REvil demands $70 million ransom after Kaseya supply chain attack

The cyber gang claims it’s infected “more than a million systems” after exploiting a zero-day flaw in VSA

REvil has infected more than 40 customers of IT management software firm Kaseya in a SolarWinds-style supply chain attack in which ransomware was distributed  through a malicious update.

Kaseya revealed this weekend that its cloud-based IT management and remote monitoring product VSA had been compromised, but that the attack affected a small number of its on-premises customers only. The number of victims is estimated to be roughly 40, according to the firm.

The cyber gang exploited a zero-day vulnerability to remotely access internet-facing VSA servers. Given this software is used by many Managed Service Providers (MSPs), this route of entry also gave them a route into these MSP’s customers. Kaseya was targeted because a key functionality of VSA is to push software and automated IT tasks on request, without checks. 

The hackers responsible are now issuing varying ransom demands to its victims. REvil is demanding $44,999 from victims if their endpoint has been hit, according to Sophos security researcher Mark Loman. The group, meanwhile, is demanding a sum of $70 million to publish the universal decryptor, while boasting that it’s infected a million devices.

Looking beyond the 40 victims that Kaseya suggests REvil has claimed, Huntress Labs claims that more than 1,000 businesses have had servers and workstations encrypted, including MSPs. 

The response to the attack has been stark, with businesses served by the VSA product cutting off their servers from access to the internet. According to Dutch security firm DIVD CSIRT, the number of reachable VSA instances dropped from the norm of 2,200 to less than 140 as of Sunday. 

The company confirmed that a DIVD researcher, Wietse Boonstra, had previously identified a zero-day flaw, tracked as CVE-2021-30116, which is now being used in the ransomware attack. This flaw was discovered as part of a wider research project in which the firm is examining flaws in tools for system administrators in products such as Vembu BDR, Pulse VPN and Fortinet VPN.

“After this crisis, there will be the question of who is to blame,” the company said in a blog post. “From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. 

Related Resource

The care and feeding of cloud

How to support cloud infrastructure post-migration

How to support cloud infrastructure post-migration - webinar from Trend MicroWatch now

“When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Kaseya executives are meeting again today to discuss bringing its data centres online, with a scheduled restoration date and time of 5 July “by the end of the day” local time (UTC). That timeframe is dependent on achieving some key objectives, however.

Once the software as a service (SaaS) data centres have been restored, Kaseya will publish the schedule for distributing its patch for on-premise customers

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

14 Oct 2021
Senator to introduce new bill to force ransomware payment disclosures
ransomware

Senator to introduce new bill to force ransomware payment disclosures

6 Oct 2021
Two-thirds of organizations have fallen victim to ransomware
ransomware

Two-thirds of organizations have fallen victim to ransomware

29 Sep 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Supply chain breaches impacted 97% of firms in the past year
supply chain management (SCM)

Supply chain breaches impacted 97% of firms in the past year

12 Oct 2021