UPDATED: Kaseya hijacked, thousands attacked by REvil, fix delayed again

Malwarebytes does not use Kaseya products. Malwarebytes detects the REvil ransomware used in this attack as Sodinokibi.

Latest updates

Shutdown Kaseya VSA immediately

A severe ransomware attack reportedly taking place now against the popular Remote Monitoring and Management software tool Kaseya VSA has forced Kaseya into offering urgent advice: Shutdown VSA servers immediately.

“We are experiencing a potential attack against the VSA that has been limited to a small
number of on-premise customers only as of 2:00 PM EDT today,” Kaseya wrote on Friday afternoon.

“We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.

It’s critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA.”

The attack is reportedly delivered through a Kaseya VSA auto-update that maliciously pushes the Revil ransomware onto victims’ machines. Kaseya is a popular software developed for Managed Service Providers that provide remote IT support and cybersecurity services for small- to medium-sized businesses that often cannot afford to hire full-time IT employees, due to their limited size or budgets.

Complicating the attack is the fact that, according to cybersecurity researcher Kevin Beaumont, the malicious update carries administrator rights for clients’ systems, “which means that Managed Service Providers who are infected then infect their client’s systems.”

For a company that says it has 40,000 customers, this could be a disaster.

During the attack, the cybercriminals reportedly shut off administrative access to VSA, and several protections within Microsoft Defender are disabled, including Real-Time Monitoring, Script Scanning, and Controlled Folder Access.

A screenshot from Malwarebytes reveals a ransom note delivered to an infected Windows machine. In the note, attackers warn:

"|---=== Welcome. Again. ===---

[-] Whats HapPen? [-]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7pc78r01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you can't return your data (NEVER)."

Malwarebytes customers are currently protected from REvil, as shown in the screenshots below, and Malwarebytes is committed to continuing this protection. (Malwarebytes detects REvil as Sodinokibi)

We will update this post with more information as it becomes available, but the immediate guidance from Kaseya cannot be overstated: Shutdown VSA servers immediately.

Update July 3, 2021

Kaseya has released a new statement confirming they were the victim of a sophisticated cyberattack. At this time they are still urging customers to keep their on-premise VSA servers offline.

According to Bloomberg two of the affected managed service providers (MSPs) are Synnex Corp. and Avtex LLC. While Kaseya is a US-based company, some of of the MSPs’ customers are businesses in Europe. According to the BBC, Swedish supermarket chain Coop had to close more than 400 stores on Friday after the point-of-sale terminals and checkouts stopped working.

Victims of this attack would have downloaded a malicious update called ‘Kaseya VSA Agent HotFix’ which was in fact meant to disable Windows Defender and push the file encryptor payload.

Update July 4, 2021, 5:00 am, PT

More details of the vast scope of the attack have emerged. Huntress has been maintaining a comprehensive Reddit thread on the incident since Friday. In an accompanying blog post, the organization says it is tracking about 30 MSPs in four continents “where Kaseya VSA was used to encrypt well over 1,000 businesses”.

One of the affected organizations is St Peter’s School, Cambridge, New Zealand, which has confirmed that it is one of eleven schools in the country affected by this supply-chain attack.

Security company HuntressLabs has analyzed the original attack vector and believes a REvil/Sodinokibi affiliate exploited a zero-day for an authentication bypass in the Kaseya’s web interface.

Today, Victor Gevers of the Dutch Institute for Vulnerability Disclosure (DIVD) revealed on Twitter that it was in a “coordinated vulnerability disclosure process” with Kaseya at the time of the attack.

In other words, Kaseya was aware of a problem and it was actively working to fix it. According to Gevers, this explains why on-premise version of VSA was vulnerable and the SaaS version was not. It seems that, sensibly, the SaaS version of VSA receives patches before the on-premise version.

It seems the attack was remarkably well timed. Had that process moved a little more quickly, infosec folks would now be enjoying their weekends and we’d be writing about what might have been, rather about what Gevers describes as “the single largest ransomware spree in history”.

Given the way 2021 is unfolding, we can’t help wondering how long it will keep that title.

Update: July 4, 4:00 pm, PT

Malwarebytes’ telemetry shows a major increase in Ransom.Sodinokibi (REvil) detections and not just in the US. In fact, we have a number of hits in India, France, Chile, Taiwan, Australia, Colombia and Argentina.

Update: July 4, 8:50 pm, PT

The REvil gang has claimed the attack on MSPs and is asking for $70M in exchange for a universal decryptor. In a new post on their ‘Happy Blog’ hosted on the dark web, they say that more than a million systems were infected. They also mention that the universal decryptor would help recover from the attack in less than an hour. Both claims are highly controversial.

Update: July 5, 4:30 am, PT

Kaseya has created a Compromise Detection Tool that can be download from the company’s Box account. The tool will scan VSA servers or managed endpoints and determine whether any indicators of compromise (IoC) are present. However, Kaseya says its customers should keep VSA turned off for now:

All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. 

Cado Security has created a GitHub repository of tools for DFIR professionals who are dealing with the fallout from the attack.

Update: July 5, 4:45 am, PT

DIVD reveals that Kaseya’s instruction to shutdown VSA servers, and the subsequent efforts of organizations like theirs has drastically reduced the number of Kaseya VSA instances that are reachable from the internet from “over 2,200 to less than 140” in 48 hours.

The organization also sheds a little more light on the root cause of the incident, saying “DIVD researcher, has previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks.” As we explained in an earlier update, DIVD was in the process of working with Kaseya to resolve the vulnerabilities when REvil struck. “Unfortunately, we were beaten by REvil in the final sprint.”

Ominously, it explains that this is part of a broader effort looking at the administration interfaces of tools used for system administration, saying: “we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses.”

Update: July 6, 2:45 am, PT

Reuters reports that the REvil affiliate behind the attack “has indicated a willingness to temper their demands in private conversations with a cybersecurity expert and with Reuters.” According to the news organization, the attackers told Jack Cable of the Krebs Stamos Group, that it was prepared to lower the asking price for a universal decryptor from $70 million to $50 million. A universal decryptor could be used to free all of the victims—all the customers of Kaseya’s customers—and save the attackers the bother of negotiating with each of up to 1,500 victims separately.

Ransomware gangs typically negotiate with one, or a small number of victims at a time. The REvil affiliate behind this attack may simply be unequipped to communicate with so many victims. They may also be wary of creating thousands of separate ‘paper trails’ on the Bitcoin blockchain, since cryptocurrency payments are where recent law enforcement efforts seem to have focussed. About a month ago, the DOJ recovered the majority of the ransom paid in the Colonial Pipeline attack. A week later, police in Ukraine arrested several individuals believed to be engaged in money laundering for the Cl0p ransomware group.

The question now, is whether Kaseya will pay. Reuters reports that in an interview with Kaseya CEO Fred Voccola, he responded to a question about whether the company would pay by saying “I can’t comment ‘yes,’ ‘no,’ or ‘maybe’ … No comment on anything to do with negotiating with terrorists in any way.”

Update: July 6, 3:15 am, PT

Malwarebytes Threat Intelligence has released an image showing the global scale of the event. Telemetry from Malwarebytes reveals detections for REvil on four continents following Friday’s attack.

REvil/Sodinokibi detections following the Kaseya attack

Update: July 6, 3:40 pm, PT

Malwarebytes Threat Intelligence has seen a malicious spam campaign trying to take advantage of the Kaseya VSA attack. The email asks recipients to “please install the update from Microsoft to protect against ransomware” and a carries an attachment called SecurityUpdates.exe.

Update: July 7, 8:30 am, PT

Kaseya has updated its incident page to explain that its planned update to the Kaseya VSA SaaS platform has still not taken place, due to an unspecified issue.

…during the deployment of the VSA update an issue was discovered that has blocked the release. We have not yet been able to resolve the issue

The SaaS platform’s continued unavailability is a mystery. Kaseya maintains that unlike the on-premises version of its VSA product, the SaaS platform was not vulnerable to the zero-day issue used to launch Friday’s attack. However, the SaaS platform was taken offline as a precaution and will remain so until it can be updated.

Indicators of Compromise (IoCs)

Loader

df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e

REvil/Sodinoki DLL

d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

File paths

C:\kworking\agent.exe
C:\WINDOWS\MPSVC.DLL

Additional IOCs from configuration file (source)

Process list to kill

encsvc
powerpnt
ocssd
steam
isqlplussvc
outlook
sql
ocomm
agntsvc
mspub
onenote
winword
thebat
excel
mydesktopqos
ocautoupds
thunderbird
synctime
infopath
mydesktopservice
firefox
oracle
sqbcoreservice
dbeng50
tbirdconfig
msaccess
visio
dbsnmp
wordpad
xfssvccon

Services to stop and delete

veeam
memtas
sql
backup
vss
sophos
svc$
mepocs

COMMENTS