3 security lessons learned from the Kaseya ransomware attack
Ransomware attacks targeting the supply chain are increasing in frequency, along with the cost of ransom payments. In the first half of 2021, the average ransomware payment totaled $512,000, a 171% increase from $312,000 in 2020. Moreover, the amount these attackers request has also increased, with the average ransomware demand in 2021 being $5.3 million, up 518% from the 2020 average of $847,000.
One security incident in particular, the Kaseya ransomware attack, brought attention to a new wave of ransomware attacks specifically targeting managed service providers (MSPs), which often serve as the security lifeline for small to medium-sized businesses. These attacks give cybercriminals access to the MSP, the organizations it serves, and many of those organizations’ customer networks as well, creating a ripple effect of digital havoc. These attacks are also much harder to prevent, since they often exploit employees at the company who think they’re performing everyday tasks like logging in to email. This issue has become more prevalent, especially with the shift to hybrid work. The more devices are connected to the cloud, the harder it is to safeguard those endpoints from attackers.
Let’s explore how organizations can better prepare themselves and their customers for these attacks in the future, and some of the strategies to identify the threats before they become a widespread issue.
Trust No One: Zero Trust as a Prevention Mechanism
With the Kaseya attack, the REvil ransomware group was able to bypass authentication by simply sending a null password, which granted them a session cookie that let them upload files onto the Kaseya VSA server. This was a fairly simple exploit that could have been avoided if there had been more stringent behavior detection practices in place, which can be achieved through zero trust.
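The following is an added illustration of the bug class described above (a login path that issues a session when the password is empty or null) beside a hardened version; it is constructed for this article and is not Kaseya's code, and the user store, hashing scheme and iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: PBKDF2-SHA256 with a fixed salt and a low
# iteration count so the demo runs quickly (a real deployment would use a
# per-user random salt and a far higher count).
_SALT = b"constructed-demo-salt"
_ITERATIONS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"admin": _hash("correct horse battery staple")}


def login_vulnerable(username, password):
    """Hypothetical bypass: an empty or None password is never verified.

    `if password and ...` treats "" and None as "nothing to check", so the
    function falls through and issues a session cookie without any proof of
    identity. Returns a session token on success, None on failure.
    """
    stored = USERS.get(username)
    if stored is None:
        return None
    # BUG: the verification only runs when a non-empty password was supplied.
    if password and not hmac.compare_digest(_hash(password), stored):
        return None
    return secrets.token_hex(16)


def login_fixed(username, password):
    """Hardened version: reject missing credentials before doing anything.

    Every request with a password pays the same hashing cost whether or not
    the user exists, and the comparison is constant-time.
    """
    if not username or not isinstance(password, str) or not password:
        return None
    stored = USERS.get(username)
    candidate = _hash(password)  # always computed, so timing is uniform
    if stored is None or not hmac.compare_digest(candidate, stored):
        return None
    return secrets.token_hex(16)
```

A detection rule that alerts on any session issued to a request carrying an empty credential would have surfaced the vulnerable path even before the code was fixed.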
The fundamental principle behind zero trust is that any entity trying to connect to an enterprise resource should be validated for compliance against a set of predetermined attributes before it can connect and stay connected to that resource. In effect, its premise is to consider anybody and anything operating inside or outside the enterprise network as hostile.
To read the complete article, visit Dark Reading.