Kaseya VSA Ransomware Attack
REvil used a ‘zero day attack’ to exploit Kaseya software and it was not a phishing method. Hundreds of companies, including a railway, pharmacy chain and grocery chain in Sweden, were directly
Ransomware attacks are on the rise. Prepare your organization by following risk mitigation steps.
On Friday July 2, 2021 thousands of victims suffered ransomware attacks in at least 17 countries, largely through firms that remotely manage IT infrastructure for multiple customers. It was believed to be the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.
The Details
Kaseya Virtual System Administrator (VSA) is a Remote Monitoring & Management Software. A Miami-based company that provides tech-management tools to customers worldwide.
REvil used a ‘zero day attack’ to exploit Kaseya software and it was not a phishing method. Hundreds of companies, including a railway, pharmacy chain and grocery chain in Sweden, were directly hit by the supply-chain attack on software company Kaseya.
Ransomware gangs similar to ‘REvil’ usually examine a victim’s financial records — and insurance policies if they can find them — from files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online unless paid. In this attack, that appears not to have happened so far.
It is believed that the criminals didn’t just exploit Kaseya code in breaking into the network but also exploited vulnerabilities in third-party software
Ransomware
REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency. The $70 million ransomware demand was posted to a dark-web blog typically used by REvil, the Russia-linked cybercrime gang behind the attack that crippled the U.S. operations of meat processor JBS.
Victims
Hundreds of companies, including a railway, pharmacy chain and grocery chain in Sweden, were directly hit by the supply-chain attack. At least 36,000 were indirectly affected by the attack because Kaseya advised all its customers to take their on-premise servers offline Friday. REvil, the Russia-linked hacking group behind the attack on meat processor JBS, is linked to the Kaseya attack.
As of July 5, 2021 Kaseya reported that fewer than 60 customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. Many of these customers provide IT services to multiple other companies and the total impact has been to fewer than 1,500 downstream businesses.
REvil
REvil (Ransomware Evil; also known as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page ‘Happy Blog’ unless the ransom is received.
Similar to DarkSide, ‘REvil’ recruits affiliates to distribute the ransomware for them. As part of this arrangement, the affiliates and ransomware developers split revenue generated from ransom payments. It is difficult to pinpoint their exact location, but they are thought to be based in Russia due to the fact that the group does not target Russian organizations, or those in former Soviet Union countries.
Ransomware code used by REvil resembles the code used by DarkSide, REvil’s code is not publicly available, suggesting that DarkSide is an offshoot of REvil or a partner of REvil.
REvil and Darkside use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country. It is believed that REvil is an offshoot from a previous notorious, but now-defunct hacker gang, GandCrab.
This is suspected due to the fact that REvil first became active directly after GandCrab shutdown, and that the ransomware both share a significant amount of code
US Government
President Joe Biden had “directed the full resources of the government to investigate this incident” and urged all who believed they were compromised to alert the FBI.
“The initial thinking was it was not the Russian government, but we’re not sure yet,” President Biden told reporters on Saturday. “If it is either with the knowledge of and/or a consequence of Russia, then I told Putin we will respond.” FBI and CISA actively conducting the investigation
Recommended Steps to mitigate Ransomware attacks
The Biden administration is urging businesses to take “immediate steps” to increase their ransomware defenses in the wake of several high-profile cyberattacks
Implement the five best practices from the President’s Executive Order:
President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact:
multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack.
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There’s nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check Your Security Team’s Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There’s been a recent shift in ransomware attacks – from stealing data to disrupting operations. It’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.