The REvil gang has successfully exploited a flaw in the Kaseya VSA software to distribute its ransomware to hundreds of thousands of systems. The result: a disaster of unprecedented magnitude.
Cyber attacks are always launched at the most inconvenient times. As many Americans prepared for a weekend away to celebrate the Fourth of July holiday, the REvil gang decided to take action.
The Kaseya case is one of the biggest ransomware attacks of all time, the biggest since 2017. The hackers pulled off an unprecedented cascading operation: from one victim, they made thousands. First discussed on a Reddit forum, the incident was brought to light by The Record Media.
Kaseya is now working to correct the flaw used by the hackers. But addressing the vulnerability will not change the plight of the thousands of businesses affected by the ransomware. They have no choice but to decide for themselves which measures to adopt. “Due to the potential scale of the incident, the FBI and CISA may not be able to respond to each victim individually,” the American authorities conceded.
What happened?
“We recommend that you IMMEDIATELY shut down all of your VSA servers until we tell you otherwise.” On July 2, Kaseya sent this urgent message to all of its customers (more than 36,000, according to the company), as reported by The Record Media.
The VSA software in question, published by Kaseya, makes it possible to manage fleets of computers remotely. For this reason, it has a high level of privilege on the networks it monitors; that is, it can make extensive changes on every computer.
This property makes the software an ideal gateway to thousands of machines. And indeed, the operators of the REvil gang managed to break into the VSA servers remotely by exploiting a “0-day” flaw [one with no patch available, editor's note]. Then they used the access to infect hundreds of thousands of machines with their ransomware.
When ransomware is deployed on a system, it encrypts all files, making them unusable. Business email stops working, documents are no longer readable and some machines are out of service. To restore their service as quickly as possible, victims have two options: either pay the ransom demanded by the criminals in the hope of recovering a tool to decrypt their systems, or restore them from backups. The authorities unanimously advise the second, but many victims allow themselves to be tempted into paying the ransom.
How did the hackers operate?
During the first hours of the attack, several researchers wondered whether it was a “supply chain attack” along the lines of the one suffered by SolarWinds last year. In this kind of attack, hackers penetrate deep into the victim’s infrastructure in order to corrupt its software directly on the production servers. If the victim is not aware of the subterfuge, it will itself approve and distribute an infected version of its software to its clients. This theory also relied on the fact that Kaseya had apparently taken its own infrastructure offline to stop the spread of infected updates.
With three days of hindsight, several specialists such as Costin Raiu from Kaspersky or Condition Black agree in dismissing the theory of a supply chain attack. Meanwhile, DIVD, a Dutch organization specializing in vulnerability discovery, has said that it had been working with Kaseya for several weeks on resolving a “0-day” flaw, the one employed by REvil. The publisher was developing its fix at the time of the attack. Worse, it was at the last stage of validation before deployment. It must now complete the patch in the middle of a crisis.
For now, technical reports on the flaw have not yet been released. But according to the company Huntress Labs, it reportedly allows attackers to bypass the authentication steps of the Kaseya VSA web interface and then issue commands to deploy the ransomware. The malware is then hidden under the guise of a “hotfix”, that is to say a small patch of the VSA, which overrides the antivirus protections. It is also this disguise that fed the theory of a supply chain attack.
Who is the victim of the attack?
Kaseya is both the first victim of the attack and the gateway to others, as its VSA software has served as a weapon for the cybercriminals. Among the more than 36,000 customers claimed by the company are a few large groups, but above all “managed service providers” (MSPs). These companies do “outsourcing”, that is to say, they take care of the IT equipment of other companies that do not have the necessary skills internally.
The cybercriminals therefore used Kaseya’s software flaw to reach MSPs, and the MSPs themselves provide a gateway to thousands of small businesses … which probably don’t even know Kaseya exists. On day one alone, Huntress Labs counted 8 MSPs among the victims, for a total of 200 companies affected by the ransomware. It has since revised its tally to 20 MSPs and more than 1,000 affected businesses. These first figures are only partial estimates.
“Over a million” systems affected
For their part, the cybercriminals claim “more than a million” systems affected. Kaseya insists that “only a small percentage” of its customers has been affected, a number currently estimated at “less than 40”. Although the company may play down the scale of the incident, it must be borne in mind that behind each of its customers are hundreds of victims. According to DIVD, 140 VSA servers are still exposed to the internet (and therefore to attack), out of the 2,200 that it had detected before July 2. The emergency measures deployed by Kaseya at least somewhat limited the extent of the damage.
In this gigantic batch of victims, the Swedish supermarket chain Coop is one of the first to have broken the silence. On July 3, it had to close almost all of its 800 stores because cash registers were down due to ransomware. Coop is therefore only one example among thousands.
Who launched the attack?
Behind the attack is the REvil gang, also known as Sodinokibi. This group is regularly in the news and has established itself as one of the figures of the cybercriminal world. Before creating REvil, its operators had founded an already successful first group, Gandcrab. Why this detail? Because Gandcrab had succeeded in exploiting two Kaseya vulnerabilities in quick succession to deploy its ransomware, in February and June 2019 respectively. This is the third time that the two organizations have crossed paths, but this time the scale of the attack is of a completely different order.
Last month, REvil had already struck a big blow by paralyzing the food giant JBS. In the wake of the Colonial Pipeline affair, the matter had gone all the way up to the White House, which is determined to take a much more aggressive position toward cybercriminal gangs.
While Darkside was dismantled a few days after its coup against Colonial Pipeline, REvil did not suffer the same fate despite public threats made by the American authorities. Better still, the gang has gone on to launch a cyber attack on an even greater scale.
And now?
Usually, a gang infects a business and then negotiates a ransom payment with it. Except this time, REvil hit thousands of networks with its attack, an unprecedented situation. To deal with this, the group offers – from its blog – various payment methods to its victims:
- A one-time payment to unlock all systems. Announced at $70 million by the cybercriminals on July 4 (which would make it the biggest ransom in history), the price dropped to $50 million after a few hours. The proposal seems to be aimed more at Kaseya, but anyone can decide to pay. The gang pledges to make the decryption tool public and claims that “everyone will be able to recover from the attack in less than an hour”.
- A payment per MSP, up to $5 million. Each provider hit by the attack could decide to make a separate payment in the hope of getting back to business as quickly as possible. It would recover a specific decryptor for the extensions that affect the machines it is responsible for.
- A payment per victim, at $44,999. This last proposal is subject to debate: some think that it covers the recovery of only one machine, others that it allows an entire small network to be restored.
These proposals raise several questions about the capacity of REvil's operators, whose staff is limited. Can they handle hundreds of negotiations simultaneously? Can they guarantee that the one-time payment will give access to a valid decryption tool for all extensions?
In the days to come, the various investigations could answer these questions, as well as another, even more important one: how did REvil get the flaw?