to circulate across the news wires. Criminals seem to have waited for a strategically suitable time to launch their attack and chose an extended holiday weekend during which many IT departments would be reduced to skeleton crews and caught unprepared for the events that were to unfold.
Ransomware is nothing new and as the ransomware trend has shifted from consumer to business over the past few years, IT departments supporting those businesses are constantly bracing themselves for the worst to happen.
However, the Kaseya attack represents a novel attack distribution method that we will see again. Leveraging multiple single points of failure (SPoFs) to spread malicious code has now proven to be a successful attack strategy. We should expect to see more “double-embedded” SPoF attacks that use both software supply chains as well as service providers to achieve criminal aims. Identifying the most privileged links in your insureds’ software supply chains is now paramount.
A sophisticated ransomware attack
Once again, we saw a new level of attack sophistication here. This time, not so much in terms of the code tradecraft involved, but rather due to the distribution method employed in this attack — although, the discovery of “zero-day” vulnerabilities in common SPoFs is becoming a worrying trend in itself.
Previously, we’ve seen unknown vulnerabilities exploited in Kaseya IT Management Software. However, this time, these vulnerabilities were leveraged not within the software provider themselves (Kaseya itself was not breached), nor within the systems deployed at the ultimate targets or the criminal. Instead, Managed Service Providers (MSPs), each providing remote IT monitoring and support to hundreds of end-user organisations, were used as a distribution mechanism for the ransomware.
Rather than targeting the MSPs for ransoms (as far as we can tell no ransoms have been demanded of the breached service providers), the criminals have cleverly distributed their attack through the MSPs and are demanding ransoms between $25,000 and $45,000 of the businesses that the MSPs serve. Targets currently stand at around 1,500 businesses worldwide and more than one million systems, according to the REvil criminal group who have claimed responsibility for the attack. To put it into perspective, the WannaCry outbreak of 2017 affected around 230,000 systems globally.
How will this affect (re)insurers?
We should expect ransomware to continue to evolve both in its methods of infiltration, its data capture and its distribution strategies. Attackers such as the REvil group now consist of many stakeholders, operating in many cases as cartels and leveraging “best of breed” skill sets that, when brought together, represent a formidable foe.
Insurers should not underestimate the cybercriminal sensitivity to political and social dynamics as they plan their attacks. It was also certainly not a coincidence that this attack occurred just prior to a US holiday weekend. Equally, links between the timing of this attack and recent interactions between heads of state are probably not coincidental.
All of this also highlights the need for (re)insurers to seriously consider how they analyse the digital and service supply chains that their clients rely on. Recent hacks on SolarWinds, Microsoft and others have shown us the criminals are heavily invested in the idea that targeting common SPoFs can reap huge rewards, whether that reward is financial, intellectual or political. This most recent event shows us that SPoFs can include the service partners that our business uses to manage the systems on which their companies rely so heavily.
How risk modeling can predict future ransomware attacks
These kinds of attacks will only increase in frequency and severity, so (re)insurers must be prepared for the unavoidable. Knowing what to prepare for will be key to limiting the effects of future cyber attacks, especially ones that impact the supply chain. This is where accurate cyber risk modeling comes in.
CyberCube has spent the past two years developing data partnerships and sophisticated software techniques that can help insurers better understand a client’s cyber risk exposure and dependencies on common SPoFs. We believe that this type of functionality (we call it “SPoF Intelligence”) is going to be critical as insurers strive to better understand their risk postures as the threat landscape evolves.
Learn more in our free report about supply chain cyber risk and SPoFs — Building Blocks of a Catastrophe Scenario.