In July, an attack on a US-based software provider Kaseya by the notorious Russia-based ransomware gang, REvil, affected more than 1,500 global organizations and caused millions of dollars in losses.
It took 19 days for the company to get its hands on a ransomware decryptor and distribute it to hundreds of clients affected by the ransomware attack.
A new WashingtonPost report sheds more light on the attack, including the fact that the FBI had managed to get the decryption key three weeks before Kaseya’s decryptor. The FBI managed to gain access to the servers of the REvil ransomware gang behind the Kaseya attack and gained control of the ransomware decryptors. However, the ransomware decryptors were not released to the public, disrupting thousands of businesses and healthcare providers for almost three weeks and millions in losses.
What withholding of ransomware key means for veterinary practices
The Kaseya attack resulted from hackers exploiting a vulnerability in a remote computer management tool called Kaseya VSA to deploy ransomware and had a big impact because Kaseya is a managed service provider. This meant that the ransomware attack affected companies directly, through Kaseya software, and indirectly, through businesses supported by companies running Kaseya software.
According to the FBI, the decryption keys were withheld for two reasons: first, because the law enforcement agency was trying to bring down the ransomware group and did not want to tip them off, and secondly, because they were working with other agencies on the case, hence they could make a unilateral decision to release the decryption.
Although Kaseya did not negotiate with the REvil ransomware group for payments, the case highlighted the complexities of supply-chain ransomware attacks. Veterinary practices that were using Kaseya or getting their IT services from companies using the Kaseya software had little control over what they could do to get a decryption key.
The only practices that were not severely affected by the Kaseya ransomware attack were those that had business continuity built into their backups.
FBI ransomware investigations
The planned takedown of the REvil ransomware group never materialized. On July 13th, the REvil ransomware group’s online presence was erased.
According to current and former FBI officials, the group’s platform going offline disrupted their ability to execute its plan to get people behind the ransomware group. The group had previously carried out high-profile attacks against JBS, where they were paid over $11 million.
Protection against REvil ransomware attacks
The REvil ransomware group reappeared earlier this month, indicating that it had already attacked eight new victims, including a legal aid service for the poor and a plastic manufacturing company.
Past ransomware attacks by the group indicate they demand ransoms ranging from $45,000 to $5 million, with the highest ever request coming in July, when they demanded $71 million from Kaseya. The group has also targeted small and medium-sized organizations, including the latest attack on a legal aid service for the poor, which already runs on limited funds.
Veterinary practices using Kaseya had little they could have done differently to avoid the ransomware attack. The attack originated from third-party software critical to their day to running of practices; hence they had no control over the security measures their managed service providers had put in place to protect them. This is because the Kaseya ransomware attack was a supply-chain attack that required no intervention from their victims.
To protect your veterinary practice from future supply-chain ransomware attacks, you will need to have a data backup and business continuity. This will help you mitigate the impact of a supply-chain REvil ransomware attack.
You should also have an anti-malware program installed on your system to detect ransomware attacks that are directly targeted at your practice. Training your staff on how to recognize ransomware threats such as phishing attempts, social engineering from hackers, malicious websites and policies such as two-factor authentication for all your staff will also help protect you from future ransomware attacks from the REvil group.
In case your systems have already been compromised, you should consider consulting a cybersecurity expert to assess the damage. Engaging with ransomware gangs and paying them can lead to legal troubles and increase your chances of future ransomware attacks.
Lucca can help you stay protected from REvil
Want to know how Lucca has built security plans for other hospitals to make sure they can withstand a ransomware attack and see how it will work for you? Schedule a free no obligations call now to learn how you can be protected!