The holiday weekend almost went off without a hitch before ransomware attackers exploited the Kaseya software platform to launch a widescale ransomware attack. Kaseya is a platform used to help remotely manage IT services, giving attackers access to a number of systems.
How Did the Kaseya Ransomware Attack Unfold?
Mark Loman, ethical hacker and director of Sophos, tweeted about the attack, reporting that affected systems demand a massive $44,999 for the decryption. A note on the Kaseya website urges victims to disable their VSA servers for now, warning that the first thing an attacker does is “shutoff administrative access to the VSA.”
Kaseya issued an update about the situation on Saturday, saying that it was advised by experts that customers who were hit with ransomware or received communications from hackers should not click on any links. There is a chance the links could be weaponized or could be part of other scams.
News outlets report that the attack targeted six MSPs and has encrypted data on roughly 200 computers. Kevin Beaumont of DoublePulsar offered more details about the attack and how it worked. According to Beaumont, the attack delivered the REvil ransomware through a Kaseya update. The update used the requested administrator privileges to infect systems. After infecting the Managed Service Providers, the infection spread from those providers to any clients they served with remote IT services, such as remote backups, system updates, and network management.
The Fallout Following the Kaseya Ransomware Attack
Kaseya released a statement to news outlets saying, “We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only.” A further notice said that all cloud servers are in “maintenance mode” as a precautionary measure to prevent the attack from spreading further.
Kaseya CEO Fred Voccola issued a statement on Friday saying that the attack hit fewer than 40 MSPs in all and that the company was preparing a patch to close the vulnerability exploited by the attackers.
“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” Voccola said in the statement. He added that the SaaS customers were never in any danger and that the damage was mitigated to only a very small fraction of Kaseya customers.
Bloomberg reported on Saturday that the attack had rippled out to affect over 1,000 businesses in all. The attack was focused on managed service providers, but those providers offer IT services to other companies and could potentially infect those other companies too. For example, a grocery chain in Sweden was unable to open 800 of its stores after its cash registers were disabled by the attack.
The attack is thought to be connected to the REvil Ransomware, which has already made the news several times this year. REvil was behind attacks on Acer and JBS. The Record suggests that this could be the third time that Kaseya was used to spread REvil ransomware, which has been connected to Russia.
What is REvil Ransomware?
REvil ransomware, also known as Sodinokibi or Ransomware Evil, is part of the Ransomware-as-a-Service (RaaS) industry. Instead of deploying ransomware directly, many cybercriminals are now letting people buy and use ransomware themselves. This is one reason for the increase in ransomware attacks in recent years. It’s something of a black market version of affiliate marketing, with REvil taking up to a third of the money made by the affiliate.
Because it is sold as a service, REvil may not always be in the hands of skilled cybercriminals, but it is just as malicious as any other ransomware. The ransomware extracted over $11 million in one month through an attack on a U.S. subsidiary of the largest meatpacking company in the world, demanded a further $5 million from a medical diagnostics company and attacked dozens, if not hundreds, of companies using Kaseya VSA.
Who is Behind the REvil Ransomware Attack?
Given that the ransomware seemed to suddenly appear from nowhere, it’s surprising to learn that it’s been active since at least 2018. The ransomware was originally working with the GandCrab hacking group. The criminals behind REvil focused on malvertising and exploits to spread ransomware in drive-by downloads, one of the most common ways of spreading malware. The REvil team has even admitted to using the GandCrab code base to create the REvil ransomware.
The group evolved over time and earned a reputation for extracting massive amounts of data and demanding equally massive ransoms worth millions of dollars. The gang has now become an elite player in the cyber extortion ring and has played an active role in the increasing number of ransomware attacks that continue to plague businesses, governments, and individual users around the world.
REvil Ransomware’s Encryption Routine
Once it gets into your computer, REvil ransomware will access and scan the drive for all files that are non-executable and in use. The malware then encrypts these files using elliptic curve cryptography (ECC), which allows for smaller decryption keys without weakening the encryption.
The threat actors typically exfiltrate data and encrypt the computer environment as part of a “double extortion” tactic. If the victim doesn’t pay the ransom as instructed, then the threat actors say they will publish stolen information. Given that victims include major corporations, they can’t afford the risk that trade secrets and intellectual property will get out.
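The behaviour described above (many non-executable files rewritten in a short burst with encrypted, high-entropy contents) is what a simple defensive heuristic can key on. The script below is an added example written for this article, not code from Kaseya, Sophos or any REvil analysis: it computes Shannon entropy over file contents, skips executables (which the article says REvil leaves alone, and which are legitimately high-entropy when packed), and raises an alert when a configurable number of suspect files are modified inside one time window. The thresholds, the sample file contents and the modification timestamps are all constructed assumptions for illustration.

```python
import math
import os
import random
from collections import Counter
from typing import List, Tuple

# Tunable thresholds. These values are assumptions for the example, not figures from the article.
ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data sits close to 8.0
MIN_SUSPECT_FILES = 5     # how many suspect writes in one window count as "bulk"
WINDOW_SECONDS = 60.0     # length of the sliding window

# The article notes REvil targets non-executable files; packed binaries are also
# naturally high-entropy, so excluding them avoids an obvious false positive.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys"}

# A file-modification event: (modification time in seconds, path, contents)
FileEvent = Tuple[float, str, bytes]


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_executable(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in EXECUTABLE_EXTENSIONS


def looks_encrypted(path: str, data: bytes) -> bool:
    """Heuristic: a non-executable file whose contents are near-random."""
    if is_executable(path):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def max_suspects_in_window(events: List[FileEvent]) -> int:
    """Largest number of suspect writes that fall inside any WINDOW_SECONDS span."""
    times = sorted(t for t, path, data in events if looks_encrypted(path, data))
    best = 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= WINDOW_SECONDS:
            j += 1
        best = max(best, j - i)
    return best


def bulk_encryption_alert(events: List[FileEvent]) -> bool:
    """True when the burst of high-entropy rewrites crosses MIN_SUSPECT_FILES."""
    return max_suspects_in_window(events) >= MIN_SUSPECT_FILES


# ---- constructed sample data (not real files or timestamps) ----
_rng = random.Random(2021)


def _random_bytes(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"customer,invoice_id,amount\nacme,1001,250.00\n" * 100

BENIGN_EVENTS: List[FileEvent] = [
    (1000.0, "reports/q2.csv", PLAINTEXT),
    (1003.0, "notes.txt", PLAINTEXT),
    (1010.0, "tools/agent.exe", _random_bytes(4096)),  # packed binary: high entropy but ignored
]

# Six non-executable files rewritten with random-looking contents within a few seconds.
SUSPECT_EVENTS: List[FileEvent] = BENIGN_EVENTS + [
    (2000.0 + i, f"share/file{i}.txt", _random_bytes(4096)) for i in range(6)
]

if __name__ == "__main__":
    print("benign burst:", max_suspects_in_window(BENIGN_EVENTS), bulk_encryption_alert(BENIGN_EVENTS))
    print("suspect burst:", max_suspects_in_window(SUSPECT_EVENTS), bulk_encryption_alert(SUSPECT_EVENTS))
```

Entropy alone is a coarse signal: compressed formats such as zip, jpg, docx and xlsx also score near 8 bits per byte, so a production detector pairs this with other indicators (extension changes, rename storms, canary files, the dropped ransom note) and acts on the combination rather than on any one of them.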
REvil Ransomware Ransom Note
The ransom note tells the victim that their files have been encrypted due to one of three reasons: Files were deleted or lost by mistake; illegal use (such as peer-to-peer sharing) with corrupted files; or someone broke into the computer. The note will also provide a link that the victim must follow to unlock their files. The victim is told that they have three hours to decide whether or not to pay the ransom. If they do not contact the virus developers, they will not be able to recover their files.
What Happens Now?
While REvil does have ties to Russia, U.S. President Joe Biden said that the government is unsure if Russia was involved in this particular attack, according to the Washington Post. “I directed the intelligence community to give me a deep dive on what’s happened, and I’ll know better tomorrow, and if it is either knowledge of and/or consequences of Russia, I told Putin we will respond,” he told reporters during a trip to Michigan.
For now, Kaseya has promised to deliver ongoing updates about the situation, with new updates published every three to four hours.