Over the July long weekend, Canadian, American, and other international businesses were victims of a far-reaching ransomware attack. The REvil group, a ransomware syndicate also known as Sodin or Sodinokibi, are believed to be behind the attack. This gang’s most prominent and recent attack targeted Kaseya, an IT management software service that operates within a supply chain system. It is believed that REvil is demanding a ransom equal to the Bitcoin equivalent of $70 million dollars to decrypt all the affected systems. This recent international cyberattack on Kaseya customers highlights how vulnerable end-customer businesses such as retail chains can be to these attacks because a service providers’ data breach trickles down throughout the supply chain.

The Attack and Ransom Demands

Kaseya has indicated that it was infected only with respect to “on-premise” servers. Cloud-based services were apparently not affected. Kaseya’s customers, such as Swedish retail grocery chain CO-OP, were significantly impacted to the point where over 800 CO-OP stores had to be temporarily closed. This was due to the fact that the retailer’s cash register software supplier was taken offline. These are examples of the downstream impact of cybersecurity incidents in the supply chain.

According to Kaseya’s public statements, approximately 50 of their clients were affected by the attack. The majority of Kaseya’s affected clients were managed service providers (MSPs) who provide IT services to their own customers. It appears that at least 1,500 organizations were victims of ransomware being deployed on their systems via a zero-day vulnerability in Kaseya’s system that was identified approximately 3 months before the attack occurred. Since 2015, a billing and customer support site had an untreated vulnerability, and Kaseya is currently analysing the 2015 vulnerability’s breach implications.

It is interesting to note, however, that some victims are apparently refusing to pay the ransom due to a lack of leverage the attackers were able to establish. Apparently, as devastating as the attacks are, data loss, access, and theft may have been less pervasive than in other and commonly seen “two-pronged attack” strategies of data encryption plus data exfiltration.

How can businesses protect themselves?

There are a number of precautions organizations can take. These include contractual safeguards, technical safeguards, as well as vendor due diligence. Businesses must also understand their contractual and legal obligations after a breach has impacted their data or operations.

At every stage of the supply chain, appropriate contractual provisions must require prompt notifications to customers of data security incidents. Businesses should also consider using cyber insurance as a risk management tool. Type of coverage and quantum should be tailored and considered carefully.

Having well-established and well-rehearsed incident response plans should be part of every organization’s playbook, as should appropriate backups and business continuity plans. Organizations may wish to include consideration of how to handle ransom demands and what the starting position is on making these payments to criminals (knowing that some incidents can be successfully remediated with less effort than others).

Another way to minimize risks is conducting due diligence when deciding which IT service providers to entrust with an organization’s data and operations. This includes looking deeper into the supply chain and knowing which sub-contractors or sub-processors are being used. Continuous monitoring and auditing are a key part of vendor supply chain management. Technologies and attack vectors change and so do organizations and their risk profiles.

An organization’s own network must be secure as well. Here, the technical interfaces with suppliers should be heavily scrutinized and assessed.

Lastly, businesses have legal and contractual responsibilities. Under the federal Personal Information Protection and Electronic Documents Act, for example, the organization “in control” must report to individuals or the federal regulator whenever an incident results in a personal data breach that carries a “real risk of significant harm.” This is often times the case in dual-extortion scenarios, but is certainly not always the case. There may also be contractual or reputational requirements to notify end-customers or other stakeholders, both internal and external, irrespective of whether personal information was accessed or taken.

Organizations potentially impacted by the Kaseya or similar supply chain breaches would be well-advised to understand all known and potential future impacts on their organizations in such cases and consider any resulting obligations as well as future remediation.

If you have any questions regarding your company’s existing cybersecurity policies or would like to develop solutions for mitigating and responding to cyber threats, including ransomware, please feel free to reach out to any member of Miller Thomson’s Cybersecurity team for specific advice.