Summary

On Friday (2021-07-02), the REvil ransomware group compromised managed service providers (MSPs) via their Kaseya VSA servers. It used this access to infect the customers of these MSPs with ransomware in a large-scale supply-chain attack.

Background

Kaseya VSA is a “Unified Remote Monitoring & Management” software [1]. MSPs use this software to administer customer computer systems and networks.

REvil ransomware (also known as Sodinokibi) is a ransomware-as-a-service operation active since 2019. The ransomware shares code with the now-defunct GandCrab ransomware and is thus believed to be a spin-off of GandCrab. The REvil ransomware features checks to prevent encrypting systems located in Commonwealth of Independent States (CIS) countries. This is a common theme with malware, as some CIS states do not prosecute crimes committed outside their jurisdiction, shielding criminals from repercussions as long as their malware does not infect systems in their own country.

What happened?

On Friday (2021-07-02), the REvil ransomware group launched an attack on MSPs. To this end, they exploited an SQL injection vulnerability in on-premises VSA servers [2]. They then used this access to deploy their ransomware to the customers of the compromised MSPs in a supply-chain attack.

How significant is the incident?

On 2021-07-05, the REvil ransomware group claimed on their leak site that “[m]ore than a million systems were infected”.

Figure: REvil ransomware leak site

One incident response provider says they “are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses” [2]. The total number of victims is currently unknown, but the figure of 1M infected systems claimed by REvil is very plausible.

How high is the ransom demand?

We know that the initial ransom demand for one victim was US$ 5,000,000. Later the REvil ransomware group offered a “universal decryptor” for all victims for a combined total of US$ 70,000,000 in BTC.

If current assessments are correct and REvil encrypted 1,000 businesses, why would the total ransom demand be so much lower than 1,000 times US$ 5,000,000? This is likely because the REvil ransomware group wants the money without the effort of negotiating with, and supporting the decryption process for, 1,000 individual parties. Another reason behind this offer could be settling this attack quickly to prevent larger coordinated law enforcement action against the REvil ransomware group.

Conclusion and Countermeasures

If you are a user of Kaseya VSA, follow the guidance published by Kaseya [3]: immediately shut down the on-premises VSA servers and keep them down until further notice from Kaseya. However, for organizations that were already compromised, these actions will likely come too late.

If you are a customer of an MSP, inquire about their usage of Kaseya VSA and their compromise status. However, if they are victims of this supply-chain attack, you will most likely already have noticed the adverse effects of the ransomware infection in your environment.

Hornetsecurity does not use products from Kaseya. Consequently, Hornetsecurity is not affected by the MSP supply-chain attack.

Sophisticated attacks are on the rise. It is more important than ever to implement services that ensure business continuity. Hornetsecurity’s Email Continuity Service provides a valuable solution that keeps your emails secure in the cloud when your email servers are no longer reachable because of ransomware. In addition, Hornetsecurity’s Email Archiving is an excellent and easy-to-use email archiving service that helps you recover emails in case of a ransomware infection.

References