REvil Ransomware Kaseya Supply-Chain Attack Summary

REvil Ransomware Kaseya: Ransomware attacks on Colonial Pipeline, JBS Foods, Kaseya and other major organizations are in the headlines, and threat actors show no sign of slowing down. Hackers are exploiting security weaknesses and holding companies, governments, and healthcare organizations hostage around the globe, sometimes demanding tens of millions of dollars in payment.

The recent supply-chain attack on Kaseya by the REvil ransomware gang (aka Sodinokibi) began on July 2, 2021 and propagated through Kaseya’s VSA cloud-based solution used by managed service providers (MSPs) to monitor customer systems and for patch management. In that instant the attack mimicked a “Direct Cyber Action” a military style attack technique and tactic.

With LIFARS on retainer a cybersecurity incident or a data breach will be handled with the highest priority under strict SLAs. Have your own Computer Security Incident Response Team on call and ready for deployment as your private 911 cyber-emergency

REvil on their ‘Happy Blog’: “On Friday (07/02/2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC”

Below is a sample of the message received on an infected endpoint. The demand for infected users is $44,999 USD:

The initial access happened through the delivery of a malicious “update” payload to internet-accessible Kaseya VSA servers which, in turn, delivered the payload to the MSP VSA agents running in managed Windows platforms. The initial compromise of the server platform is thought to have leveraged a zero-day exploit.

The Kaseya VSA platform drops a base64 encoded file (agent.crt) to Kaseya’s working directory, C:\kworking folder. Given the encoding, malware defenses based on static analysis or machine learning do not pick the file as malicious. Moreover, the installation instructions for Kaseya VSA requires to exclude certain directories from protection.

REvil disables the Windows Defender real-time protection, as well as:

• Network protection against vuln. Exploitation
• Scanning of all downloaded files and attachments
• Scanning of scripts
• Ransomware protection
• Protection against access to dangerous domains that may host phishing scams
• Exploits and other malicious content on the Internet
• And the sharing of potential threat information with Microsoft Active Protection Service, and the automatic sample submission to Microsoft.

For more specifics on the attack methods and vector of compromise register for the LIFARS REvil Ransomware Intel update webinar here.

More information:

• CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack
• Kaseya updates Regarding VSA Security Incident
• DFIR_Resources_REvil_Kaseya/IOCs at main cado security/DFIR_Resources_REvil_Kaseya · GitHub
• Download the LIFARS “REvil Sodinokibi Ransomware Case Study” Technical Guide