When the REvil ransomware gang attacked Kaseya VSA and many of its customers recently, Kaseya urgently advised clients to unplug from its platform. Organizations responded. Our Cortex Xpanse global Attack Surface Management platform detected a 96 percent drop in the number of vulnerable Kaseya servers visible to attackers over the internet – going from about 1,500 on July 2 to just 60 on July 8.
While that response to the attack likely prevented even more infections, it also pointed to an unfortunate reality. Sounding the alarm and shutting down access to critical software in a panic is not the best way to fight the growing ransomware epidemic. When organizations wait to react to ransomware until after it hits, disruptions are inevitable. The goal should be to prevent attacks and disruptions from happening in the first place, which means that the best time to prepare for ransomware is now, before you are attacked.
The REvil attack is just the latest indication that the global ransomware gangs are still growing vigorously in numbers and strength, becoming ever more audacious and innovating toward increasingly spectacular and lucrative attacks. And why not? The returns on investment are enormous and the risk of getting caught is almost nonexistent.
In this most recent incident, REvil showed us something new, a wholesale approach that infected some of Kaseya’s direct customers and then many of those customers’ own clients through a single attack on Kaseya itself. (In an update regarding the attack, Kaseya wrote that “fewer than 60” direct customers were affected and “fewer than 1,500 downstream businesses” were impacted.) Then REvil demanded a single, eye-popping ransom of $70 million (since reduced to $50 million) for a universal decryption key that will work for any and all of the victims.
Compare that to just six years ago, when the average ransom demand in our clients’ cases was about $10,000. Or to just last year, when the average ransom demand had climbed to about $850,000, according to the 2021 Unit 42 Ransomware Threat Report, and the largest payout for the year was under $5 million.
(If you think you may have been impacted by this or any other attack, please reach out to the Unit 42 Incident Response Team.)
You probably have a disaster recovery plan for fire, earthquake and other natural disasters. A ransomware attack can have similar impacts on a company's operations and should carry the same level of preparedness. You can start by asking yourself these questions:
- Think as if you were the attacker. Knowing your organization as you do, what would hurt you the most? Which data do you need to consider and protect?
- Do you have a written incident response plan and playbook for a ransomware event? Have there been changes to the people in your organization, new technology, etc.? When was the last time you tested and revised it?
- Have you run simulations and pen tests and validated your detection and response capabilities and processes? Did you find any gaps between the plan and standard operating procedures?
- Do you have backups? Are backups of your most critical data offline and offsite? Have you tested restoration and confirmed your backups work as expected?
- And finally, do you have cyber insurance and an incident response retainer in place in the event of the worst-case scenario?
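The backup question above is the one most often answered "yes" without evidence. The script below is an added example, not code from the original post or from Unit 42, of the minimum check that question implies: record a SHA-256 manifest when a backup is taken, then prove the archive restores into a scratch directory and that every file matches. The sample data, file names and paths are constructed for the example; the second archive deliberately omits one file to show that a backup job can "succeed" and still fail a restore test.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a backup archive
# restores to exactly the data it was taken from. Requires GNU coreutils
# (sha256sum) and tar; all sample data below is constructed for the demo.
set -eu

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archive SRC_DIR and record a SHA-256 per file so later restores can be
# checked against what was actually present at backup time.
make_backup() {
  src=$1; archive=$2; manifest=$3
  ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
  tar -C "$src" -cf "$archive" .
}

# verify_restore ARCHIVE MANIFEST
# Restore ARCHIVE into a fresh scratch directory and re-check every hash in
# MANIFEST. Returns 0 only if the archive extracts and every listed file is
# present with the recorded contents; a missing or altered file returns 1.
verify_restore() {
  archive=$1; manifest=$2
  # sha256sum -c runs from inside the scratch dir, so the manifest path must be absolute.
  case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
  scratch=$(mktemp -d)
  if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
    rm -rf "$scratch"; return 1            # unreadable or corrupt archive
  fi
  rc=0
  ( cd "$scratch" && sha256sum -c --quiet "$manifest" ) || rc=$?
  rm -rf "$scratch"
  return "$rc"
}

# demo: a good backup passes; a backup that silently skipped a file fails.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/db"
  printf 'constructed sample document\n' > "$work/src/report.txt"
  printf 'constructed sample database\n' > "$work/src/db/accounts.db"

  make_backup "$work/src" "$work/good.tar" "$work/manifest.sha256"
  if verify_restore "$work/good.tar" "$work/manifest.sha256"; then
    echo "good.tar: restore verified"
  else
    echo "good.tar: RESTORE FAILED"
  fi

  # Simulate a backup job that missed a file (e.g. locked at backup time).
  cp -R "$work/src" "$work/partial"
  rm "$work/partial/db/accounts.db"
  tar -C "$work/partial" -cf "$work/partial.tar" .
  if verify_restore "$work/partial.tar" "$work/manifest.sha256"; then
    echo "partial.tar: restore verified"
  else
    echo "partial.tar: RESTORE FAILED (archive incomplete)"
  fi
  rm -rf "$work"
}

demo
```

The manifest is what turns "the tar job exited 0" into "the data we need is actually in the archive". Keep the manifest with the offline copy of the backup so the restore test can be rerun from a host that has never seen the production system, which is the situation you will be in after a ransomware event.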
The key is to think about the changes you would make after a ransomware attack and figure out how to make those changes before an attack actually takes place. You have the power to fight back, but it starts with being prepared.
Consider engaging a team of cybersecurity professionals to conduct a Ransomware Readiness Assessment that will help you determine how prepared you are for an attack, run tabletop exercises and identify any security gaps that need to be filled.