To Pay or Not to Pay? The Kaseya Malware Hack Revisited.


Hamlet Circa 2021

If Hamlet were an IT Manager or CTO in 2021, there’s a 37% chance that his company would have had a serious cyber incident, whether from ransomware or phishing. He would bemoan the fate of his network, the company’s business, and maybe its customer data. And of course, he’d be faced with a huge question: “to pay, or not to pay.”

According to the anti-virus company Kaspersky, more than half (56%) of ransomware victims paid the ransom to recover their data. But for 17% of the victims, paying the ransom did not guarantee the return of the stolen data. Kaspersky recommends that ransomware victims do not pay the ransom as this only encourages cybercriminals to continue their nefarious work.


Why Organizations Still Pay Ransom

Many ransomware victims or their insurance companies still pay the ransom despite the recommendations of cybersecurity companies and law enforcement. For the victims, paying the ransom is often the quickest—and cheapest—solution.

The May 2019 ransomware attack on the City of Baltimore, Maryland, is a case in point. At the advice of the FBI, the city did not pay the 13 Bitcoin ransom (about $100,000). However, the non-payment cost the city nearly $18 million in cleanup costs and lost revenues—or almost 180 times more.

But as the size of the ransoms grows, the cost parity is disappearing. As a result, cyber insurance coverage for ransom payments may be ending. AXA, one of Europe’s biggest insurers, announced that it would no longer cover ransom payments in its cyber insurance policies, at the request of French justice and cybersecurity officials.


Decrypting the Mystery at Kaseya

While the supply chain ransomware attack on Kaseya and the $70 million ransom were a huge topic of discussion even outside of IT circles, some recent news about the attack has received surprisingly little attention to date.

On July 22, 2021, Kaseya announced it had obtained a REvil ransomware decryptor “from a third party.” The company reports that the decryption tool is “100% effective” at decrypting files that were encrypted during the attack. Some have speculated that the company paid the ransom directly or through a third party, but Kaseya has vociferously denied this: 

“While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment. As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”

So how did Kaseya get the decryptor? It’s possible that they received it from the US government, the Russian government, or someone in the REvil group who caved in to pressure from Putin. Or maybe one of Kaseya’s partners paid the ransom. It’s unlikely we’ll ever know. 

Phishing Strikes Close to Home

There are approximately three billion phishing emails each day. The odds are that you have recently received some or have some in your email spam folder right now. Fortunately, a good IT Manager will keep your office’s systems up to date. More importantly, you should know how to look for the signs of a phishing attempt, such as an unusual or misspelled email address. For example, in the email below, the sender was pinterest *at*  (Yes, that’s “support” with one “p” and two “r”s.)

This particular email is especially devious because it gives you links to reset your password or to enable two-factor authentication. In other words, doing the “right thing” is actually doing the wrong thing. Clicking on these links could install spyware or ransomware, or even lead to a hack of your company’s on-premises and cloud-based networking resources.
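The misspelled-sender check described above can be automated at the mail gateway. The sketch below is an added example, not taken from the email or any product mentioned here: it flags sender-address labels that are near-miss spellings of words a legitimate sender would use. The word list, the function names and both sample addresses (on the reserved `.example` domain) are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumed list of words a legitimate sender address is expected to contain;
# tune it to the brands and mailboxes your organization actually deals with.
EXPECTED_WORDS = ("support", "pinterest", "security", "account")

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Swapped neighbouring letters ("secuirty") count as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]

def lookalike_words(from_header: str, max_distance: int = 2):
    """Return (label, expected_word) pairs where a label of the sender
    address is close to, but not equal to, an expected word."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    hits = []
    for label in [local] + domain.split("."):
        for word in EXPECTED_WORDS:
            dist = edit_distance(label, word)
            if 0 < dist <= max_distance:  # exact matches are not lookalikes
                hits.append((label, word))
    return hits

# Constructed sample headers modelled on the misspelling described above.
SUSPECT = "Pinterest <pinterest@suporrt.example>"
LEGIT = "Pinterest <pinterest@support.example>"
```

Treat a hit as a signal for quarantine or review rather than proof: harmless variants such as a plural ("accounts") also fall within the distance threshold.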



The Need for a Unified Cybersecurity Approach

The wave of attacks against high tech companies, municipalities, fashion retailers, and more proves that all organizations need to adopt a unified cybersecurity and networking approach such as the Secure Access Service Edge (SASE). One of its core features is a Secure Web Gateway (SWG) with URL filtering that can block suspicious links and prevent employees from opening them. Another feature, Device Posture Check (DPC), enhances network security by ensuring that employees can only connect to network resources using devices that comply with a company’s security policies. This prevents malicious access and cyberattacks by automatically denying access to insecure or unknown devices at login. Even when valid credentials are presented, a device that lacks a specific hidden file can be identified as using stolen credentials and denied access to networking resources.