One of the world’s largest ransomware attacks is currently ongoing, with thousands of organisations thought likely to have been impacted. In New Zealand, the Ministry of Education indicated at least 11 schools have had their systems compromised, including St Peter’s School in Cambridge.

Due to the scale and severity of the attack, US President Joe Biden has already ordered an immediate investigation. Initial indications point squarely at Russian ransomware gang REvil as the culprits. The same group has been implicated in many other cyber incidents, including the attack on meatpacking firm JBS, which is reported to have paid a US$11m ransom.

It has been documented that the attackers have been requesting ransoms starting at over NZ$60,000, which must be paid in cryptocurrency. Such a payment

Attack Vector

The cyber attack started on Friday in the United States, just as the country was heading into a holiday weekend. It appears numerous IT providers globally running Kaseya VSA software had their systems compromised by cyber criminals. Once the cyber criminals had control of an IT provider’s Kaseya systems, they used this software to spread ransomware to their clients’ computers. Once in place on client systems, the malware began encrypting data and then started requesting ransom payments.

What to do if your organisation uses Kaseya VSA software

Kaseya advise shutting down your Kaseya VSA servers immediately until they provide more details. If your organisation has been compromised then all computers should be shut down.

Learnings

As founder at Gorilla Technology and Gorilla Cyber Security I spend a lot of time thinking about and researching cyber security. It’s important to recognise that any organisation can be hit at any time. Many people try to ignore the cyber risks and have their own reasoning why their company won’t be targeted, such as the small size of their firm. Unfortunately, however, even an individual working from home may be hit by a cyber security incident – many of which are effectively random and indiscriminate.

With this attack falling hot on the heels of the SolarWinds hack, all Managed Services Providers will be considering how they can ensure the remote management and monitoring tools they use are not utilised in a manner similar to these two attacks.

Here are some of my immediate cyber security tips for New Zealand organisations:

  • Ensure your backups are running reliably, that you regularly carry out disaster recovery drills and that you have a current incident response plan
  • Before purchasing and installing new software for your organisation, ensure it is evaluated from a cyber security risk perspective
  • Step up your overall cyber security immediately – if you weren’t hit this weekend, the chances are that you will be on another occasion. Things to do include:
    • Ensure multi-factor authentication is in place and enforced across all systems
    • Patch and update software on an ongoing basis – and at least monthly
    • Use a password management tool to help ensure all your passwords are unique
    • Limit access to each area of your data only to those who really need it
    • Do not just accept standard configurations of IT systems – ensure they are configured to minimise cyber risk
    • If unsure of how secure your organisation is, invest in a cyber security audit