It was no coincidence that the criminals struck on Friday evening, just as their victims in the US were logging off and preparing to celebrate Independence Day weekend.
Everything about the attack on Miami-based Kaseya was designed to provide the criminals with the maximum return on investment, including the timing – on the eve of a national holiday – which would muffle the ability for responders to contain the attack’s impact.
More significantly, the attack was targeted at a software company which the attackers could use to gain access to the networks of even more victims, a so-called “supply chain” attack.
Kaseya provides a remote maintenance tool for managed service providers, and in compromising the on-premise installations of this tool, the attackers were able to encrypt the networks of 50-70 companies. Sky News understands this includes a very limited number in the UK.
Over the coming days, as these companies navigate the problems posed by the ransomware, they’ll be confronted by the efficiency of the organised, criminal business model driving these attacks will become apparent. Here’s how it works:
Multi-faceted extortion
In truth, these attacks are more than just ransomware, which describes a type of malware that attackers can deploy on a victim’s computer network to encrypt files. The attackers then extort the victim to pay huge sums of money, often in Bitcoin and sometimes worth millions of pounds, to have their files decrypted.
The criminals involved have developed a multi-faceted extortion model which involves stealing sensitive files and threatening to release them online if the victim recovers their files from unencrypted backups or refuses to pay.
If published, these files, which can relate to sensitive business deals or may include customer information, could damage the victim company’s reputation, impact their share price, or potentially even lead to a class-action lawsuit, all potential impacts stressed by the criminals as part of their extortion scheme.
The top of the pyramid
There is believed to be less than a dozen organised criminal groups driving this industry, each operating their own so-called Ransomware-as-a-Service platforms alongside their own websites for publishing victims’ files.
Mike McLellan, a threat intelligence expert at Secureworks, told Sky News that his firm was tracking more than 10 groups at the moment.
Those running these organised crime groups are rarely involved in the actual hacking themselves. Instead, they utilise an affiliate structure in which hackers can use their software for a percentage of the extortion proceeds.
Mr McLellan said that the groups appeared to have an Eastern European and Russian nexus, with affiliates instructed not to target victims within former Soviet countries.
An efficient business model has developed among these groups, which effectively outsource different aspects of the extortion scheme, from teams managing software development, customer engagement, and negotiations with victims, to the hackers themselves.
Those controlling the organisations even limit the number of targets their affiliates can actively extort at any one time to ensure that there isn’t too much of a workload to handle.
Affiliates
The organised crime groups are not simply responsible for developing this software, but also for recruiting and screening potential affiliates, trying to spot security researchers and Western law enforcement officers attempting to infiltrate them.
These affiliates often specialise in different aspects of the extortion. Some will be good at compromising targets through phishing, others at scanning, and they can often earn between 60% and 70% of the total money extorted from the victims.
As the ransomware-as-a-service industry is growing evermore lucrative, more traditionally resource-expensive forms of hacking, such as vulnerability discovery and exploit development, are becoming more common.
Kaseya’s on-premise maintenance tool is believed to have contained such a vulnerability which the attackers were able to exploit. The company is working to patch this tool and bring all of its systems back online.
Initial access brokers
At the bottom or edges of the criminal underground are the hackers who function as initial access brokers. These individuals, once they have compromised a network, will then sell that access directly to a criminal group or on a forum.
The money earned through by brokering this access can be quite low compared to the millions brought in by the extortion itself, but it can potentially involve far less exposure and effort for the individual.