Kaseya VSA supply chain ransomware attack

Overview:

Hundreds of businesses worldwide were hit by a highly sophisticated ransomware attack on Friday, July 2nd, 2021. This is another supply chain attack, following the infamous SolarWinds attack earlier this year, and this one appears to be entirely financially motivated. Kaseya VSA software was used in this attack to infect and encrypt the targeted companies' systems.

Kaseya VSA is a network management and monitoring platform used by many MSPs (Managed Service Providers) to manage and monitor their clients' networks. This means that if an MSP is compromised, the threat can spread to every client the MSP services. Initial investigations of the attack indicate that it exploits a vulnerability in Kaseya VSA on-premise server deployments. It is not yet known whether the same issue exists on the SaaS and hosted VSA servers.

Kaseya and Colonial:

REvil, also known as Sodinokibi, the ransomware gang behind the attack, is thought to be an offshoot of the infamous GandCrab operation. REvil runs a ransomware-as-a-service model: it recruits affiliates to target businesses and supplies the services needed to carry out an end-to-end ransomware attack. It is worth noting that REvil's ransomware closely matches that used by DarkSide, the gang behind the Colonial Pipeline attack. REvil's source code is not publicly available, which suggests that DarkSide is working with REvil.

Details of the Attack:

The complete attack chain for the REvil assault has yet to be uncovered; however, the REvil payload is known to be delivered through a Kaseya software update. The update drops an old but legitimate copy of the Windows Defender engine (MsMpEng.exe) together with a malicious loader DLL. MsMpEng.exe then side-loads the DLL and executes the custom loader's export.
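The side-loading step above leaves two detectable traces: a copy of MsMpEng.exe running from a directory where Windows Defender is never installed, and that process loading a DLL from outside the Defender or system directories. The following detection logic is an added example, not code from the original page or from Kaseya. It assumes a Sysmon-style key=value event format (EventID 1 for process creation, EventID 7 for image load), assumes the two standard Defender install directories as the only legitimate locations for MsMpEng.exe, and runs over a handful of constructed log lines; the staging path and loader.dll name are placeholders, not indicators from the incident.

```python
"""Flag MsMpEng.exe running from an unexpected path or side-loading a DLL.

Added example: log lines and paths below are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Assumption: a genuine Windows Defender engine lives only under these two
# directories (the Platform directory contains versioned subfolders).
EXPECTED_DEFENDER_DIRS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)

# DLL directories a legitimate MsMpEng.exe is expected to load from.
TRUSTED_DLL_DIRS = EXPECTED_DEFENDER_DIRS + (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
# The staging directory and loader.dll are placeholder names, not real IoCs.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Program Files\Windows Defender\MsMpEng.exe
EventID=1 Image=C:\Users\Public\staging\MsMpEng.exe
EventID=7 Image=C:\Program Files\Windows Defender\MsMpEng.exe ImageLoaded=C:\Windows\System32\kernel32.dll
EventID=7 Image=C:\Users\Public\staging\MsMpEng.exe ImageLoaded=C:\Users\Public\staging\loader.dll
EventID=1 Image=C:\Windows\System32\svchost.exe
""".strip()

# key=value pairs; values may contain spaces, so stop only before the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one 'Key=value Key=value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def _under(path: str, dirs) -> bool:
    """True if path sits anywhere beneath one of dirs (case-insensitive)."""
    parents = PureWindowsPath(path).parents
    return any(d in parents for d in dirs)


def findings(log_text: str) -> list:
    """Return (rule, path) tuples for suspicious MsMpEng.exe activity."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        image = ev.get("Image", "")
        if PureWindowsPath(image).name.lower() != "msmpeng.exe":
            continue
        if ev.get("EventID") == "1" and not _under(image, EXPECTED_DEFENDER_DIRS):
            # Defender engine launched from a non-Defender directory.
            alerts.append(("msmpeng_unexpected_path", image))
        elif ev.get("EventID") == "7":
            dll = ev.get("ImageLoaded", "")
            if dll and not _under(dll, TRUSTED_DLL_DIRS):
                # Engine pulled a DLL from an untrusted location: side-load pattern.
                alerts.append(("msmpeng_sideload", dll))
    return alerts


if __name__ == "__main__":
    for rule, path in findings(SAMPLE_LOG):
        print(f"{rule}: {path}")
```

The path check uses PureWindowsPath so that directory comparison is case-insensitive and versioned subfolders under the Platform directory are still accepted; only the renamed-directory copy of the engine and its out-of-place DLL load are reported.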

REvil ransomware has advanced encryption capabilities: it encrypts data on the targeted machine using four distinct public/private key pairs. Obtaining the decryption key for one campaign or one victim therefore does not allow decryption of data on other machines or at other attacked organizations.

Impact:

No other ransomware operation comes close to the magnitude of this one. The attack has hit at least 200 companies throughout the United States. The cash registers at Coop's 800 shops in Sweden were taken down, so the shops were unable to open. The Swedish State Railways were also impacted, as was a large local drugstore chain. The current estimate of victims is in the tens of thousands. Known victims span at least 17 countries, ranging from the United Kingdom to Mexico.

SecurityAdvisor Employee Tips:
Keep your OS, browsers and applications updated with the latest security patches.
Review, delete and deprecate any unused access rights and credentials.
Take any unused public-facing applications, portals and domains offline.
