Up to 1,500 companies infected with one of the worst ransomware attacks ever

As many as 1,500 companies around the world have been infected with highly destructive malware that first hit software maker Kaseya. In one of the worst ransomware attacks ever, the malware, in turn, used that access to bring down Kaseya’s customers.

The attack struck Friday afternoon in the run-up to the three-day Independence Day weekend in the United States. Hackers affiliated with REvil, one of the fiercest ransomware gangs, exploited a zero-day vulnerability in the Kaseya VSA remote management service, which the company says is used by 35,000 customers. REvil’s affiliates then used their control of Kaseya’s infrastructure to deliver a malicious update to customers, who are primarily small and medium-sized businesses.

Continuous escalation

In a statement released on Monday, Kaseya said about 50 of its customers were compromised. From there, according to the company, 800 to 1,500 businesses run by those Kaseya customers were infected. REvil’s dark web site claimed more than a million targets were infected in the attack, and the group demanded $70 million for a universal decryptor.

The REvil site had been updated to remove an image allegedly showing hard drives with 500 GB of data locked. Ransomware groups often remove information from their sites after ransom negotiations have started, as a sign of good faith. This is what the image looked like before:

(Image: Cybereason)

“It is not a good sign that a ransomware gang has a zero-day in a product widely used by managed service providers, and it shows the continued escalation of ransomware gangs, which I have written about before,” wrote security expert and independent researcher Kevin Beaumont.

The mass attack had cascading effects around the world. Swedish supermarket chain Coop was still trying to recover on Tuesday after closing about half of its 800 stores because point-of-sale and self-service checkouts stopped working. New Zealand schools and kindergartens have also been affected, as have some public administration offices in Romania. German cybersecurity watchdog BSI said on Tuesday it was aware of three IT service providers in Germany that were affected. The map below shows where the security company Kaspersky detected infections.


REvil has earned a reputation as a ruthless and sophisticated group, even in the notoriously brazen ransomware circles. Its most recent big-game victim was meat packaging giant JBS, which in June shut down much of its international operations after ransomware crippled its automated processes. JBS ultimately paid REvil affiliates $11 million.

Previous victims of REvil include Taiwanese electronics multinational Acer in March, as well as an attempt in April to extort Apple following an attack on one of its business partners. REvil is also the group that hacked Grubman Shire Meiselas & Sacks, the celebrity law firm that represented Lady Gaga, Madonna, U2 and other prominent artists. When REvil asked for $21 million in exchange for not publishing the data, the law firm allegedly offered $365,000. REvil responded by increasing its demand to $42 million and later releasing a 2.4 GB archive containing legal documents relating to Lady Gaga.

Other victims of REvil include Kenneth Copeland, SoftwareOne, Quest, and Travelex.

Surgical precision

This weekend’s attack was carried out with near-surgical precision. According to Cybereason, REvil affiliates first gained access to the targeted environments and then used a zero-day in Kaseya Agent Monitor to gain administrative control over the target’s network. After writing a base64-encoded payload to a file named agent.crt, the dropper decoded and executed it.

Here is the sequence of the attack:

(Image: attack sequence diagram, Cybereason)

The ransomware dropper, Agent.exe, is signed with a trusted Windows certificate whose holder name is “PB03 TRANSPORT LTD”. By digitally signing their malware, attackers are able to suppress many of the security warnings that would otherwise appear during its installation. Cybereason said the certificate appears to have been used exclusively by the REvil malware deployed during this attack.

To add stealth, the attackers used a technique called DLL side-loading, which places a spoofed malicious DLL in a Windows WinSxS directory so that the operating system loads the spoof instead of the legitimate file. In this case, Agent.exe drops an outdated version of “msmpeng.exe”, the Windows Defender executable, which is vulnerable to DLL side-loading.

Once executed, the malware modifies firewall settings to allow discovery of local Windows systems. Then it starts to encrypt the files on the system and displays the following ransom note:

(Image: ransom note, Cybereason)
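The chain described above leaves a handful of host-level artifacts a defender can triage for: a .crt file that holds a base64-encoded executable rather than a certificate, a binary signed under the “PB03 TRANSPORT LTD” holder name, and a copy of msmpeng.exe outside the Windows Defender install directory. The following scanner is an added example, not code from the article or from Cybereason or Kaseya. It runs over a constructed in-memory file listing and a constructed signer lookup so it works offline; the Defender directory path, the sample paths and the sample file contents are assumptions.

```python
"""Added detection example: flag host artifacts consistent with the dropper
chain described in the article (agent.crt payload, dropper signed as
"PB03 TRANSPORT LTD", msmpeng.exe planted for DLL side-loading).
File contents and the signer lookup below are constructed for offline use."""
import base64
import binascii
from pathlib import PureWindowsPath

# Indicators taken from the article's description of the attack
SUSPECT_SIGNER = "PB03 TRANSPORT LTD"
SIDELOAD_HOST = "msmpeng.exe"
PAYLOAD_NAME = "agent.crt"
# Assumption: the legitimate Windows Defender install directory (not stated on the page)
DEFENDER_DIR = PureWindowsPath(r"C:\Program Files\Windows Defender")


def looks_like_base64_pe(data: bytes) -> bool:
    """True when a .crt file's bytes are a bare base64 blob that decodes to a
    PE image ("MZ" header) instead of the PEM certificate a .crt should hold."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return False  # ordinary PEM certificate, not interesting here
    try:
        decoded = base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded[:2] == b"MZ"


def scan(files: dict, signers: dict) -> list:
    """Return (path, reason) tuples for every file matching an indicator.

    files:   {windows_path: file_bytes}
    signers: {windows_path: certificate holder name} from an Authenticode check
             performed elsewhere (constructed here)."""
    findings = []
    for raw_path, content in files.items():
        path = PureWindowsPath(raw_path)
        name = path.name.lower()
        if name == PAYLOAD_NAME and looks_like_base64_pe(content):
            findings.append((raw_path, "base64-encoded PE stored as a .crt file"))
        if signers.get(raw_path, "").upper() == SUSPECT_SIGNER:
            findings.append((raw_path, f"signed by {SUSPECT_SIGNER}"))
        # PureWindowsPath compares case-insensitively, as Windows does
        if name == SIDELOAD_HOST and path.parent != DEFENDER_DIR:
            findings.append((raw_path, "msmpeng.exe outside the Windows Defender directory"))
    return findings


# Constructed sample data: a 64-byte stub with a DOS "MZ" header stands in for a PE
PE_STUB = b"MZ" + b"\x00" * 62
SAMPLE_FILES = {
    r"C:\example\agent.crt": base64.b64encode(PE_STUB) + b"\r\n",
    r"C:\example\Agent.exe": PE_STUB,
    r"C:\example\MsMpEng.exe": PE_STUB,
    r"C:\Program Files\Windows Defender\MsMpEng.exe": PE_STUB,
    r"C:\example\server.crt": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
}
SAMPLE_SIGNERS = {
    r"C:\example\Agent.exe": "PB03 TRANSPORT LTD",
    r"C:\example\MsMpEng.exe": "Microsoft Windows",
    r"C:\Program Files\Windows Defender\MsMpEng.exe": "Microsoft Windows",
}

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_FILES, SAMPLE_SIGNERS):
        print(f"{path}: {reason}")
```

Findings are triage leads, not verdicts: Windows also keeps legitimate copies of MsMpEng.exe under the Defender platform directory in ProgramData, so a hit on the third check should be confirmed against the file's signature and hash rather than acted on alone.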

Kaseya said all attacks discovered to date have targeted its on-premises product.

“All on-premises VSA servers should continue to remain offline until Kaseya tells you when it is safe to restore operations,” the company said in a notice. “A patch will need to be installed before restarting the VSA, along with a set of recommendations on how to increase your security level.”

The company said it found evidence that one of its cloud clients had been compromised.

REvil affiliates exploited a zero-day vulnerability that Kaseya was days away from fixing when the attack hit. The vulnerability, tracked as CVE-2021-30116, was discovered by researchers at the Dutch Institute for Vulnerability Disclosure, which said its researchers had privately reported the flaw and were monitoring Kaseya’s progress in fixing it.

Kaseya “has shown a real commitment to doing the right thing,” wrote representatives of the institute. “Unfortunately, we were beaten by REvil in the final sprint, because they could exploit the vulnerabilities before customers could even patch.”

The event is the latest example of a supply chain attack, in which hackers infect the supplier of a widely used product or service with the aim of compromising downstream customers who use it. In this case, the hackers infected Kaseya’s customers and then used this access to infect the businesses that received Kaseya’s service.

The SolarWinds compromise discovered in December was another supply chain attack. It used SolarWinds’ compromised software build infrastructure to distribute a malicious update to 18,000 organizations that were using the company’s network management tool. About nine federal agencies and 100 private organizations received follow-on infections.

Anyone who suspects that their network has been affected in any way by this attack should investigate immediately. Kaseya has released a tool that VSA customers can use to detect infections in their networks. The FBI and the Cybersecurity and Infrastructure Security Agency have jointly issued recommendations for Kaseya customers, especially if they have been compromised.
