On Friday, U.S. software developer Kaseya Ltd. was hit by a REvil ransomware attack that targeted its Kaseya VSA software, affecting multiple hosting providers and more than a thousand of their customers.
Kaseya, an IT company from Sweden, was granted a Kaseya VSA (Virtual System Administration) patent and a connection algorithm patent by the US Patent Office in 1999. Kaseya VSA is a cloud-based MSP platform that lets providers perform patch management and client monitoring for their customers, giving those customers a web-based, next-generation automated IT systems management solution. An MSP is a business that provides 24×7×365 system management services to enterprises by running its own Network Operating Center (NOC). Through the NOC, an MSP can remotely manage enterprise systems and monitor their operation in real time, collecting operational statistics.
To obtain better service, companies choosing an MSP generally pick product brands with a strong market share, and Kaseya is such a brand. So far, Kaseya has more than 10,000 customers around the world, including more than 50% of the world’s top 100 IT management service providers and major leading enterprises from the banking, financial, retail, trade, educational, government, medical and transportation sectors. By the end of 2011, more than 13 million terminals and devices worldwide were managed through Kaseya’s software.
Why Kaseya?
Kaseya was chosen as the target of this supply chain attack precisely because so many large enterprises and technology service providers use Kaseya VSA.
Supply chain attacks are a type of attack that targets software developers and suppliers. Attackers infect legitimate applications and use them to distribute malware by exploiting insecure network protocols, unprotected server infrastructure, or insecure coding practices in the application.
Typically, software is built and distributed by trusted vendors, so applications and updates are signed and certified as safe. In a software supply chain attack, the vendor may not know that its application or update has been infected with malicious code when it is released to the public, so once the attack succeeds, the malicious code runs with the same trust and permissions as the application itself.
MSPs are a high-value target for ransomware gangs because they provide a convenient channel for infecting many companies through a single vulnerability, but mounting such an attack requires a deep understanding of MSPs and the software they use.
REvil fits this profile. The gang has a branch that is well versed in the technologies used by MSPs and has long researched these companies and the software they commonly use. Like other ransomware, REvil’s ransomware locks the victim’s computers until the victim pays a digital ransom in Bitcoin.
Will Kaseya pay the ransom?
REvil not only chose its prey carefully but also timed the attack carefully. Most large-scale ransomware attacks take place late at night or on weekends, when fewer people are monitoring the network. REvil instead launched the attack at noon on Friday, when employees were likely to be working shorter and less attentive hours ahead of the weekend.
REvil’s well-orchestrated attack went fairly smoothly. On Friday, Kaseya received reports from customers that endpoints managed by the Kaseya VSA on-premises product were behaving abnormally; shortly afterwards, Kaseya discovered that ransomware was being executed on those endpoints. Based on the user reports, Kaseya’s executive team quickly convened and decided on two steps to stop the malware from spreading: notifying on-premises customers to shut down their VSA servers, and shutting down Kaseya’s own VSA SaaS infrastructure.
Through its investigation, Kaseya’s security team determined that the ransomware exploited a vulnerability in Kaseya VSA, and the company announced that a patch would be released soon. The attack is said to be the largest ever launched by REvil, with eight known large MSPs compromised and as many as 40,000 computers worldwide possibly infected.
According to information posted on darknet blogs, the REvil ransomware gang claims to have locked down more than 1 million systems.
The translation reads: Last Friday (02.07.2021) we launched an attack on MSP suppliers. Over 1 million systems were infected. If anyone wants to negotiate a universal decryptor – our price is $70000000 (BTC), we will release the decryptor publicly, decrypt all victims’ files, so everyone will be able to recover from the attack in less than an hour. If you are interested in such a transaction, please contact us by following the victim’s “readme” file instructions.
So far, Kaseya has not indicated whether it will consider paying the ransom. According to official statements, more and more MSPs, resellers and their customers have been affected by the attack. Kaseya said it will continue to investigate and publish information in an effort to limit its customers’ losses.
Repeat offender: REvil strikes too often
$70 million sounds like an astronomical sum, but this is not the first time REvil has made a big splash. In May 2020, REvil claimed to have broken the elliptic curve cryptography used by Donald Trump’s company to protect its data, and demanded a $42 million ransom for the data it had stolen.
REvil first became known for stealing nearly a terabyte of information from Grubman Shire Meiselas & Sacks, a law firm serving global film and television superstars, and extorting a ransom from it. Since then, REvil’s name has been closely linked with those of well-known stars such as Lady Gaga, Elton John, Robert De Niro and Madonna.
Having made its name as a “star” of the hacking world, REvil has kept up a pace of crime that would rate it a model worker: in 2021 alone it has occupied front-page headlines with at least one attack per month.
On March 18, REvil affiliates claimed online that they had installed ransomware at, and stolen large amounts of data from, the multinational hardware and electronics company Acer, and demanded a ransom of $50 million.
On March 27, REvil attacked the Harris League and posted multiple financial documents of the league on its blog.
In April, REvil stole Quanta Computer’s plans for upcoming Apple products and threatened to publish them unless it received a $50 million ransom.
On May 30, JBS, the world’s largest meat supplier, was hit by REvil ransomware, forcing the company to temporarily shut down all of its U.S. beef plants and disrupting operations at its poultry and pork plants. In the end, JBS paid REvil an $11 million ransom in bitcoin.
On June 11, global renewable energy giant Invenergy confirmed that its operating systems had been attacked by ransomware, for which REvil claimed responsibility.
Just two days into July, REvil struck Kaseya.
Why do victimized companies just grit their teeth and bear it?
Beyond the core organization, REvil has recruited a number of affiliates to distribute its ransomware. Both these affiliates and the ransomware developers take a share of the revenue generated when a ransom is paid, which means the final ransom flows to multiple destinations, so the exact location of the REvil gang is difficult to determine.
Governments of various countries loathe this organization and have ordered severe crackdowns on many occasions. Unfortunately, previous incidents have essentially ended with REvil’s extortion succeeding. How will the Kaseya incident end?