REvil Ransomware Attack on Kaseya

On July 2nd, the Russia-based cybercrime group REvil launched a ransomware attack on software supplier Kaseya. Kaseya is an IT solution provider geared towards enterprises and MSPs, and Kaseya says that over 40,000 organizations around the world use at least one of its software solutions. Along with compliance systems, service desks, and a professional services automation platform, Kaseya offers a tool called VSA that provides remote monitoring and management of its clients' networks and endpoints. It was against this VSA tool that REvil launched their attack.

It began at about 2 PM EDT on July 2, when Kaseya detected a potential attack against VSA and CEO Fred Voccola urged clients to shut down their VSA servers immediately. The shutdown was urgent because, once inside, REvil would "shut off administrative access to the VSA." At the time Kaseya believed the attack was limited to a "small number of on premise customers"; by July 4 the company acknowledged that it was the "victim of a sophisticated cyberattack." On-premise clients running VSA in their own data centers did make up the majority of victims, but Kaseya also shut down its cloud-hosted VSA service as a precaution. In an update on July 5, Kaseya said it had developed a fix for the vulnerability that would be deployed once testing was complete. The timing of the attack took advantage of the Fourth of July holiday weekend, when most offices would be lightly staffed from the afternoon of July 2 through July 6. Affected organizations may therefore not have known they were attacked until up to four days after the initial intrusion, by which point it was far too late to save their systems and most or all of their files would already be encrypted.

It is believed that the attack began when REvil exploited a vulnerability in the authentication of the Kaseya VSA web interface, which allowed them to bypass authentication controls and upload a malicious payload to the VSA servers. The attackers then pushed this payload, which contained the ransomware, out to managed endpoints as a fake VSA software update. Because the package appeared to come from the trusted management server, clients accepted and ran it, and it began encrypting files and locking access to the computer's data. Because Kaseya requires the VSA agent to run with near-unrestricted access to the endpoint, there was nothing clients could do to stop the process once it began. By attacking the VSA servers directly, REvil only had to compromise one organization that would distribute the attack for them, rather than attacking each MSP and its clients individually.
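The delivery path described above has a recognizable shape on the endpoint: the management agent, which normally runs as a privileged service, spawns a shell that stages a new binary and executes it. The following is an added detection example (not code from the original article, from Kaseya, or from CIT) that flags that shape in process-creation telemetry. The agent process names, the working directory, the staging patterns and the sample events are all constructed assumptions for illustration; tune them to the RMM agents actually deployed in your fleet.

```python
"""Flag process-creation events where a remote-management (RMM) agent launches
a shell that stages and runs a new executable, the shape a pushed "fake
update" takes on an endpoint.  Added example; every name below is assumed."""

from dataclasses import dataclass
import re

# Image names of RMM agent processes (assumed list, extend for your fleet).
RMM_AGENTS = {"agentmon.exe", "rmmagent.exe"}
# Interpreters an agent uses to run pushed procedures.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line fragments that stage or launch a binary.  Any one is enough
# to queue the event for triage when the parent is an RMM agent.
STAGING = re.compile(
    r"certutil(\.exe)?\s+-decode"      # decode a blob into an executable
    r"|-enc(odedcommand)?\s"           # encoded PowerShell command
    r"|&&\s*\S+\.exe",                 # run a binary right after staging it
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (subset of a Sysmon 1 / 4688-style event)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str


def flag_fake_update_chains(events):
    """Return (shell_pid, reason) for every shell spawned by an RMM agent whose
    command line stages or executes a binary.  A legitimate vendor hotfix can
    match too, so the output is a triage queue, not a verdict."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in RMM_AGENTS:
            continue
        if STAGING.search(e.cmdline):
            hits.append((e.pid, f"{parent.image} -> {e.image} [{e.user}]: {e.cmdline[:70]}"))
    return hits


# Constructed sample telemetry: one agent-pushed staging chain, one benign
# agent-pushed inventory command, and an encoded PowerShell launched by a
# user's explorer.exe (out of scope for this rule, since the parent is not an agent).
SAMPLE_EVENTS = [
    ProcEvent(400, 4, "services.exe", "services.exe", "SYSTEM"),
    ProcEvent(1200, 400, "AgentMon.exe", "AgentMon.exe", "SYSTEM"),
    ProcEvent(2300, 1200, "cmd.exe",
              r"cmd.exe /c certutil -decode c:\agentwork\upd.crt c:\agentwork\upd.exe && c:\agentwork\upd.exe",
              "SYSTEM"),
    ProcEvent(2400, 1200, "cmd.exe", "cmd.exe /c wmic os get lastbootuptime", "SYSTEM"),
    ProcEvent(3100, 400, "explorer.exe", "explorer.exe", "alice"),
    ProcEvent(2500, 3100, "powershell.exe", "powershell.exe -enc SQBFAFgA", "alice"),
]


if __name__ == "__main__":
    for pid, reason in flag_fake_update_chains(SAMPLE_EVENTS):
        print(f"TRIAGE pid={pid}: {reason}")
```

Run against the constructed events, only the agent-spawned `cmd.exe` that decodes and launches `upd.exe` is queued; the inventory command and the user-launched encoded PowerShell are not. The caveat is the same one Kaseya's customers faced: a genuine hotfix pushed by the vendor produces the identical chain, so the value of the rule is in forcing a human look at every such push, not in blocking it outright.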

The impact of this attack runs very deep. Kaseya has confirmed that around 60 of its direct customers were affected. Since most of Kaseya's VSA customers are MSPs, their clients were affected in turn. Kaseya estimates the total reach at about 1,500 businesses, and REvil has claimed to have infected upwards of a million individual devices. The real number of infected devices could be higher still, as many organizations are hesitant to report that they have been attacked. The downstream effects are already being felt: the Swedish supermarket chain Coop had to close over half of its stores late last week because it could not open its cash registers. Coop was hit indirectly, through a software supplier that was directly attacked.

REvil immediately began making ransom demands. Early reports indicated that the gang demanded between $500,000 and $5 million from larger targets, and around $45,000 from most. REvil has since made a blanket offer: $70 million in cryptocurrency in exchange for a universal decryptor for all affected systems. The apparent bet is that insurers will decide that paying the $70 million ransom is cheaper than extended downtime, and will pay.

MSPs (Managed Service Providers) will continue to be targeted by this type of attack because of their access to all of their customers. CIT has been a major contributor to the security of the MSP community. We help write the CIS Controls and sponsored legislation for governance of MSPs. Lawrence Cruciana presented with CIS and MITRE at RSAC 2021 on The State of Security in SLTT and SMB Organizations. Last year he presented at the ChannelPro CyberSecurity Summit on Mastering Managed Security. This week he is presenting to MSPs at ChannelPro on Zero Trust and will again present with ChannelPro in August on a Security Checklist. We know what it takes to keep our customers secure.

Although CIT does not use Kaseya, one of our customers had the agent from another vendor installed for support. Within 7 minutes of discovery, it was removed from the system. We then tested our layered security against this vulnerability and found that we were able to stop it. While this attack is far-reaching and intimidating, CIT can help your organization prepare for incidents like this. Our service team has already helped clients avoid falling victim to this attack, and our standard set of security controls is blocking it.

Don’t Gamble with Your Security!

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.

Written by: Michael Honrine
