
REvil crew wants $70m in Kaseya ransomware heist

Two days after one of the largest ransomware attacks in history by the REvil/Sodinokibi gang, the security community is assessing its next moves, while over 1,000 victims remain in limbo

More than 1,000 different organisations around the world – including many small and medium-sized enterprises (SMEs) – remain locked out of critical IT systems over 48 hours after a REvil/Sodinokibi ransomware attack against IT managed service providers (MSPs) orchestrated via a compromise of Kaseya’s VSA endpoint management and network monitoring service.

The supply chain attack unfolded on Friday 2 July ahead of the 4 July holiday weekend in the US. As of 4am UK time on Monday 5 July, Kaseya’s VSA software-as-a-service (SaaS) datacentres and impacted customer on-premise servers remained offline with a current goal of restarting the datacentres some time within the next 24 hours, after which Kaseya will begin the process of scheduling patching for on-prem customers.

About an hour earlier, the operators of REvil claimed credit for the attack in a notice published to their dark web leak site, known as the Happy Blog. The gang said it had infected a million systems and demanded a ransom of $70m in bitcoin to provide a universal decryptor. It said this would enable everyone to regain access to their systems and data in less than an hour, although it is highly unlikely the process would be that smooth. If paid, the ransom would probably be the largest sum ever extorted by a ransomware crew.

Researchers from SME cyber specialist Huntress – one of the first responders “on scene” on Friday evening – say they are currently tracking 30 MSPs in the US, Australia, Europe and Latin America that have fallen victim to the attack. They said they had confirmed REvil accessed Kaseya’s VSA service by exploiting an SQL injection vulnerability and are confident that the gang used an authentication bypass to access the servers.

The attack has also attracted high-level attention, with alerts from various government agencies around the world, while US president Joe Biden, who recently tackled Vladimir Putin over the fact that ransomware gangs are seemingly allowed to operate from within Russia with impunity, has announced an investigation.

Timing is everything

Check Point’s Ian Porteous, regional director of security engineering for the UK and Ireland, said the timing of the attack to coincide with a major US holiday was a clear choice by REvil. “They picked the weekend as they know that company IT staff go offline and companies are often on a skeleton crew, where eyes aren’t watching,” he said.

“This helps the threat actors in a few ways – it allows the ransomware to be fully deployed before anyone notices and it induces more panic during response operations if key players within the victims’ environment are unavailable to respond, possibly increasing the chances that a ransom demand will be paid.”

Collateral damage

As a consequence of this, it is also likely that many organisations have either only just discovered, or are about to discover, that they have become collateral damage from an attack that targeted only a small number of MSPs, so the true number of businesses impacted will almost inevitably climb from the current estimate of around 1,000.

Among the businesses that have already come forward is Swedish supermarket chain Coop, which is not a Kaseya customer itself. The chain was forced to close hundreds of branches across Sweden after its point-of-sale systems failed when its software provider was taken out in the attack. At one point, some of the chain’s outlets were seen giving away fresh produce for free to avoid waste.

IT complexity

Charl van der Walt, head of security research at Orange Cyberdefense, said the Kaseya attack was a consequence of several diverse factors coming together that, collectively, make such incidents a virtual inevitability. Of these, he said, the most important is IT interdependence – IT systems and their users do not operate in isolation and therefore breaches or compromises in such cases are never restricted to the primary target – in this instance, Kaseya’s customers.

“We simply cannot afford to think of our own security as isolated or separate from the security of our technology product or service providers, or from the myriad other business entities or government agencies we share technology with,” said van der Walt. “A shared dependency on core technologies, vendors, protocols or core internet systems like DNS or CDNs binds businesses together just as tightly as fibre links and IP networks. Businesses, in turn, also bind together the suppliers who depend on them, the industries they belong to, the countries they operate in and, eventually, the entire global economy.

“By their very nature, supply chain attacks provide the attacker with vast scope and scale, even if they take more resources and time to perpetrate. The frequency of these attacks is therefore not as important as their impact. Given the persistence of the systemic forces that enable these attacks, we anticipate that they will increase in both frequency and impact.”

Hitesh Sheth, president and CEO of Vectra AI, said he hoped the attack would prompt a discussion on the cyber security issues that dog the IT services business model. “When your business relies on a product like Kaseya VSA, you’re only as secure as your provider,” he said. “When more businesses outsource critical functionality to the cloud, the Kaseya case suggests heightened risk.

“How much do these businesses really understand about their vendors’ security posture? Is there sufficient emphasis on rapid attack detection? The answers matter as much to customers as to the MSPs themselves – because in a security failure, it’s the customers who field the ransom demands.”

A warning from recent history

More widely, said Sheth, the attack extended a clear pattern that businesses have been “too slow to recognise”.

“As in the SolarWinds incident, REvil infiltrated one service provider connected to a long list of targets,” he said. “It’s an efficient way to inflict multiple clusters of damage in a single blow. Because SolarWinds was so successful, we should have seen a rerun coming.

“It’s been more than half a year since the SolarWinds case was discovered. Since then, how many systematic security audits have occurred of managed service providers and SaaS vendors? In a successful cyber attack, these organisations become unwitting distribution hubs for havoc. Each incident like this teaches a lesson – but we have to be listening.”

Shut it down

In the meantime, in the vanishingly unlikely event that your organisation is running Kaseya VSA, it should be shut down right now, although it is probably too late, said Porteous, who added: “Use EDR, NDR and other security monitoring tools to verify the legitimacy of any new files in the environment since 2 July; check with security product vendors to verify protections are in place for REvil ransomware; and if help is needed, call in a team of experts to help verify the situation within the environment.”
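As an added illustration of the first step in Porteous’s checklist (this is not code from the article, from Kaseya or from any vendor named in it): a small Python triage script that walks a directory tree, records every regular file modified on or after the 2 July cutoff together with its SHA-256, and splits the results against a list of hashes supplied by a security vendor. The sample tree, its file names and the indicator list are constructed for the demonstration; the directory to scan and the real indicator list are assumptions you would supply yourself.

```python
"""
Post-incident file triage: list files new or changed since a cutoff date,
hash them, and separate known-bad matches from files still needing review.
Added example; the sample tree and indicator list below are constructed.
"""
import hashlib
import os
import stat
from datetime import datetime, timezone

# Cutoff from the checklist in the article: anything new since 2 July 2021 (UTC).
DEFAULT_CUTOFF = datetime(2021, 7, 2, tzinfo=timezone.utc)


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_new_files(root, cutoff=DEFAULT_CUTOFF, exts=None):
    """Return a list of records for every regular file under `root` whose
    modification time is at or after `cutoff`, newest first.
    `exts` optionally restricts the scan to a set of extensions such as
    {".exe", ".dll", ".ps1"}; symlinks and special files are skipped."""
    cutoff_ts = cutoff.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if exts and os.path.splitext(name)[1].lower() not in exts:
                continue
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable; note it elsewhere if needed
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mtime >= cutoff_ts:
                hits.append({
                    "path": path,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "size": st.st_size,
                    "sha256": sha256_of(path),
                })
    hits.sort(key=lambda h: h["mtime"], reverse=True)
    return hits


def match_indicators(hits, known_bad_hashes):
    """Split triage hits into those matching vendor-supplied hashes and the rest.
    Files in the second list are not clean, only unmatched, and still need review."""
    bad = {h.lower() for h in known_bad_hashes}
    flagged = [h for h in hits if h["sha256"] in bad]
    unknown = [h for h in hits if h["sha256"] not in bad]
    return flagged, unknown


def build_sample_tree(base):
    """Constructed sample data: one file from before the cutoff and two after it,
    with modification times set explicitly so the demo is reproducible."""
    os.makedirs(os.path.join(base, "sub"), exist_ok=True)
    old = os.path.join(base, "old_report.txt")
    new_bin = os.path.join(base, "sub", "agent.exe")
    new_txt = os.path.join(base, "notes.txt")
    for p, content in ((old, b"quarterly figures"),
                       (new_bin, b"MZ\x90\x00 fake binary (constructed)"),
                       (new_txt, b"todo")):
        with open(p, "wb") as f:
            f.write(content)
    old_ts = datetime(2021, 6, 1, tzinfo=timezone.utc).timestamp()
    new_ts = datetime(2021, 7, 3, 12, tzinfo=timezone.utc).timestamp()
    os.utime(old, (old_ts, old_ts))
    os.utime(new_bin, (new_ts, new_ts))
    os.utime(new_txt, (new_ts, new_ts))
    return base


def demo():
    """Build the constructed tree in a temp dir and run the triage over it.
    The 'vendor' indicator list here is just the hash of the constructed binary."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_new_files(tmp)
        exe_only = find_new_files(tmp, exts={".exe"})
        indicators = [sha256_of(exe_only[0]["path"])]  # constructed indicator
        flagged, unknown = match_indicators(hits, indicators)
        return {"all": hits, "exe_only": exe_only, "flagged": flagged, "unknown": unknown}


if __name__ == "__main__":
    for h in demo()["all"]:
        print(h["mtime"], h["size"], h["sha256"][:16], h["path"])
```

In practice you would point `find_new_files` at the agent’s working directories and system paths rather than a temp tree, and feed `match_indicators` the hash list your security vendor publishes for this campaign. Modification times are attacker-controllable, so treat the cutoff as a first filter for triage, not as proof that older files are untouched.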
