Backups Save the Day for Most Kaseya VSA Breach Victims

A story in BleepingComputer states that victims of the REvil ransomware attack on Kaseya VSA are refusing to pay the ransom. The reasons: Backups!

A common tactic for most ransomware criminals is to not just encrypt data, but also delete the backups and steal data.  This time, the criminals didn’t do that.  “In the Kaseya attack, they opted to try and impact EVERY Kaseya client by targeting the software vs direct ingress to an MSP’s network. By going for such a broad impact they appear to have sacrificed the step of encrypting / wiping backups at the MSP control level,” said Bill Siegel, CEO of ransomware negotiation firm Coveware. It seems that most of the victims and MSPs affect that had backups will be able to restore their networks without having to pay.

While there is obviously the downtime that comes from investigating the attack and waiting for a patch before restoring, it took 10 days for Kaseya to release the VSA On-premise patch, this is good news for those who had data backups.  When dealing with ransomware, here are 5 steps that can help you avoid a payout:

  1. Isolate and shutdown critical systems

This is the first thing you need to do, to ensure the ransomware infection doesn’t continue to spread throughout your network.  Shut down all mission-critical systems, and ensure to isolate the infected ones from the still “healthy systems” to contain the spread. The better you contain the spread of the infection, the easier it will be to recover from ransomware.

  1. Enact your business continuity plan

You do have a business continuity plan, right?  A business continuity plan and its disaster recovery component are essential to maintaining business operations. The business continuity is the playbook that helps all departments in your organization what their role is in ensuring the business operates during a disaster. During a disaster like a cyber attack, the continuity plan will address how to operate while systems are offline and being recovered.  The disaster recovery component details how the critical data and systems will be restored and brought back online. In addition, some companies have a separate breach readiness or incident response plan. This is a key component of the recovery process as it will help speed up the recovery time. 

  1. Report the cyber attack

Many companies opt to pay a ransom simply to keep the breach out of the news.  Nobody wants the bad press associated with a ransomware attack, but reporting the breach to customers, stakeholders, and law enforcement is essential. Failing to notify customers and stakeholders can lead to a lack of trust.  In many jurisdictions, it is now mandatory for organizations to report a breach within a certain period of time, otherwise hefty fines will be incurred.  GDPR and PIPEDA are just some of the regulations out there that require breaches, to be reported. 

  1. Remediate, patch, and monitor

This step is very important and cannot be skipped.  Businesses need to ensure that they have remediated the infection completely to ensure the ransomware infection still isn’t lurking on their systems.  All systems need to be patched for vulnerabilities and constantly monitored for any suspicious activity that could indicate a threat actor is still lurking on your systems waiting to strike again. Unlike lighting, ransomware can strike twice, especially is this step isn’t followed.

  1. Restore from backups

Now that you have removed the ransomware infection, you can begin the process of restoring your systems from backups.  Always ensure the backups haven’t been infected and are not corrupted prior to restoring. 

If you are struggling with a cyber attack, and don’t know where to start, these tips will help provide you with a direction.  You don’t have to do this alone either. Uzado can help you with the recovery process from a cyber attack.