The News: Late on Friday the full impact of the latest REvil ransomware attack hit major news outlets. The REvil ransomware attack on Kaseya, a provider of remote IT security and management services, is wide-ranging and largely impacts SMBs. According to Kaseya, the company is working with government agencies and incident response teams to mitigate the impact of the attack. Read the full release from Kaseya here.
Full Impact of REvil Ransomware Attack Becomes Apparent
Analyst Take: This latest REvil ransomware attack on Kaseya was significant enough that the White House was compelled to react and provide guidance. From what is emerging, the attack hit fewer than 60 Kaseya clients, roughly 30 of which were managed services providers (MSPs), and encrypted the data of hundreds of companies downstream of them, the most prominent of which appears to be Sweden’s Coop grocery store brand. This latest attack, carried out by the infamous Russia-based REvil criminal gang, is a watershed moment in that it combines ransomware with a so-called supply chain attack.
How the REvil Ransomware Attack on Kaseya Happened
Details of the REvil ransomware attack on Kaseya started to emerge as early as Friday afternoon. To propagate the ransomware, the attackers exploited a vulnerability in Kaseya’s VSA servers and then used VSA’s own software-update mechanism to push it out. Kaseya develops software used to manage business networks and devices and sells these tools to MSPs, who in turn contract with organizations that either don’t want to or can’t manage their IT infrastructure themselves, typically SMBs.
By leveraging Kaseya’s trusted distribution mechanism, the REvil attackers could effectively sit back and watch the cascade through Kaseya’s clients, with the MSPs inadvertently distributing the malware to their own end customers and thereby amplifying the scale and reach of the attack.
The epicenter of the attack surface was Kaseya VSA (Virtual System Administrator), the software Kaseya customers use to monitor and manage their infrastructure. As is increasingly the case with this type of product, it is delivered either as a hosted cloud service by Kaseya or as on-premises VSA servers. In this cyberattack, the on-premises VSA servers were hosted by MSPs who then provided onward service to their end clients.
Compromising the channel through which code is distributed as updates is known as a supply chain attack, and this one is similar in nature to the SolarWinds attack. The malicious update in the Kaseya attack went out on Friday, July 2, to fewer than 60 customers. The scale of the attack grew because approximately 30 of those customers were MSPs with hundreds of end-user customers of their own. It remains unclear whether the attackers exploited the vulnerability all the way up the chain into Kaseya’s own central systems. From emerging reports, the more likely scenario is that the hackers exploited individual VSA servers managed by MSPs and pushed the malicious updates out from there to the MSPs’ customers.
Why Microsoft Windows Defender Didn’t Defend
By extension, the REvil attackers also reached the VSA agent applications running on the Windows devices of those MSPs’ customers. VSA “working folders” typically operate as a trusted walled garden on those machines: malware scanners and other security tools are configured to ignore whatever the agent does there, which gave the attackers valuable cover. Any directory excluded from scanning is a place where a file dropped by a compromised management agent will run without ever being inspected.
The sequence appears to have been that once the malware was deposited, it ran a series of commands to hide its activity from Microsoft Defender, the malware-scanning tool built into Windows. The final step was that the malware had the Kaseya update process run a legitimate but expired (long-superseded, still validly signed) version of Microsoft’s Antimalware Service Executable, a component of Windows Defender.
Attackers can abuse this expired version through DLL sideloading: the executable loads a library by file name from its own directory, so a malicious DLL placed beside it is loaded and executed inside a signed Microsoft process, slipping past Windows Defender in plain sight. Once that control was asserted, the malware began encrypting files on the victims’ machines. The code also appears to have taken steps to make it harder for victims to recover from data backups.
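The chain described above (Defender protections switched off, a Defender binary launched from a management agent’s working folder, backups tampered with) leaves a recognizable trail in process-creation telemetry. The following Python is an added example, not code from the article, from Kaseya or from any vendor: it runs three simple rules over constructed sample log lines. It assumes Defender’s Antimalware Service Executable is named MsMpEng.exe and is normally started by the Service Control Manager from one of two Microsoft-installed directories, that the PowerShell cmdlet Set-MpPreference with a -Disable* switch is what “hiding from Defender” looks like, and that vssadmin shadow-copy deletion is the backup-tampering step. The folder C:\VSA\working, the file agent.exe and the timestamps are made up for the sample.

```python
"""Detection sketch for the Defender-evasion chain described in the article.

Added example: scans constructed process-creation events (not real telemetry)
for (1) Defender preferences being switched off, (2) Defender's Antimalware
Service Executable (assumed name: MsMpEng.exe) started from an unexpected
directory or by an unexpected parent, the precondition for DLL sideloading,
and (3) shadow-copy deletion.  Paths under C:\\VSA\\working are fictitious.
"""
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    rule: str
    line: str


# Assumption: Defender's service binary lives under one of these directories.
EXPECTED_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

# "Set-MpPreference -Disable<Feature> $true" turns a Defender protection off.
DISABLE_PREF_RE = re.compile(r"set-mppreference\b.*?-disable\w+\s+\$?true", re.I)
# Deleting shadow copies removes the local restore points victims would use.
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# Capture the directory MsMpEng.exe was launched from.
MSMPENG_RE = re.compile(r"^(?P<dir>.*\\)msmpeng\.exe$", re.I)

# Constructed sample, one event per line:
# "<timestamp> <parent image> -> <image> : <command line>"
SAMPLE_LOG = [
    "2021-07-02T14:03:11Z C:\\Windows\\System32\\services.exe -> "
    "C:\\Program Files\\Windows Defender\\MsMpEng.exe : MsMpEng.exe",
    "2021-07-02T14:05:40Z C:\\VSA\\working\\agent.exe -> "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe : "
    "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
    "-DisableIOAVProtection $true",
    "2021-07-02T14:05:42Z C:\\VSA\\working\\agent.exe -> "
    "C:\\VSA\\working\\MsMpEng.exe : MsMpEng.exe",
    "2021-07-02T14:06:01Z C:\\VSA\\working\\MsMpEng.exe -> "
    "C:\\Windows\\System32\\vssadmin.exe : vssadmin.exe Delete Shadows /All /Quiet",
    "2021-07-02T14:10:00Z C:\\Windows\\explorer.exe -> "
    "C:\\Windows\\System32\\notepad.exe : notepad.exe",
]


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one sample line into (timestamp, parent image, image, command line)."""
    timestamp, rest = line.split(" ", 1)
    parent, rest = rest.split(" -> ", 1)
    image, cmdline = rest.split(" : ", 1)
    return timestamp, parent.strip(), image.strip(), cmdline.strip()


def analyze(lines: List[str]) -> List[Finding]:
    """Apply the three rules and return findings in log order."""
    findings: List[Finding] = []
    for line in lines:
        _, parent, image, cmdline = parse_line(line)

        if DISABLE_PREF_RE.search(cmdline):
            findings.append(Finding("defender_pref_disabled", line))

        m = MSMPENG_RE.match(image)
        if m:
            # A genuine Defender service start comes from the SCM and from
            # a Microsoft-installed directory; anything else suggests a copied
            # binary being used as a sideloading host.
            in_expected_dir = m.group("dir").lower().startswith(EXPECTED_DEFENDER_DIRS)
            started_by_scm = parent.lower().endswith("\\services.exe")
            if not (in_expected_dir and started_by_scm):
                findings.append(Finding("antimalware_service_outside_expected_dir", line))

        if SHADOW_RE.search(cmdline):
            findings.append(Finding("shadow_copies_deleted", line))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.line}")
```

On the sample, the first line (Defender started normally by services.exe) and the last line produce nothing; the three middle lines each trip one rule. The point of the second rule is that a signed, legitimate binary is not suspicious by itself; its location and parent are what distinguish normal operation from a sideloading host dropped into an excluded folder.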
Over the weekend, security researchers around the world began piecing together how the attackers built from their initial beachhead to the ultimate scale and breadth of the attack.
The Timing of the REvil Ransomware Attack on Kaseya Was Unfortunate — and Intentional
The timing of the REvil ransomware attack on Kaseya appears to have been doubly unfortunate for Kaseya and its clients as security researchers had already identified the underlying vulnerability in the Kaseya update system. The Dutch Institute for Vulnerability Disclosure was working with Kaseya to develop and test patches for the flaw. According to reports, the fixes were close to being released but hadn’t yet been deployed when the Russian REvil hackers struck.
Commenting on this latest attack, Sean Gallagher, a senior threat researcher at Sophos stated, “What’s interesting about this and concerning is that REvil used trusted applications in every instance to get access to targets. Usually, ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords.” Going further, he went on to say, “This is a step above what ransomware attacks usually look like.”
According to various reports, the scramble to react in the last few days has seen the number of VSA servers exposed on the open internet drop from 2,200 to fewer than 140, as MSPs follow Kaseya’s advice and take these servers offline. Law enforcement in the U.S. has also been scrambling. “Although the scale of this incident may make it so that we are unable to respond to each victim individually, all information we receive will be useful in countering this threat,” the FBI said in a statement on Sunday.
It seems clear that REvil planned the attack on Kaseya to coincide with the long 4th of July weekend in the U.S., on the correct assumption that fewer eyes would be on computer systems over the holiday. “Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat,” the agencies wrote in a public notice Sunday.
REvil Continues Its Ransomware Attacks — and There’s Financial Incentive to Do So
REvil (Ransomware Evil, also known as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation and is thought to be the same Russian-language group that was behind the attack on meat processor JBS. The group posted a $70 million demand on its dark web leak site, to be paid in Bitcoin, and said that on receipt of the money it would publish a universal decryptor that unlocks the victims’ files.
“It’s a mistake to think of this in terms of REvil alone, it’s an affiliate actor over which the core REvil team will have limited control,” says Brett Callow, a threat analyst at the antivirus firm Emsisoft.
Why is REvil being so bold? As my colleagues here at Futurum, Shelly Kramer and Fred McClimans, have discussed a number of times in their Futurum Tech Webcast Cybersecurity Shorts series, the REvil group doesn’t work alone: it licenses its ransomware to a network of affiliates who run their own operations and give REvil a percentage of the ransom money received. The business model requires the group to keep generating attacks to show a return, and their Ransomware as a Service offering makes that easy for other threat actors.
The Far-Ranging Impact of the Kaseya Attack
In an interview with the Associated Press, Kaseya chief executive Fred Voccola estimated the number of affected companies to be in the low thousands, made up almost entirely of small businesses. In an update on its website Monday, the company said “fewer than 1,500 downstream businesses” had been affected.
Jake Williams, chief technical officer of the cybersecurity firm BreachQuest, remarked “Given the relationship between Kaseya and MSPs, it’s not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming.”
With at least 17 countries affected, what is emerging is the sheer scale of the attack. The most high-profile victim, the Swedish Coop supermarket chain, was forced to shutter more than half of its 800 supermarkets over the weekend because the malware crippled its cash registers. Some Coop stores remained closed on Monday, while others were able to open by letting customers pay through an app called Scan and Pay. Experts predict it could take weeks for businesses affected by the ransomware attack to recover. In Coop’s case, the company’s payment provider must physically go to each store and manually restore the payment machines from backups; with 800 stores, that is going to take a lot of manpower.
Also impacted were more than 100 New Zealand kindergartens. Given this global scale and the way the attack rippled out via MSPs serving hundreds of SMB clients, the full scale of the attack will be hard to entirely quantify.
The geopolitical fallout from this attack is still unclear, with Anne Neuberger, deputy national security adviser for cyber and emerging technology, saying in a statement Sunday that President Biden had “directed the full resources” of the government to investigate the attack. On Sunday, the White House said it was reaching out to victims of the outbreak “to provide assistance based upon an assessment of national risk.” With President Biden having only recently met Russian leader Vladimir Putin, and this topic front and center in their talks, I can only imagine we have not heard the last of the fallout.
As security compliance and protecting yourself from cyberattacks become more onerous, I envisage more SMBs moving to as-a-service models. With that shift, attackers’ focus moves to the top of the pyramid, as we have seen with the Kaseya and SolarWinds attacks. Securing CI/CD pipelines and software distribution channels (signed and verified updates, management servers kept off the open internet, and agent folders that are monitored rather than excluded from scanning) will need to become a focus area for software companies and MSPs alike if this attack vector is to be brought under control.
I completely agree with Kenneth White, founder of the Open Crypto Audit Project when he says “For smaller or insufficiently resourced organizations it sometimes makes sense to offload the heavy lifting to the experts, but that trust brings with it an obligation to have the most stringent defenses and detection possible by the service provider, because they control the crown jewels, literally the keys to the kingdom. It’s breathtaking, really.” It’s breathtaking, easily overwhelming, and, unfortunately, certain to continue.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.