REvil Supply Chain Ransomware Attack Against Kaseya VSA and Multiple Managed Service Providers
On Friday 2 July 2021, Kaseya reported that its VSA Remote Monitoring and Management software had been compromised to distribute REvil ransomware to multiple managed service providers running the software, potentially infecting an unspecified number of endpoints across its 40,000-strong installed customer base.
The malware appears to have been delivered through an automatic update of the Kaseya VSA client management and monitoring software. According to Kaseya, only VSA software running on on-premise servers is affected; the SaaS version remains unaffected. Kaseya has issued a security advisory warning its customers to immediately shut down their on-premise VSA servers to prevent the attack from spreading.
Managed Malware Delivery
The researchers’ current breakdown of the attack shows that the outbreak was delivered via a malicious update payload pushed to VSA servers and, in turn, to the VSA agent applications running on managed Windows devices.
This was achieved using a zero-day exploit of the server platform, for which Kaseya was rushing out a patch. The vulnerability gave REvil cover in several ways: it allowed initial compromise through a trusted channel, and it leveraged trust in the VSA agent code, reflected in the anti-malware exclusions that Kaseya requires for its application and agent “working” folders. Anything executed by the Kaseya Agent Monitor was therefore ignored because of those exclusions, which allowed REvil to deploy its dropper without scrutiny.
More details on the anatomy of the attack can be found at:
REvil recruits affiliates to distribute the ransomware on its behalf and is thought to be based in Russia, since the group does not target Russian organisations.
The ransomware code used by REvil resembles that used by DarkSide, suggesting that DarkSide could be a partner of REvil. REvil and DarkSide use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.
Cybersecurity experts believe REvil is an offshoot of the notorious but now-defunct GandCrab gang: REvil first became active directly after GandCrab shut down, and the two ransomware families share a significant amount of code.
Ensign has stepped up monitoring and checks to ensure the security of our clients. Ensign’s managed detection and response and AI-based cyber analytics can help clients detect and prevent the execution of ransomware. Our Managed Security Services are unaffected by the compromise of Kaseya VSA. Ensign will continue to provide updates on the incident and inform you of additional recommendations.
- Users of Kaseya VSA should immediately shut down their VSA servers until further notice from Kaseya; existing customers are encouraged to obtain the “Compromise Detection Tool” by sending an email to firstname.lastname@example.org to begin the recovery process if impacted
- Scan your endpoints/network for indicators of compromise (IOC)
- Enable tamper protection for Windows Defender because the ransomware attempts to disable Windows Defender - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide
- Refer to CISA’s recommendations to review your systems and apply mitigating measures that reduce the risk of compromise by ransomware
- Implement security solutions to segregate and protect your environment (e.g. firewalls, proxies, web filtering, mail filtering, endpoint detection and response)
- Maintain a ransomware-resilient backup strategy with at least a copy offline
- Keep systems fully patched
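The two Defender weaknesses this advisory turns on, anti-malware exclusions on the agent “working” folders and tamper protection being switched off, can be audited on a managed Windows endpoint with the script below. It is an added example written for this page, not code from Ensign or Kaseya; the folder-name patterns in $ExclusionPatterns are an assumption and should be replaced with the exclusion paths your RMM vendor actually documents.

```powershell
# Added example (not from Ensign or Kaseya): audit Microsoft Defender on a
# managed Windows endpoint for (1) exclusions that let anything dropped into an
# RMM agent's working folders run unscanned and (2) tamper protection being off,
# which lets ransomware disable Defender before encrypting.
# Run in an elevated PowerShell session on a host with the Defender module.
param(
    # Assumption: adjust to the folder names your RMM vendor requires excluding.
    [string[]]$ExclusionPatterns = @('kaseya', 'kworking')
)

function Get-DefenderExposure {
    param([string[]]$Patterns)

    $pref   = Get-MpPreference        # configured exclusions and switches
    $status = Get-MpComputerStatus    # live engine state, incl. tamper protection

    # Flatten path, process and extension exclusions into one list.
    $exclusions = @()
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($pref.$kind)) {
            if ($value) { $exclusions += [pscustomobject]@{ Kind = $kind; Value = $value } }
        }
    }

    # Flag exclusions whose value contains any RMM-related pattern (case-insensitive).
    $suspect = $exclusions | Where-Object {
        $v = $_.Value
        @($Patterns | Where-Object { $v -match [regex]::Escape($_) }).Count -gt 0
    }

    [pscustomobject]@{
        TamperProtected      = $status.IsTamperProtected
        RealTimeProtectionOn = -not $pref.DisableRealtimeMonitoring
        TotalExclusions      = $exclusions.Count
        RmmRelatedExclusions = @($suspect)
    }
}

$report = Get-DefenderExposure -Patterns $ExclusionPatterns
$report | Format-List

if (-not $report.TamperProtected) {
    Write-Warning 'Tamper protection is OFF: enable it per the Microsoft guidance linked above.'
}
if ($report.RmmRelatedExclusions.Count -gt 0) {
    Write-Warning 'RMM working-folder exclusions present: files dropped there execute without scanning.'
    $report.RmmRelatedExclusions | Format-Table -AutoSize
}
```

Exclusions the vendor genuinely requires cannot simply be removed, so treat a non-empty RmmRelatedExclusions list as a prompt to compensate with tamper protection, EDR visibility on those folders and tight control of who can push agent updates.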
Please contact us for further assistance if required, or for further advice on how to strengthen your security posture against similar incidents. Contact us at email@example.com for more information.