News has spread that Kaseya, which suffered a ransomware attack, received a universal decryption key from a trusted third party. Relevant authorities have confirmed that no ransom was paid. But does that mean that all is well? Why isn’t the cybersecurity industry celebrating the victory over this massive ransomware attack, especially since the attack was touted as one of the most innovative, with widespread impact?
There is no denying the fact that the encrypted files are being decrypted without a payoff. Still, there was collateral damage. Investigations by the dark web forensics experts at Alliant Cybersecurity have found that some, if not all, of Kaseya VSA end customers are caught in the crossfire: their stolen data is now on the dark web for purchase.
So, it seems the attackers have got away with some loot. Saudi Aramco faced a similar plight following their recent attack, and that data is likewise available for purchase on the dark web.
For many years, ransomware attacks didn’t typically steal the encrypted data or make it public. The focus was on holding the data hostage. In recent attacks, cybercriminals copy the files before encrypting them and then threaten to release the sensitive information if they don’t get paid. And paying up never comes with a guarantee, as hackers often resell the data on the dark web even after getting paid, to make that extra buck.
Why Should Businesses Worry about Data on the Dark Web?
Kaseya’s client data contains valuable insights, which makes it easy to sell on the dark web. The data may also contain organization-specific and sensitive information that could put those organizations in a compromising situation. In many countries, these companies might at least be vicariously liable for GDPR non-compliance.
Who buys this data:
- Cybercriminals: Planning their next attack, targeting your organization.
- Fraudsters: Looking to take over an identity to commit a social engineering scam, or to use credit card information to perform fraudulent transactions.
- Competitors: Trying to steal customers/ideas or damage your company’s reputation.
As Always, Prevention is Better than Cure
Cybersecurity Ventures predicted that a ransomware attack would occur every 11 seconds in 2021. We don’t hear of many of these attacks because most victims (about 70%) pay the attackers and get the data back. Recently, several federal bodies also stated that more than a quarter of ransomware attacks go unreported.
Cyber insurance providers are raising the bar for minimum security requirements as well. Companies with a better cyber posture get better deals and policies; insurers now insist that organizations have stronger cyber defense, prevention, and detection mechanisms before offering better cover.
We have made the point that cybersecurity is a shared responsibility. Every player in your distribution chain should follow safe cyber practices and use tools to prevent, detect, mitigate, and contain a malware attack. Organizations with good and quick incident response plans and detection tools can react faster to contain the scope and spread of the attack.
Kaseya VSA ransomware and other supply chain attacks prove that one need not be a software product company to be a target. Even the smaller vendors, who are part of the supply chain, can either be attacked or used as a pawn.
As a reputed vendor, you do not want to be the cause of an attack on your customer and lose your reputation. The time has come to question vendors about their incident response plans and other security measures limiting the risk.
What Can You Do about Data on the Dark Web?
Every organization should have specialist vendors who offer the combination of people, processes, and tools necessary to perform network and endpoint threat monitoring and detection. Some of these include:
- Specialist MSSPs (Managed Security Service Providers).
- SOC as a Service (SOCaaS).
- Security Information and Event Management (SIEM) as a Service.
- Endpoint Detection and Response (EDR), Managed Detection and Response (MDR), and User Behavior Analysis (UBA) management and administration services.
- Co-managed SIEM/SOC services.
MDR and UBA Tools
MDR and EDR tools keep a close watch on a set of parameters defined by the service provider, called IoCs (Indicators of Compromise). Automated tools continuously monitor these indicators to check the health of the cyber infrastructure, and raise a red flag when they see any irregularity in them.
Take the example of a ransomware attack. Once the malware enters the system, it takes time to identify the system, the network, backup files, and other parameters, and to communicate this back to the attacker’s host. That communication can be monitored using MDR tools to raise a red flag and limit the spread of the malware. Similarly, just before the encryption routine is launched, the malware copies and sends terabytes (TBs) of data back to the attacker, who keeps it as leverage. A UBA (User Behavior Analysis) tool monitors for this anomaly and can flag it so that steps can be taken to stop the attack before it unfolds.
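The two behaviors described above, periodic call-backs to an attacker’s host and a sudden surge in outbound data, lend themselves to simple statistical detections. The following is an added example, not code from the original article or from any vendor tool: it runs two such checks over a handful of constructed outbound flow records (hostnames, IP addresses, and the per-host baselines are all made up for illustration).

```python
# Added example (not from the original article): two simple detections an
# MDR/UBA pipeline might run over outbound network flow records to catch the
# behaviour described above: beaconing to a command-and-control host and bulk
# data exfiltration. All flow records, hosts, IPs and baselines are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, source_host, destination_ip, bytes_out)
FLOWS = [
    # ws-017 calls the same external host every ~60 s with a tiny payload
    (1000, "ws-017", "203.0.113.9", 412), (1061, "ws-017", "203.0.113.9", 398),
    (1120, "ws-017", "203.0.113.9", 420), (1180, "ws-017", "203.0.113.9", 405),
    (1241, "ws-017", "203.0.113.9", 411),
    # ws-022 browses normally: irregular timing, modest volume
    (1005, "ws-022", "198.51.100.20", 2_100), (1130, "ws-022", "198.51.100.21", 5_400),
    (1500, "ws-022", "198.51.100.20", 3_000),
    # fs-01 normally sends a few GB a day; here it pushes 40 GB out in one go
    (1300, "fs-01", "203.0.113.9", 40_000_000_000),
]
# Per-host daily outbound baseline in bytes, as a UBA tool would learn it over weeks
BASELINE = {"ws-017": 50_000_000, "ws-022": 200_000_000, "fs-01": 5_000_000_000}


def detect_beacons(flows, min_hits=4, max_jitter_ratio=0.05):
    """Return (host, dst, interval_s) for pairs whose connection spacing is near-constant."""
    times = defaultdict(list)
    for ts, host, dst, _ in flows:
        times[(host, dst)].append(ts)
    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        # Coefficient of variation of the gaps: human traffic is bursty,
        # an implant's check-in timer is regular even with a little jitter.
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits.append((*key, round(avg)))
    return hits


def detect_exfiltration(flows, baseline, factor=3.0):
    """Return (host, bytes_out) for hosts sending more than `factor` x their baseline."""
    total = defaultdict(int)
    for _, host, _, nbytes in flows:
        total[host] += nbytes
    return [(h, b) for h, b in total.items() if b > factor * baseline.get(h, 0)]
```

Real deployments learn the baseline per host and per time of day rather than using a fixed table, and tune the jitter and volume thresholds to keep false positives from backup jobs and software updates manageable.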
Get the Alliant Cybersecurity Advantage
Several MSP tools available in the market offer, or are being upgraded to offer, good defense, detection, and response mechanisms. But it takes an expert and knowledgeable team to operate these tools to meet an organization’s unique requirements. Experience matters not only in understanding these flags or indicators and responding in time, but also in striking the right balance between usability and strong defenses.
The Alliant Cybersecurity team specializes in offering such professional consultation, especially for small and mid-sized businesses. Get the Alliant Advantage now.