Is REvil’s Latest Exploit Against Kaseya One of the Biggest Ransomware Attacks Ever?


The REvil ransomware gang last week targeted Miami, FL-based IT services provider Kaseya. At the outset of the attack, REvil demanded $70 million in ransom, the highest ever, but has since reduced it to $50 million. The Russia-based malicious outfit is also seeking ransom payments from thousands of affected customer organizations and MSPs.

Networking and IT infra software provider Kaseya was recently victimized in a ransomware attack by the REvil ransomware gang. According to the Dutch Institute for Vulnerability Disclosure (DIVD), the attack took place just as the United States was heading into the 4th of July weekend celebrations.

The REvil ransomware gang, also known as Sodinokibi, exploited a zero-day vulnerability to gain entry into the target network and encrypt systems. The company issued a security advisory and apprised its more than 36,000 customers as soon as the infection was discovered, and took the precautionary step of shutting down its SaaS servers even though the attack chain affected only on-premise implementations.

But it appears threat actors from REvil managed to inflict enough damage through the attack to demand a hefty $70 million, the highest ransom sum ever, to decrypt systems. The next biggest ransom demands also came in 2021, when Acer and Apple’s Taiwanese vendor Quanta were each asked for $50 million in two separate ransomware attacks.

The REvil gang posted the following note on its leak site:


REvil’s Note for Kaseya | Source: Mark Loman, Director of Engineering at Sophos

Kaseya’s VSA endpoint management and network monitoring tool enables Managed Service Providers (MSPs) to carry out software deployment, patch management, antivirus and antimalware deployment, routine maintenance, etc. This makes the attack a software supply chain one against not only Kaseya but also against thousands of organizations leveraging VSA.


Background of the Kaseya Ransomware Attack

Unlike the SolarWinds incident from 2020, which was also a software supply chain attack, the maliciousness associated with this Kaseya incident relates more to usual ransomware operations for money, based on what’s known so far.

In contrast, SolarWinds was a huge cyber-espionage campaign originating from the US’s all-weather adversary Russia and attributed to the well-known advanced persistent threat (APT) group APT29 (Cozy Bear). APT29 carefully laid low for the duration of the attack, stealthily conducting reconnaissance and active operations.

REvil, on the other hand, exploited a zero-day vulnerability in Kaseya VSA. What’s peculiar is that this particular vulnerability, tracked as CVE-2021-30116, had already been reported by DIVD to Kaseya and was being fixed. Kaseya had developed partial patches and was collaborating with DIVD to close the security gap.

CVE-2021-30116 is one of several vulnerabilities that DIVD reported to Kaseya and for which the company was validating a patch. Details of CVE-2021-30116, along with the other flaws, remain under wraps as of now for obvious reasons.

“It is time to be a bit more clear on our role in this incident. First things first, yes, Wietse Boonstra, a DIVD researcher, has previously identified a number of zero-day vulnerabilities [CVE-2021-30116] which are currently being used in ransomware attacks,” DIVD said. “And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure).”

The Netherlands-based institute added, “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Threat detection and response company Huntress Labs believes one of the vulnerabilities bypasses authentication. “We have high confidence that the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection,” said John Hammond, a senior security researcher at Huntress Labs.

The Attack

Like other REvil attacks, the attack on Kaseya, and by extension on its customers, was possibly carried out by its affiliates. REvil operates a ransomware-as-a-service model wherein the developers of the REvil strain get a cut of the ransom earned from attacks propagated by affiliates. REvil is also among the most active ransomware syndicates out there, along with RagnarLocker, DoppelPaymer, Nefilim, Darkside, and others.

Further analysis by Huntress Labs revealed that while the SQL injection-driven authentication bypass was how the threat actors gained a foothold in the target network, it was not the only vector: the attack chain also involves other injection attacks that are unknown as of now.

Huntress also discovered GET and POST requests from an AWS IP address, 18[.]223.199.234, leading them to believe that the attack could have been launched from a legitimate (but now compromised) AWS web server. GET is an HTTP request method for retrieving data from a resource on the web without changing it, while POST is used to submit data that changes something at the resource.

TrueSec’s analysis of the incident led them to conclude that the three vulnerabilities exploited by the REvil attackers were likely an authentication bypass, an arbitrary file upload, and finally a code injection.

Attack Overview | Source: TrueSec

As such, threat actors are suspected to have used a malicious agent executable to run a PowerShell script that deploys the dropper. The script disables the built-in Windows Defender security software, and the dropped ransomware binary (mpsvc.dll) encrypts files on the victim’s computer. The payload is delivered in the form of a fake software update through VSA.

agent.exe (dropper): d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
mpsvc.dll: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

— Mark Loman @🏡 (@markloman) July 2, 2021

Needless to say, the files encrypted by the REvil strain, which uses the Salsa20 symmetric stream cipher, cannot be decrypted without the appropriate keys, currently in the hands of the REvil gang.

REvil was responsible for nearly one in three (29%) ransomware attacks in 2020.


Indicators of Compromise

Kaspersky provided the indicators of compromise (IoC) of this specific attack chain, which are listed below (MD5):

  • agent.cer (encrypted agent.exe): 95F0A946CD6881DD5953E6DB4DFB0CB9
  • agent.exe: 561CFFBABA71A6E8CC1CDCEDA990EAD4
  • mpsvc.dll, REvil ransomware: 7EA501911850A077CF0F9FE6A7518859
  • mpsvc.dll, REvil ransomware: A47CF00AEDF769D60D58BFE00C0B5421
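The hashes above and the AWS source address reported by Huntress are the kind of indicators a responder would sweep for while the vendor's own detection tool is unavailable. The script below is an added example written for this article; it is not Kaspersky's, Huntress's or Kaseya's tooling. It hashes every file under a directory and matches MD5 and SHA-256 values against the IoCs quoted on this page, and it parses web-server access logs (assumed to be in Apache combined format) for requests from the reported IP. The log lines embedded in it are constructed samples, not captured traffic.

```python
import hashlib
import os
import re
import sys

# SHA-256 values tweeted by Mark Loman (Sophos), lowercased for comparison.
SHA256_IOCS = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe (dropper)",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll (REvil)",
}
# MD5 values published by Kaspersky for the same attack chain.
MD5_IOCS = {
    "95f0a946cd6881dd5953e6db4dfb0cb9": "agent.cer (encrypted agent.exe)",
    "561cffbaba71a6e8cc1cdceda990ead4": "agent.exe",
    "7ea501911850a077cf0f9fe6a7518859": "mpsvc.dll (REvil)",
    "a47cf00aedf769d60d58bfe00c0b5421": "mpsvc.dll (REvil)",
}
# Source address reported by Huntress, with the defanging brackets removed.
SUSPECT_IPS = {"18.223.199.234"}


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streamed in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, md5_iocs=MD5_IOCS, sha256_iocs=SHA256_IOCS):
    """Walk a directory tree; return [(path, label)] for files matching any IoC hash."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = file_hashes(path)
            except OSError:  # unreadable or vanished file: skip, keep scanning
                continue
            label = sha256_iocs.get(sha256) or md5_iocs.get(md5)
            if label:
                hits.append((path, label))
    return hits


# Apache "combined" access-log format (assumed); captures client IP, method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def scan_log_lines(lines, suspect_ips=SUSPECT_IPS):
    """Return (line_no, ip, method, path) for every request from a suspect IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and m.group("ip") in suspect_ips:
            hits.append((n, m.group("ip"), m.group("method"), m.group("path")))
    return hits


# Constructed sample log lines (not real traffic); paths are placeholders.
SAMPLE_LOG = [
    '18.223.199.234 - - [02/Jul/2021:14:00:01 +0000] "GET /example/a HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jul/2021:14:00:02 +0000] "GET /example/b HTTP/1.1" 200 1024',
    '18.223.199.234 - - [02/Jul/2021:14:00:03 +0000] "POST /example/c HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, label in scan_tree(root):
        print(f"IOC HIT  {label}: {path}")
    for line_no, ip, method, path in scan_log_lines(SAMPLE_LOG):
        print(f"SUSPECT REQUEST line {line_no}: {ip} {method} {path}")
```

Run it with the directory to sweep as the first argument; replace `SAMPLE_LOG` with the lines of a real access log to check a web tier. A hash match is evidence of presence, not absence: the attackers control the binaries and can rebuild them, so a clean sweep should not be read as proof that a VSA host was untouched.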


Screengrab of an Infected System | Source: Kevin Beaumont

The proof of concept for the exploit is currently unavailable.

Impact of Kaseya Ransomware Attack

Considering REvil targeted an entire software supply chain consisting of over 36,000 customers and thousands of downstream MSPs, it is still early to estimate the total impact. The REvil gang claims to have infected one million computers, but it remains to be seen whether this claim is true.

Kaspersky noted that the impact is already felt in 22 countries, with 5,000 attack attempts. In particular, data at (at least) 11 schools in New Zealand was encrypted.


Kaseya Attack Impact | Source: Kaspersky

In Sweden, supermarket chain Coop needed to shut down almost 500 stores because its PoS and self-service checkouts stopped working. Coop itself is not a Kaseya customer, but one of its software providers is, which is disconcerting because it sheds light on the enormous downstream ramifications of this ransomware attack.

Another Swedish chain, Apotek Hjärtat, which is also not a Kaseya customer, was left hanging since it wasn’t able to accept payments. Sweden’s government-owned rail operator SJ, EU-based Extenda Retail, and three German IT providers are in the same boat.

And it seems the ransom demand is negotiable. Before the REvil gang put out the $70 million ransom demand for a universal decryptor, the group sought $5 million from large organizations, $500,000 from smaller companies, and $45,000 from yet smaller firms for specific decryptors covering certain file extensions.

If your endpoint is hit, the initial ransom demand is 44,999 USD. pic.twitter.com/gSWbxYJbeX

— Mark Loman @🏡 (@markloman) July 2, 2021

But it looks like the threat actors have lowered the $70 million ransom and are now demanding $50 million, according to a tweet by Jack Cable, security architect at Krebs Stamos.

They also now allow victims to pay in Bitcoin in addition to Monero, which may be another sign that they’re having trouble getting people to pay. Has the side effect of making it easier to track.

— Jack Cable (@jackhcable) July 5, 2021

The thing about ransomware is that while the ransom itself may set organizations back by millions, the system downtime also incurs huge monetary and non-monetary losses. Kaseya VSA services, both SaaS and on-premise, have now been down since Friday evening with no clear timeline for a fix in sight.

In its latest update, the company said users can expect restoration of the impacted on-premise implementations within 24 hours of the restoration of its SaaS-driven services.

Until then, “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture,” Kaseya said.


Advisory for Kaseya Ransomware Attack Victims

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are currently engaged in the investigation of the incident. The two federal bodies issued a joint advisory on Sunday, urging victims as well as probable victims to report to the FBI’s Internet Crime Complaint Center (IC3) and to follow the guidelines provided by Kaseya.

Some steps advised by CISA and the FBI include:

  • Download and set up the Kaseya VSA Detection Tool to check for the presence of any IoC
  • Use multi-factor authentication (MFA)
  • Use a virtual private network/firewall
  • Limit remote monitoring and management communication to known IP addresses only
  • Ensure backups are done regularly
  • Remove automated patch management and installation; do it manually
  • Implement the principle of least privilege

Closing Thoughts

There’s a good chance that the attack was deliberately timed to coincide with the 4th of July weekend, a national holiday, since teams may not be available to oversee any discrepancies in the systems or networks.

“It appears to have caused minimal damage to U.S. businesses, but we’re still gathering information,” said POTUS Joe Biden on Tuesday. “I feel good about our ability to be able to respond.”

This attack comes only a couple of weeks after POTUS Joe Biden assured the American public that he had conveyed to Russian President Vladimir Putin at the Geneva summit in June that the US would respond resolutely if attacks continued to originate from Russia.

SolarWinds is widely considered to have originated from Russia. The Darkside ransomware gang, which carried out the Colonial Pipeline hack in May, has roots in Eastern Europe, while the ransomware group that attacked JBS is believed by the White House to be from Russia.

Ransomware attacks certainly have touched new heights in 2021. Kevin Beaumont, a former Microsoft threat intelligence analyst and currently the head of the security operations center at Arcadia Group, discovered 23 new ransomware and extortion victims in the first three days of last week. He also tracked 43 new organized ransomware gang incidents before midday on Monday.

Beaumont said “The threat is becoming overwhelming and I believe an existential crisis for the security industry, and so their customers. We are stuck in a self-eating circle, and it’s time to ask for help.”

Update | July 23, 2021

Almost three weeks after the Kaseya ransomware incident, the software vendor has obtained a universal decryptor and is working with antimalware provider Emsisoft to help all of the nearly 1,500 downstream victims decrypt their data and systems. “We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said in an update.

What the company can’t confirm is whether it paid the ransom demanded by the REvil gang. The company told BleepingComputer that they “can’t confirm or deny that.”
