billgates: @sampler @Dynamic @networkn @nztim @michaelmurfy can you please make contact on below email address as there is an MSP that is looking for help. Thanks!
Yup, did the same. Offered support from both our NZ and AU side of the company... They are interested in "boots on the ground" in VIC AU... let's see if they take the offer up.
nztim: So awesome to see all the MSPs helping each other out putting aside the fact we are competitors
You! Me! ... outside! .. now!
lol ...
Radio NZ - $100m ransom demand after companies hit by global cyber attack
breaking
The hackers alleged to be behind a mass ransomware attack that affected hundreds of companies worldwide are demanding $US70 million ($NZ100m) to liberate the data.
The demand was posted by REvil cybercrime gang on their blog.
Allan Liska, with cybersecurity firm Recorded Future, said the message appeared to be authentic and that the blog had been in use by that group since last year. ...
Liska said he believed the hackers had bitten off more than they could chew by scrambling the data of hundreds of companies at a time and that the $US70m demand was an effort to make the best of an awkward situation.
"For all of their big talk on their blog, I think this got way out of hand," he said.
- Reuters / RNZ
EDIT: This report does not clarify who is supposed to pay the ransom - presumably Kaseya.
Sideface
Call me daft in this field. But what exactly will come of throwing lots of manpower offers out?
Is that to assist in isolating the services and getting a usable base service back up fresh ASAP (and worry about the lost stuff later)? Or has someone already worked out how to undo it, albeit time-consuming manual work that bods help with?
There's a cheaper than $5m example here
And the ransom note in each dir. With some shocking English.
https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html
Sideface: Radio NZ - $100m ransom demand after companies hit by global cyber attack ... EDIT: This report does not clarify who is supposed to pay the ransom - presumably Kaseya.
$70 million seems cheap if it's proven that the hackers will work to provide all the master keys etc so Kaseya can create a tool to easily decrypt all clients.
The damage to their image is going to be massive and coming up with a solution that's quick for their customers might help them retain their customers.
There is of course the whole "don't pay the ransom" argument, but it seems no matter how hard that is shouted, hackers keep writing these tools and finding ways to encrypt data.
It's all very well to say "Backup" and that's your core data and that's fine - with these ones that worm the network and kill workstations left, right and centre there is all the cost of rebuilding workstations, the issues for users who can't cope with the subtle changes after a reinstall, and all the little bits of lost data where someone had a work in progress saved to their PC or a plugged-in USB drive etc.
It just seems to me Kaseya must have some sort of public liability insurance and, assuming they can demonstrate to the insurer that they had done enough to attempt to stop this, then surely the insurance can pay the money, assuming there is a completely positive outcome in terms of ease of decryption of ALL customer data?
Mobius Network Solutions
mobiusnz: $70 million seems cheap if it's proven that the hackers will work to provide all the master keys etc so Kaseya can create a tool to easily decrypt all clients. ... It just seems to me Kaseya must have some sort of public liability insurance ...
I saw somewhere that this may not be covered by Kaseya's insurance as it's potentially excluded by their contracts under the acts of war or terrorism clauses. I am unsure how true that is. I'd imagine even if they can wiggle out of it, the damage to their reputation would be massive.
In case anyone here is interested, and it's in a way, related:
https://www.gavsto.com/how-secure-is-your-rmm-and-what-can-you-do-to-better-secure-it/
Going through this checklist should be every IT company's top priority right now, I think.
We have made the decision to remove RMM agents from our own infrastructure. Thankfully, in some ways, we are small enough that managing ours manually, or ultimately perhaps with a different tool to the one we manage our clients with, is practical. Our thinking behind this decision is that if the worst happens, we should hopefully have our systems up to assist our clients instead of having to rebuild our own before that.
networkn:
Going through this checklist should be every IT company's top priority right now, I think.
"Area 1 – Keep your solutions updated"
Well, that's what brought in the malware in the first place...
🙄
freitasm: ... "Area 1 – Keep your solutions updated" Well, that's what brought in the malware in the first place... 🙄
I know, but at the end of the day, you can't protect every surface 100% and in far more cases, it will be the solution, rather than the problem.
In my opinion, if you don't stay updated you WILL be compromised, if you do, you MIGHT.
freitasm: ... "Area 1 – Keep your solutions updated" Well, that's what brought in the malware in the first place... 🙄
That was my thought - don't update until it's been in market for a while. Even then, though, a hacker could seed a backdoor / command and control but leave it dormant for a period and then hit the go button once it's out there en masse.
I use ConnectWise Control, currently hosted on my own server. I have very limited logins to it - 2FA enabled (even on my fingerprint-locked phone I force myself to not add it as a trusted device) and I'm paranoid about the fact that if someone compromises my Control server they then have access to a lot of client PCs. I'm more comfortable with it hosted on my system and the clients connecting back to me rather than being a cloud system I have no control over. There is still the chance that they introduce a bug with a backdoor to allow hackers to get in around 2FA etc, but secondly I guess I have the partial "safety" that I'm not likely to be a direct target due to my size. But there is still always the chance that if a backdoor is found it can be scripted to search and infect automatically, looking for any installs, much like was done with the Exchange server compromises recently.
I do think Geo-blocking is a very valuable tool in this day and age.
Mobius Network Solutions
Anyone with Netflix knows how to get around geo-blocking.
I think we are rapidly approaching the point where cutting the fibre to Russia is the most feasible solution. At the least it will prompt the local authorities to stop protecting (encouraging?) these guys.
Air-gapping your network from the threat is an excellent layer of protection
tripper1000: Anyone with Netflix knows how to get around geo-blocking. ... Air-gapping your network from the threat is an excellent layer of protection
I'm down with the cause
#airgaprussia
Mobius Network Solutions
mobiusnz: ... I do think Geo-blocking is a very valuable tool in this day and age.
And egress filtering
tripper1000: Anyone with Netflix knows how to get around geo-blocking. ...
Maybe at home, yes. In a corporate environment? Not so easy. Or do you use management agents like Kaseya at home?
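To make the egress-filtering and geo-blocking points in this exchange concrete, here is an added example written for this page; it is not code from any poster, from Geekzone, or from Kaseya/ConnectWise. It assumes a hypothetical policy: hosts carrying a management agent (a constructed 10.1.1.0/24 LAN) may only talk outbound to a self-hosted RMM server and a short allow-list, and the RMM server's management port only accepts inbound connections from sources that geolocate to NZ or AU. The firewall log lines, the addresses (all documentation ranges) and the GeoIP table are constructed; a real deployment would take the country from a GeoIP database or the firewall's own country objects.

```python
"""Policy check for RMM egress allow-listing and inbound geo-restriction over
constructed firewall log lines. Added example: every address, port and policy
value below is an assumption, not taken from any real firewall or vendor."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- assumed policy ----------------------------------------------------------
AGENT_HOSTS = ipaddress.ip_network("10.1.1.0/24")        # constructed LAN with RMM agents
RMM_SERVER = ipaddress.ip_address("192.0.2.10")          # constructed self-hosted RMM server
EGRESS_ALLOW = [                                          # (destination, ports, label)
    (ipaddress.ip_network("192.0.2.10/32"), {443}, "rmm-server"),
    (ipaddress.ip_network("198.51.100.0/24"), {80, 443}, "vendor-updates"),
    (ipaddress.ip_network("10.0.0.53/32"), {53}, "internal-dns"),
]
INGRESS_PORTS = {443}                                     # only port exposed on the RMM server
ALLOWED_COUNTRIES = {"NZ", "AU"}                          # geo allow-list for that port
GEO_TABLE = {                                             # constructed stand-in for GeoIP
    ipaddress.ip_network("203.0.113.0/25"): "NZ",
    ipaddress.ip_network("203.0.113.128/25"): "ZZ",       # "ZZ" = anywhere else
}

# --- constructed sample log (syslog-like; not from any real device) ----------
SAMPLE_LOG = """\
2021-07-03T10:15:02Z fw OUT src=10.1.1.20 dst=192.0.2.10 proto=tcp dport=443
2021-07-03T10:15:07Z fw OUT src=10.1.1.20 dst=198.51.100.40 proto=tcp dport=443
2021-07-03T10:15:11Z fw OUT src=10.1.1.20 dst=203.0.113.77 proto=tcp dport=8443
2021-07-03T10:15:12Z fw OUT src=10.1.1.21 dst=203.0.113.200 proto=tcp dport=443
2021-07-03T10:16:30Z fw IN src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=443
2021-07-03T10:16:31Z fw IN src=203.0.113.200 dst=192.0.2.10 proto=tcp dport=443
2021-07-03T10:16:45Z fw IN src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22
"""


@dataclass(frozen=True)
class Event:
    direction: str                 # "IN" or "OUT"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


LINE_RE = re.compile(
    r"^\S+ \S+ (?P<dir>IN|OUT) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=\S+ dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["dir"], ipaddress.ip_address(m["src"]),
                 ipaddress.ip_address(m["dst"]), int(m["dport"]))


def country_of(ip) -> str:
    """Look the address up in the constructed geo table; '??' when unknown."""
    ip = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"   # unknown is treated as not allowed by check_ingress


def check_egress(ev: Event) -> Tuple[str, str]:
    """Default-deny outbound policy for agent hosts: allow-list or nothing."""
    if ev.src not in AGENT_HOSTS:
        return "allow", "source not subject to agent egress policy"
    for net, ports, label in EGRESS_ALLOW:
        if ev.dst in net and ev.dport in ports:
            return "allow", label
    return "deny", f"egress to {ev.dst}:{ev.dport} not on allow-list"


def check_ingress(ev: Event) -> Tuple[str, str]:
    """Inbound policy for the RMM server: exposed port plus country allow-list."""
    if ev.dst != RMM_SERVER:
        return "allow", "destination not the RMM server"
    if ev.dport not in INGRESS_PORTS:
        return "deny", f"port {ev.dport} not exposed on RMM server"
    cc = country_of(ev.src)
    if cc not in ALLOWED_COUNTRIES:
        return "deny", f"source {ev.src} geolocates to {cc}, outside geo allow-list"
    return "allow", f"geo {cc}"


def audit(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (line, verdict, reason) for every parseable line in the log."""
    results = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict, reason = check_egress(ev) if ev.direction == "OUT" else check_ingress(ev)
        results.append((line, verdict, reason))
    return results


def denied(log_text: str) -> List[str]:
    """Just the reasons for the connections the policy would have blocked."""
    return [reason for _, verdict, reason in audit(log_text) if verdict == "deny"]


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {reason:62} <- {line}")
```

The design reflects the two replies it follows: the outbound side is a default-deny allow-list rather than a country block, because an agent host has no business reaching anything but its management server, updates and DNS, and that holds whatever country a destination resolves to; the country check is applied only on the inbound management port, where it is a coarse extra layer in front of the login and 2FA rather than the control itself.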