Kaseya VSA ransomware attack

On 2 July 2021, a number of managed service providers (MSPs) and their customers became victims of a ransomware attack perpetrated by the REvil group, [1] causing widespread downtime for over 1,000 companies. [2] [3] The attack was carried out by exploiting a vulnerability in VSA (Virtual System Administrator), a remote monitoring and management software package developed by Kaseya. [4]

Timeline and impact

On March 23, DIVD researcher Wietse Boonstra found six zero-day vulnerabilities in Kaseya VSA (Virtual Systems Administrator). [5] The DIVD warned Kaseya and worked together with company experts to solve four of the seven reported vulnerabilities. Despite the efforts, Kaseya could not patch all the bugs in time. [6]

The DIVD later published a blog post, "KASEYA VSA, behind the scenes", describing how the 0-days were found.

The source of the outbreak was identified within hours as Kaseya's VSA software package. [1] An authentication bypass vulnerability in the software allowed attackers to compromise VSA servers and distribute a malicious payload to the hosts managed by the software, [7] amplifying the reach of the attack. [8] In response, the company shut down its VSA cloud and SaaS servers and issued a security advisory to all customers, including those with on-premises deployments of VSA. [9]

Initial reports of companies affected by the incident include the Norwegian financial software developer Visma, which manages some systems for the Swedish supermarket chain Coop. [10] The supermarket chain had to close its 800 stores for almost a week, some of them in small villages with no other food shop. Coop did not pay a ransom; instead it rebuilt its systems from scratch after waiting for an update from Kaseya. [11]

The REvil ransomware gang officially took credit for the attack and claimed to have encrypted more than one million systems during the incident. They initially asked for a $70 million ransom payment to release a universal decryptor to unlock all affected systems. [12] On July 5, Kaseya said that between 800 and 1,500 downstream businesses were impacted in the attack. [13]

Marcus Hutchins criticized the assessment that the impact of the Kaseya attack was larger than WannaCry, citing difficulties in measuring the exact impact. [14]

After a 9 July 2021 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not. [15] [16]

On 13 July 2021, REvil websites and other infrastructure vanished from the internet. [17]

On 23 July 2021, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files. [18]

On 8 November 2021, the United States Department of Justice unsealed indictments against Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, and was arrested in Poland on 8 October. Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities. The Department worked with the National Police of Ukraine for the charges, and also announced the seizure of $6.1 million tied to ransomware payments. If convicted on all charges, Vasinskyi faces a maximum penalty of 115 years in prison, and Polyanin 145 years in prison. [19]

Related Research Articles

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard, Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Cryptovirology refers to the study of the use of cryptography in malware, such as ransomware and asymmetric backdoors. Traditionally, cryptography and its applications are defensive in nature, providing privacy, authentication, and security to users. Cryptovirology employs a twist on cryptography, showing that it can also be used offensively. It can be used to mount extortion-based attacks that cause loss of access to information, loss of confidentiality, and information leakage, outcomes which cryptography typically prevents.

Synnex was an American multinational corporation that provided information technology (IT) services to businesses. It merged with competitor Tech Data to form TD Synnex. It was founded in 1980 by Robert T. Huang and based in Fremont, California. As an information technology supply chain services company, it offered services to original equipment manufacturers, software publishers and reseller customers.

Bitdefender is a Romanian cybersecurity technology company headquartered in Bucharest, Romania, with offices in the United States, Europe, Australia and the Middle East.

Bleeping Computer is a website covering technology news and offering free computer help via its forums. It was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating systems and general technology.

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.

BadUSB is a computer security attack using USB devices that are programmed with malicious software. For example, USB flash drives can contain a programmable Intel 8051 microcontroller, which can be reprogrammed, turning a USB flash drive into a malicious device. This attack works by programming the fake USB flash drive to emulate a keyboard, which once plugged into a computer, is automatically recognized and allowed to interact with the computer, and can then initiate a series of keystrokes which open a command window and issue commands to download malware.

Monero is a cryptocurrency which uses a blockchain with privacy-enhancing technologies to obfuscate transactions to achieve anonymity and fungibility. Observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories.

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.

EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was based on a vulnerability in Microsoft networking software that the NSA had known about for several years but had not disclosed to Microsoft. When the NSA discovered in 2017 that the exploit was stolen, Microsoft was informed and released security patches in March 2017. The Shadow Brokers hacker group publicly released EternalBlue on April 14, 2017.

Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.

REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the stolen information on its "Happy Blog" page unless the ransom was received. In a high-profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of its upcoming products. In January 2022, the Russian Federal Security Service said it had dismantled REvil and charged several of its members.

Emsisoft Ltd. is a New Zealand-based, fully distributed anti-virus software company. It is notable for decrypting files encrypted by ransomware in order to restore victims' data.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.

On May 30, 2021, JBS S.A., a Brazil-based meat processing company, suffered a cyberattack, disabling its beef and pork slaughterhouses. The attack impacted facilities in the United States, Canada, and Australia.

Kaseya Limited is a company headquartered in Miami that develops software for network monitoring, system monitoring, and other information technology applications. It is majority-owned by Insight Partners and owns the naming rights to the Kaseya Center. The name of the company means "protect and defend" in the Sioux language. The company was estimated to be valued at $12 billion in April 2023.

Ransomware as a service (RaaS) is a cybercrime business model where ransomware operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators.

LockBit is a cybercriminal group offering ransomware as a service (RaaS). Software developed by the group enables malicious actors who pay to use it to carry out attacks combining two tactics: they encrypt the victim's data and demand payment of a ransom, and they also threaten to leak the data publicly if their demands are not met.

References

  1. "Une cyberattaque contre une société américaine menace une multitude d'entreprises" [A cyberattack against an American company threatens a multitude of businesses]. Le Monde (in French). 3 July 2021. Archived from the original on 11 November 2021.
  2. Newman, Lily Hay (2021-07-04). "How REvil Ransomware Took Out Thousands of Business at Once". Wired. Archived from the original on 2021-11-10. Retrieved 2021-11-12.
  3. McMillan, Robert (2021-07-04). "Ransomware Attack Affecting Likely Thousands of Targets Drags On". Wall Street Journal. ISSN 0099-9660. Archived from the original on 2021-09-28. Retrieved 2021-07-07.
  4. Osborne, Charlie (2021-07-23). "The Kaseya ransomware attack: Everything we know so far". ZDNet. Archived from the original on 2021-08-16. Retrieved 2021-11-12.
  5. Boonstra, Wietse. "Report DIVD-2021-00002 - KASEYA VSA". DIVD.
  6. "The Unfixed Flaw at the Heart of REvil's Ransomware Spree". Wired. July 8, 2021. Retrieved April 7, 2022.
  7. Hammond, John. "Rapid Response: Mass MSP Ransomware Incident". Huntress. Archived from the original on 2021-10-26. Retrieved 2021-07-24.
  8. De Vynck, Gerrit; Gregg, Aaron; Lerman, Rachel (July 6, 2021). "Ransomware attack struck between 800 and 1,500 businesses, says company at center of hack: Kaseya's software touches hundreds of thousands of firms, but company says vast majority were unaffected". The Washington Post. Retrieved July 6, 2021.
  9. Giles, Martin (3 July 2021). "A New Wave Of Ransomware Has Been Sparked By A Cyberattack On Tech Provider Kaseya". Forbes. Archived from the original on 23 September 2021.
  10. Tidy, Joe (3 July 2021). "Swedish Coop supermarkets shut due to US ransomware cyber-attack". BBC News. Archived from the original on 5 October 2021.
  11. Greig, Jonathan (July 26, 2021). "Kaseya denies paying ransom for decryptor, refuses comment on NDA". ZDNet. Archived from the original on October 3, 2021. Retrieved November 12, 2021.
  12. Tung, Liam (5 July 2021). "Kaseya ransomware attack: US launches investigation as gang demands giant $70 million payment". ZDNet. Archived from the original on 9 October 2021.
  13. Satter, Raphael (5 July 2021). "Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says". Reuters. Archived from the original on 11 November 2021.
  14. Hutchins, Marcus. "Twitter". Twitter. Retrieved 2021-07-13. "The reason some people think REvil was bigger than WannaCry is because WannaCry was so big that nobody was ever able to quantify it. The best metrics we have is unique IP addresses, but companies have 10s, 100s, or 1000s of machines behind a single IP due to NAT."
  15. "Biden tells Putin Russia must crack down on cybercriminals". AP News. July 9, 2021.
  16. Sanger, David E. (July 13, 2021). "Russia's most aggressive ransomware group disappeared. It's unclear who disabled them". The New York Times.
  17. Fung, Brian; Cohen, Zachary; Sands, Geneva (July 13, 2021). "Ransomware gang that hit meat supplier mysteriously vanishes from the internet". CNN Business.
  18. "Ransomware key to unlock customer data from REvil attack". BBC News. July 23, 2021. Retrieved July 23, 2021.
  19. "Ukrainian Arrested and Charged with Ransomware Attack on Kaseya". United States Department of Justice. November 8, 2021. Archived from the original on November 11, 2021. Retrieved November 12, 2021.