On 02 July 2021, details started to emerge of a sophisticated supply-chain attack targeting Kaseya VSA, virtual system administrator software used to manage and monitor customers’ infrastructure. Researchers initially attributed this attack to ransomware gang “REvil” (aka Sodinokibi), whose members claimed responsibility in a press release on their dark-web data-leak site, Happy Blog.

Kaseya VSA is commonly used by managed service providers (MSPs) in the US and UK to help them manage their clients’ systems. As such, compromising this product also enabled the ransomware operators to gain privileged access to thousands of MSPs’ customers’ devices, given the high level of trust that IT monitoring software usually requires.

At the time of writing, the number of companies affected by this ransomware supply-chain attack is still unclear. Kaseya’s CEO, Fred Voccola, claimed on 03 July 2021 that “fewer than 40 worldwide” customers were impacted. However, the number of organizations is likely to be exponentially bigger than that, given that compromised MSPs will, in turn, affect their clients’ systems as well. REvil operators claimed in their press release that more than one million victims were “infected” but this needs to be taken with a pinch of salt.

Digital Shadows (now ReliaQuest) is keeping a close watch on the developing situation associated with this event and will provide updates as new details emerge. For now, we have decided to publicize what we know so far, review the connection to Sodinokibi, and highlight some measures to take while this event is still unfolding. 

How did the campaign unfold?

REvil operators conducted a sophisticated supply-chain attack to exploit malicious Kaseya VSA product updates, to distribute ransomware across the American IT giant’s customers. Let’s see in detail how the campaign unfolded.

Initial access

Initial Access

Multiple reports point to the observation that REvil seems to have used a zero-day vulnerability to remotely access on-premise VSA servers. Apparently, the vulnerability had already been disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) and was in the process of being fixed; however, REvil affiliates were faster and weaponized it to breach multiple Kaseya customers. 

Technical details of the vulnerability are still unknown. However, the ability of the REvil operators to put their hands on this undisclosed exploit speaks volumes about the increasing sophistication of this ransomware group. The exploitation of zero-day vulnerabilities was once seen as exclusive to highly capable state-sponsored advanced persistent threat (APT) groups; these days, the professionalization and immense resources available to ransomware gangs have significantly expanded their destructive potential.

Execution

Execution

The REvil ransomware is delivered via a malicious update through Kaseya VSA. The update is automatically rolled out across Kaseya’s MSPs and their customers’ systems, disguised as a management agent update. 

Lateral movement

Lateral movement

Like the vast majority of IT management and monitoring products, Kaseya is operated with high-level administrator privileges among its users’ networks and systems. Although this is a standard set-up for this kind of product, it means the attackers that compromised Kaseya VSA now have the same privileges, and can freely propagate. 

Impact

Impact

REvil and other ransomware groups are financially motivated. Consequently, it makes sense for them to encrypt the compromised networks and demand a ransom to restore them. This ransomware supply-chain attack’s main targets were the MSPs and not their customers; the initial ransom demanded from the MSPs was set at USD 5 million each; the customers of the MSPs faced a lower demand, of USD 44,999.

Correspondence between the attackers and their victims indicated that the REvil affiliates were not honoring these initial demands. Based on the correspondence, the affiliates demanded between USD 40,000 and USD 45,000 per individual encrypted file extension. For a victim organization that stated that they had more than a dozen encrypted file extensions, the attackers demanded a sum of USD 500,000 to decrypt the entire network.

In other correspondence, the attackers stated that they did not perform any actions other than encrypting the networks. This suggests they did not steal victims’ files, which is the typical course of action in ransomware attacks using the double extortion method (attackers steal files and publish them on dedicated data-leak sites to pressure victims into paying the ransom).

Additionally, REvil offered a universal decrypting tool for 70 million dollars in Bitcoin. This universal decrypting tool would allegedly allow all victims to regain access to their systems within an hour. It is realistically possible that the attackers were capitalizing on the panic among the victims, which included the customers of the affected MSPs, to drive them into pooling funds for that universal decrypting tool.

REvil Ransom
REvil ransomware infection notice (Source: Twitter)

Interestingly, as you can see from the screenshot above, REvil has been asking for the ransom to be paid in Monero (XMR) rather than Bitcoin (BTC). As we discussed in our blog about cryptocurrency attacks to be aware of in 2021, cybercriminals are increasingly moving toward privacy-focused cryptocurrencies, such as Monero, for their operations. It is likely that ransomware groups have noticed a trend in law-enforcement operations being able to locate and seize Bitcoin wallets in recent months (see the aftermath of the Colonial Pipeline attack) and have started to steer away from Bitcoin when possible.

Who is the group behind this attack?

After an initial unconfirmed attribution to the REvil (aka Sodinokibi, Sodin) operators, they confirmed being behind the attack in the press release on their data-leak site. REvil is ransomware that was first observed in April 2019. Since then, the ransomware has been actively used in campaigns targeting organizations worldwide and across a wide range of sectors. In a similar fashion to other prominent ransomware groups, the REvil operators have often adopted the popular method of exfiltrating sensitive data from their targets and threatening to release it on their dark-website to increase pressure on victims. 

REvil Portal
A view of Digital Shadows (now ReliaQuest)’ Search Light (now ReliaQuest GreyMatter Digital Risk Protection)™ REvil (aka Sodinokibi) threat profile

REvil operates as a Ransomware-as-a-Service (RaaS) criminal operation. REvil affiliates have been observed using a variety of methods to compromise victims in the past. Along with phishing and malvertising, REvil frequently made use of software vulnerabilities to spread and compromise victims. 

This ransomware supply-chain attack is not the first time REvil has targeted MSPs. Back in June 2019, REvil used remote management tools to deploy ransomware on MSPs’ customers’ systems; this indicates that the event observed over the past weekend was a tried-and-tested operation, rather than improvised. Corroborating this assessment is the fact that the attackers deliberately chose the 4th of July weekend to target Kaseya VSA, timing their activity with the US Independence Day holiday in hopes of generating maximum chaos when few security professionals were in their (home) offices to respond to the threat.

Useful resources

As we mentioned earlier, we will continue to update this blog to reflect the most up-to-date details pertaining to this campaign. In the meantime, we have compiled a list of useful resources:

  • Kaseya update page: hxxps://helpdesk.kaseya[.]com/hc/en-gb/articles/4403440684689-Important-Notice-July-4th-2021 
  • Kaseya REvil GitHub configuration dump: hxxps://gist.github[.]com/fwosar/a63e1249bfccb8395b961d3d780c0354
  • Reddit thread: hxxps://www.reddit[.]com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/ 

Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection)™ recommendations

If you’re a Digital Shadows (now ReliaQuest) client, we have consolidated a list of Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) queries you can use to stay on top of details as they emerge:

INDICATOR QUERY:  

type=[indicator feeds] AND “kaseya”

KASEYA INFORMATION QUERY VIA THREAT INTEL FEEDS: 

(type=[blog posts] OR type=[intelligence incidents]) AND “kaseya” AND date=[now-7d TO now]

THREAT ACTOR REVIL SPECIFIC QUERY: 

(“revil” OR “sodinokibi”) AND (type=[Blog posts] OR type=[Intelligence])

QUERY FOR DISCUSSIONS ON FORUMS, CHATS, AND MARKETPLACES: 

(“kaseya” OR “sodinokibi” OR “revil”) AND (type=[Forum posts] OR type=[Chat messages] OR type=[Marketplace listings])

QUERY FOR RELATED VULNERABILITIES: 

(“kaseya” OR “sodinokibi” OR “revil”) AND (type=[Vulnerabilities & Exploits]) date=[now-6M TO now]