The Difference Between an Attempted Attack and a Widespread Ransomware Attack: Employee Reporting


This year’s Kaseya attack, in which threat actors leveraged a zero-day vulnerability over the July 4th holiday weekend, demonstrates that ransomware is here to stay. Further, the reported $70 million ransom demand to end the attack shows us how lucrative ransomware remains for threat actors around the globe.

Author: Tonia Dudley, Strategic Advisor, Cofense
Author: Tonia Dudley, Strategic Advisor, Cofense

According to the company’s incident update, their R&D team was actively working on a patch for this reported vulnerability. We now know it had already been compromised, but they quickly initiated their incident response process quickly and made information available at a regular cadence to their customers and the public.

What stands out most about this particular attack is how far-reaching the impact was. Threat actors targeting a common software used by so many MSSPs makes this a much deeper attack. And given that many of Kaseya’s customers are reported to be small and medium-sized businesses, which are more likely to leverage MSSPs for security resources and protection they do not have as an SMB, this attack is particularly concerning.

While in this case the attack was propagated via a software vulnerability, the sweeping majority of ransomware cases begin with a malicious email bearing malware. Cofense has seen numerous such malware attacks in our Phishing Defense Center in the last couple of years; the most prevalent of which (recently) have been those bearing BazarBackdoor which led to Ryuk ransomware.

Conditioning employees to be aware of this threat, to be resilient, and to report any suspected phishing emails to their Security Operations teams is key. It will mean the difference between an organization experiencing an infection or two at worst, and a widespread ransomware attack.

Any cyberattack should be a wake-up call, but this particular event was directly targeting MSSPs, making it critical for MSSPs to examine their security controls and fully understand the risk they have and where they need to incorporate additional mitigating controls.

With 17 countries included in this recent attack, we need to think about what it means when cybercrime intersects with the physical borders of countries. Maybe it’s time to consider agreements between countries on how to handle the harboring of cybercriminals. We’ve seen coordinated take downs and arrests across borders – for example with TrickBot and EMOTET – and the approach should be the same with ransomware attacks.

The full incident response is still in play on this event. Post-incident follow up will allow organizations, as well as this software vendor, to fully understand how to enhance mitigating controls to monitor for an incident such as this attack.

Until then, any organization seeking phishing detection and response (PDR) capabilities should contact our team to learn more about Cofense Protect MSP, designed specifically for MSPs. Delivering instant phishing threat detection with Computer Vision technology paired with Cofense’s best in class training and simulation – helps your clients be more resilient to attack. Book a demo to see how you can provide advanced phishing protection to keep your clients safe from today’s most sophisticated phishing attacks.

Author Tonia Dudley is Strategic Advisor at Cofense. Read more Cofense guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.