Large-scale ransomware attack targeting IT management service 'Kaseya' indirectly impacts many companies



REvil, a cyber attack group known for its ransomware attacks on Acer and the major meat processing company JBS, launched a supply chain attack targeting the IT management service Kaseya. It appears that the chain of damage was halted thanks to Kaseya's cooperation with security companies, but the impact of the SaaS server outage has extended to many companies.

Kaseya VSA Supply-Chain Ransomware Attack | CISA
https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack

REvil ransomware hits 1,000+ companies in MSP supply-chain attack
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/

REvil is increasing ransoms for Kaseya ransomware attack victims
https://www.bleepingcomputer.com/news/security/revil-is-increasing-ransoms-for-kaseya-ransomware-attack-victims/



REvil launched the attack at noon on Friday, July 2nd local time. The timing is believed to have been chosen because people in the United States tend to work shorter hours before holidays, which would slow down their response.

The attack exploited a zero-day vulnerability in the on-premise version of Kaseya's IT environment management service 'VSA.' While some have pointed out that it was not a zero-day because a patch had not yet been provided, experts have confirmed that it was a zero-day attack, saying that the vulnerability had already been disclosed.



REvil demanded $5 million in ransom for encryption from MSPs. Initially, it demanded $44,499 from MSP customers, but depending on the victim company, it demanded $40,000 to $45,000 per extension. If the victim replied that there were 12 or more applicable extensions, it demanded $500,000 in total.

However, in this case, REvil only encrypted the network and did not steal any files.

Kaseya's help desk has advised all VSA users to shut down their VSA servers, and according to security research firm DIVD, the number of public VSA servers has dropped from more than 2,200 to fewer than 140.

Kaseya Case Update 2 | DIVD CSIRT
https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/



in Security, Posted by logc_nt