Kaseya ransomware suspect nabbed in Poland, $6m seized from absent colleague

The name “Kaseya” has become one of the biggest words in ransomware infamy.

Cybercriminals penetrated the IT management business Kaseya earlier this year and used the company’s own remote management tools to wreak simultaneous ransomware havoc across its customer base.

Unfortunately for the many victims of the attack, Kaseya’s software required customers to designate a specific area on their hard disks as exempt from anti-malware scanning.

The reason, we’re guessing, is that someone decided that a staging directory for collecting and distributing software updates, where application files would be temporarily stored as data but not executed as programs, didn’t need to be protected as strongly as the rest of the computer.

After all, why scan the files over and over again while they’re merely being downloaded, shuffled, organised and packaged for delivery, instead of waiting to do a final scan only of those files that ultimately get used?

The problem with anti-malware “exclusion zones” of this sort, however, is that they become a perfect hiding place for well-informed crooks, because rogue code that’s secretly injected into the unprotected area can be launched without generating any of the usual alarms.
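One defensive consequence of the exclusion-zone problem is that any process launching from a scan-exempt directory deserves an alert of its own, since the scanner will never raise one. The script below is an added example and is not code from the article, from Sophos or from Kaseya: it takes a list of anti-malware exclusion directories and a handful of process-creation events (both constructed here, with a placeholder vendor path rather than any real product directory) and flags every executable that started from inside an excluded path. Paths are compared component by component, case-insensitively, so that an exclusion for `...\Staging` does not accidentally match a sibling such as `...\Staging2`.

```python
from pathlib import PureWindowsPath

# Constructed example: an anti-malware exclusion list of the kind the article
# describes (a vendor staging directory exempt from scanning). The path is a
# placeholder invented for this example, not any real product's directory.
EXCLUDED_DIRS = [
    r"C:\ProgramData\ExampleVendor\Staging",
]

# Constructed process-creation events in the shape of Sysmon Event ID 1
# fields (image = executable path, parent = parent process path).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"pid": 5300, "image": r"C:\ProgramData\ExampleVendor\Staging\agent.exe",
     "parent": r"C:\ProgramData\ExampleVendor\agentmon.exe"},
    {"pid": 5311, "image": r"c:\programdata\examplevendor\staging\updates\cert.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5400, "image": r"C:\ProgramData\ExampleVendor\Staging2\tool.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def _parts(path: str) -> tuple:
    # Normalise for comparison: Windows paths are case-insensitive and accept
    # either separator, so compare lower-cased path components rather than
    # raw strings.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_under_exclusion(image_path: str, excluded_dirs) -> bool:
    """True if image_path lies strictly inside one of the excluded directories.

    Component-wise prefix matching avoids the classic mistake of a plain
    string-prefix test, which would match 'Staging2' against an exclusion
    for 'Staging'.
    """
    img = _parts(image_path)
    for excluded in excluded_dirs:
        exp = _parts(excluded)
        if len(img) > len(exp) and img[:len(exp)] == exp:
            return True
    return False


def flag_executions_from_exclusions(events, excluded_dirs):
    """Return the events whose executable was launched from an excluded directory."""
    return [e for e in events if is_under_exclusion(e["image"], excluded_dirs)]


if __name__ == "__main__":
    for e in flag_executions_from_exclusions(SAMPLE_EVENTS, EXCLUDED_DIRS):
        print(f"ALERT pid={e['pid']} launched from scan-excluded path "
              f"{e['image']} (parent {e['parent']})")
```

On the constructed events this flags pids 5300 and 5311 (both under the excluded staging directory, one with mixed-case path) and leaves 4120 and the `Staging2` process alone. A check like this belongs in endpoint telemetry or SIEM rules alongside the exclusion list itself; it compensates for a scanner blind spot, but the stronger fix is to avoid exempting directories from which code can be executed at all.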
