The Difference Between an Attempted Attack and a Widespread Ransomware Attack is Employee Reporting
By Tonia Dudley, Strategic Advisor
The recent Kaseya attack, in which threat actors leveraged a zero-day vulnerability over the holiday weekend, demonstrates that ransomware is here to stay. Further, the reported $70 million ransom demand to end the attack shows us how lucrative ransomware remains for threat actors around the globe.
According to the company’s incident update, its R&D team was already working on a patch for the reported vulnerability. We now know the vulnerability was exploited before that patch was ready, but Kaseya quickly initiated its incident response process and made information available to its customers and the public at a regular cadence.
What stands out most to me about this particular attack is how far-reaching its impact was. By targeting a software product used by so many MSSPs, the threat actors turned a single compromise into a much deeper attack. And given that many of Kaseya’s customers are reported to be small and medium-sized businesses, which are more likely to rely on an MSSP for the security resources and protection they cannot provide themselves, this attack is particularly concerning.
While in this case the attack propagated through a software vulnerability, the vast majority of ransomware cases begin with a malicious email carrying malware. Cofense has seen numerous such malware attacks in our Phishing Defense Center over the last couple of years; the most prevalent recently have been those delivering BazarBackdoor, which has led to Ryuk ransomware.
Conditioning employees to be aware of this threat, to be resilient, and to report any suspected phishing email to their security operations team is key. It can mean the difference between an organization experiencing an infection or two at worst and a widespread ransomware attack.
Any cyber attack should be a wake-up call, but this event directly targeted MSSPs, making it critical for them to examine their security controls, fully understand the risk they carry, and identify where they need to add mitigating controls.
With 17 countries affected by this recent attack, I am also left thinking about what it means when cybercrime crosses the physical borders of countries. Maybe it’s time to consider agreements between countries on handling the harboring of cybercriminals. We’ve seen coordinated takedowns and arrests across borders, for example against TrickBot and EMOTET, and the approach should be the same for ransomware attacks.
The full incident response for this event is still in progress. Post-incident follow-up will allow affected organizations, as well as the software vendor, to understand how to enhance the mitigating controls and monitoring that would detect an incident like this one. Once the postmortem is complete, we’ll also be able to judge whether the software bill of materials (SBOM) requirements in the recent Executive Order will have an impact on incidents like this.
Until then, any organization seeking phishing detection and response (PDR) capabilities should contact our team to learn more about Cofense’s PDR solutions and managed services. As recent events demonstrate, ransomware isn’t going anywhere, but your employees can play a critical role in identifying potential threats and keeping your organization from becoming the next ransomware victim. Get real-world ransomware attack email examples here and learn how to protect yourself.