The Kaseya Ransomware Attack: Peeling Back the Onion of Extortion

The Kaseya ransomware attack is a case-in-point of the ongoing, multi-layered damage that can occur when a single software company or service provider network is breached. Yes, Kaseya has obtained a universal decryptor key that will allow the return of data and operations to affected customers, but that does not signal an end to the potential fallout.

Extortion Is the Name of the Game

Let’s assume that all or at least part of the $50-to-$70-million ransom was paid in order to facilitate decryption. That is the first step in what can be multiple layers of extortion. The second layer, or double extortion, would be the threat of publishing data stolen as part of the cyberattack. This data can be from Kaseya, an MSP customer of Kaseya, or even a customer of the MSP.

REvil, the ransomware gang that conducted the 2 July attack, is known for this double extortion tactic. For example, in April 2021, operators of the REvil ransomware family claimed to have breached Taiwan-based Quanta Computer, a supplier for Apple. The attackers timed their initial disclosure of what they described as Apple intellectual property, such as Macbook schematics, to coincide with an Apple product launch in order to maximize the potential business and reputational impact of the disclosure. Quanta confirmed that it had experienced an incident but provided few details beyond its refusal to pay ransom. The attackers then pivoted to seeking payment from Apple itself, threatening to disclose more Apple intellectual property (i.e., double extortion).

In the nearly two years REvil operated their ransomware blog, they attacked about 300 companies and published stolen data — samples and full archives — for the majority of these. But before you say, “well that was REvil, but they’ve since taken down their infrastructure,” I wouldn’t be so sure. They can certainly re-launch their website or simply launch a new website under a new alias, as we’ve recently seen with the new ransomware blog HARON. (HARON is suspected to be the reincarnation of Avaddon, a ransomware group that supposedly shut down their operation last month.)

Alternatively, REvil could make use of a third-party reseller via a “data leaks black market.” These markets are essentially based upon — among other vectors — collaborations between attackers and sellers. In this scenario, the attackers themselves (i.e., REvil) aren’t directly offering the data for sale and are therefore not jeopardizing themselves to being exposed or even putting time into the trade work.


Learn more about the threats ransomware and leak sites pose to your organization and its customers, as well as how you can stay ahead of ransomware’s evolution. Read the IntSights white paper “The Evolving Ransomware Threat: What Business Leaders Should Know About Data Leakage.”

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.