Cybercrime, Endpoint Security, Fraud Management & Cybercrime

The Ransomware Files, Bonus Ep. 1: REvil Is Foiled

A Dutch Company Recovered But Says Vendor Should Have Warned of Risks

If software has a dangerous and easy-to-exploit security vulnerability, should its maker tell customers to shut it down until it’s fixed?

It's a tough call, but one that Dutch company Hoppenbrouwers says the software vendor Kaseya should have undertaken last year to prevent a massive supply chain attack executed by the REvil ransomware gang (see: Kaseya Says Software Fully Patched After Ransomware Attack).

Hoppenbrouwers specializes in installing technical systems, such as climate control and video camera systems, in buildings. The company used Kaseya's Virtual Systems Administrator, which is remote monitoring and management software. REvil exploited zero-day vulnerabilities to plant a malicious software update in the VSA. Hoppenbrouwers was nearly completely infected.

Kaseya had known about the vulnerabilities for three months and had fixed some flaws but not all of the issues when REvil suddenly attacked.

Marcel de Boer is Hoppenbrouwers' financial director. He says Kaseya should have told its customers beforehand that the on-premises VSA software they were running was dangerously vulnerable. Hoppenbrouwers would have gladly shut down the VSA in advance to spare itself the stress of a ransomware attack, he says.

"We would have taken it down," de Boer says. "That is a problem with software. It is fixed before you know it. I think there is a lot happening that we don’t know. In this case, it was quite a big, big problem."

Despite the damage, Hoppenbrouwers was up and running in just a few days. Two months earlier, it had installed HPE's Nimble Storage, which helped restore upward of 150 servers in minutes. But de Boer says supply chain attacks are a risk to everyone.

"If you have a supplier who is critical to your company, and that supplier is hit by ransomware, then you also are in trouble," de Boer says.

"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I'm speaking with those who have navigated their way through a ransomware incident to learn how they fought back and what tips they can pass on to others. No ransomware infection is ever welcomed. But there's invaluable knowledge gained. There should be no shame in getting infected, and it's important to share the lessons.

If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.

If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at jkirk@ismg.io or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.

Credits

Speakers: Marcel de Boer, Financial Director, Hoppenbrouwers; Jeremy Kirk, Executive Editor, Information Security Media Group.

Production Coordinator: Rashmi Ramesh.

The Ransomware Files theme song by Chris Gilbert/© Ordinary Weirdos Records.

Music by Podcastmusic.com.



