Kaseya ransomware attack highlights cyber vulnerabilities of small businesses

The recent ransomware attack on software group Kaseya hit small businesses especially hard, targeting companies that often have few resources to defend themselves and highlighting long-standing vulnerabilities.

The damage has been compounded by the pandemic, during which cyber threats against small businesses have multiplied while those companies have scrambled to stay afloat.

“When large businesses aren’t doing the basics it’s negligence,” Kiersten Todt, managing director of the Cyber Readiness Institute, told The Hill. 

“When small businesses aren’t doing the basics, it’s often because they don’t have the resources, or the knowledge, or the education,” Todt added. 

The concerns around small businesses have been laid bare in the past week following the attack on Kaseya, which impacted up to 1,500 businesses that rely on the services of Kaseya's customers.

The attack was attributed by cybersecurity experts to the Russian-linked group REvil. 

“Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants,” Kaseya said in a statement on the attack last week. 

The hacking group initially demanded the equivalent of $70 million in Bitcoin to provide the companies with a universal decryption tool for their networks, but later lowered this price to $50 million, with individual companies given the ability to negotiate for a much lower amount. 

Charles Carmakal, senior vice president at FireEye’s Mandiant consulting division, told The Hill that the hackers were likely “frustrated” with the attack, adding that it was “not financially successful” given the number of small businesses less vital to day-to-day national operations that were hit.

The attack came at the end of a brutal year for small businesses, many of which shut their physical doors during the pandemic for periods of time and moved business online. This made the companies, often understaffed and underprepared in terms of cybersecurity, a tempting target for hackers looking to make money by attacking vulnerable organizations. 

“Malicious actors certainly realized that with everyone being online, the opportunity to social engineer had increased exponentially, and so you saw across the board the compromises and vulnerabilities that were exposed,” Todt said. 

Spencer Ferguson, the CEO of Utah-based managed service provider Wasatch I.T., told The Hill that his company’s workload “doubled during the pandemic as we helped our customers shift to work from home environments.”

Ransomware attacks have been a particular concern for companies of all sizes over the past year, with hospitals, schools and government organizations attacked and forced either to pay the ransom or to spend long periods of time and even more money recovering.

While the federal government recommends not paying a ransom, many companies make the decision to do so because there is an increased financial risk if it is not paid. 

“You are really looking into some prolonged outages from business, and that’s when things can get very costly, or the cost is so significant that organizations might go out of business, so we are seeing a range of responses,” Vince Voci, the vice president of cyber policy at the U.S. Chamber of Commerce, told The Hill. 

The Biden administration has taken notice of threats to U.S. businesses in the wake of both the Kaseya ransomware attack and previous ransomware attacks in May on Colonial Pipeline and JBS USA.

White House press secretary Jen Psaki told reporters last week following the Kaseya attack that the incident “underscores the need for companies and government agencies, as well, to focus on improving cybersecurity.”

Congress has also taken notice of the need to shore up security for small businesses. 

Last month, Sens. Marco Rubio (R-Fla.), Chris Coons (D-Del.), John Kennedy (R-La.) and Raphael Warnock (D-Ga.) reintroduced legislation to help protect small businesses from cyberattacks, specifically by requiring credit bureaus to be more transparent with smaller organizations about data breaches. 

Rubio on Friday underscored his concerns around foreign hackers targeting small businesses. 

“No business is safe from hackers, especially hackers with the support of governments in Russia, China, Iran and elsewhere,” Rubio said in a statement provided to The Hill. “Small businesses are especially vulnerable. The Biden Administration needs to make clear to criminal organizations and those who harbor them that these attacks are unacceptable and will be met with consequences.”

Todt stressed the need for the federal government to work with the private sector to secure small businesses. 

“Government and industry have to work together to prioritize the cybersecurity of small businesses, and this is achieved through education, training, and the sharing of practical best practices and resources,” Todt said.

“The good news is this is attainable, we just have to make it a priority,” she said.