IT pros warn that the full extent of the damage caused by the latest major ransomware attack is yet to emerge.
US-based Kaseya, which provides IT management software for managed service providers and small and medium-sized businesses, had its VSA software infiltrated with ransomware over the weekend.
Hundreds of organizations around the world are affected, with at least 11 schools in New Zealand also involved.
In a statement, a spokesman for the education ministry said it was working to see if other education providers were affected.
“We recommend any school that thinks they may have installed Kaseya VSA software first to contact their IT provider and take the recommended actions as recommended by CERT NZ.”
St. Peter’s School in Cambridge said yesterday that it was one of those exposed, but it has since stabilized its system and is working on restoring data.
“As a result, all school systems are inactive and will remain so for at least the next 48 hours,” said the school in a Facebook post.
Cybersecurity watchdog CERT NZ asked all users of the software to shut it down for the time being.
Datacom, one of New Zealand’s largest IT service companies, announced yesterday that it had shut down its servers using Kaseya software following the attack.
A company spokesman said it had taken the software out of service before yesterday’s attack.
Paul Brislen, strategic communications manager, told Morning Report that Kaseya helped automate patches and updates that security and IT companies send out.
“One of their servers was compromised and spread this ransomware attack to the entire customer base. When people wake up and turn on their computers and they seem to get an email from Kaseya, they click the link and there we are, infected again.”
He said there are a limited number of their servers using this software.
Those affected have their information encrypted and are usually asked for money to get it back. However, CERT NZ strongly advises against paying as the perpetrators often ask for more money or blackmail people with the information they receive.
Brislen said the attack was similar to the recent one at the Waikato District Health Department.
“Your files are locked, they can be copied so they can blackmail you later and say, ‘Well, you still haven’t paid, we’re going to start putting the information out in the public space’.
“It’s a money-making trick that seems to have taken over the cybersecurity world.
“Of course, if you want to restore servers quickly, the secret here is that you need to have a robust backup program so you can just flip it and turn it on instead of worrying about the things that are locked down.”
US authorities suspect that the Russia-based cybercriminal gang REvil could be behind the attack. Brislen said that might be the case.
“They could very well be from Russia. The only evidence where this gang comes from is that they use Russian to communicate with each other and with authorities.”
“It’s a very difficult attack to defend” – IT security advisor
Brislen, CERT NZ, and IT security advisor Daniel Ayers say it is too early to tell how far the impact of the attack will reach, considering that most companies would not have been working over the weekend and the timing of the 4th of July celebrations.
Ayers told Morning Report that international cybersecurity company Eset has discovered instances of the ransomware in New Zealand and that some of them will be the schools affected, but it was not yet known whether that was all.
“The latest information I’ve seen is estimates of 30 affected IT vendors worldwide and more than 1000 of their customers encrypted.”
CERT NZ Incident Response Manager Nadia Yousef said, “It started unfolding late Friday night and I suspect that if more organizations go to work this morning and turn on their machines to find out if things are okay, then there is a chance that we can see more impact.
“It’s been a big year for ransomware, and what we’ve seen is that there are so many different ways that attackers can break into and track down people’s systems.”
Yousef told Morning Report they encouraged organizations to move forward in implementing prevention steps and also to have a plan of what to do if at some point they are affected.
“It’s not always easy, and there is no panacea, but having good long and strong unique passwords for all of your accounts and using multi-factor authentication and updating your application with new software.”
Datacom spokesman Paul Brislen said ransomware attacks were becoming more common and that viruses or hacking methods were “easy changes” for attackers.
“Because of the speed and sophistication of these attacks, they become more and more destructive over time.”
IT security advisor Daniel Ayers told Morning Report that a supply chain attack is usually aimed at someone further up the supply chain whom others have trusted.
“When companies are hit by ransomware, it generally indicates poor security in the organization.
“That is different. Here the organizations concerned have used IT management software, which is good practice – the bad security does not lie with the IT companies that run their IT, but rather higher up in the supply chain at the end of the creator of the software.
“So it’s a very difficult attack to defend against.”
He said this was “a very serious incident for Kaseya”.
“In my opinion, it has the potential to potentially destroy the company.
“It’s like a thousand Waikato DHBs again.”
He advised companies to use many different layers of protection so that the effects of a ransomware attack could at least be mitigated if it couldn’t be stopped.