On 2 July, the threat actors behind REvil, also known as Sodinokibi, launched a massive ransomware attack targeting users of Kaseya\u2019s remote monitoring and management service, VSA. In this supply chain attack, the actors exploited a zero-day vulnerability in Kaseya\u2019s software to deploy ransomware on nearly 1500 company networks.1<\/sup> Kaseya stated that the attack compromised only customers of the on-premises version of VSA and that there is no evidence that it compromised SaaS customers.<\/p>\n After the attack, the actors stated the following on their blog: \u201cOn Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor \u2013 our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.\u201d2<\/sup><\/p>\n In June 2019, we published a report3<\/sup> on Sodinokibi\/REvil. At the time, it was a relatively new ransomware-as-a-service (RaaS), and it appeared to be one of the ransomware families filling a void left by the discontinuation of the popular ransomware Gandcrab. REvil was first identified in the wild on 17 April 2019, when threat actors exploited a vulnerability in Oracle WebLogic to install Sodinokibi on susceptible web servers.2<\/sup> Like Gandcrab, REvil uses an affiliate revenue system where threat actors sign up as affiliates, start using the ransomware for no initial fee, and share a percentage of their profits.<\/p>\n As we noted in 2019, the fact that REvil is freely available means its distribution methods vary from one\u00a0 threat actor to another. Even in 2019, REvil affiliates had distributed the ransomware by compromising MSPs, distributing malicious spam emails, and hacking websites that host downloadable executables to replace the legitimate software with copies of REvil.4<\/sup><\/p>\n Sophos reported that the actors delivered the ransomware to VSA servers via a malicious update, and the update employed a zero-day exploit of the server platform to deploy the ransomware to the managed Windows machines. According to Sophos, this approach gave the threat actors the advantages of 1) compromising the downstream companies by abusing the trusted VSA service, and 2) avoiding being stopped by antivirus software (AV), because VSA requires that several folders as well as the Kaseya executables be excluded from AV monitoring.<\/p>\n Upon receiving the malicious update, the VSA agent wrote an encoded malicious payload into its working directory, C:\\KWORKING\\. The agent then ran several Windows shell commands, which repeatedly pinged localhost, acted as a sleep function, and delayed the upcoming commands for approximately 90 minutes.<\/p>\n The agent then ran a PowerShell command that disabled Microsoft Defender\u2019s anti-malware and anti-ransomware protections. At this point, the agent made a copy of certutil.exe, the Windows certificate utility that can download and decode content, and used the executable to decode the previously downloaded payload.<\/p>\n Sophos reported that the payload had a valid certificate but that it \u201cmay be stolen or fraudulently obtained\u201d and that the payload was compiled a day before the attack, on 1 July. After the agent decoded the payload, the final shell command launched the malicious payload and the ransomware began to deploy. The report noted that due to mass deployment, the attack made no effort to exfiltrate any data.<\/p>\n Kaseya recommends taking all on-premises VSA servers offline until further notice. Also, Kaseya has stated that they are actively working on a patch and hope to deploy it by 7 July. Finally, Kaseya has released a compromise detection tool that will help determine whether any IoCs are present on a system.5<\/sup><\/p>\n Infoblox recommends backing up data and systems regularly to minimize the potential impact of ransomware in general, as well as practicing restoring from backups. Ideally, backups should be stored off the network.<\/p>\n Also, beware of scams looking to take advantage of this attack. Malwarebytes has already reported on a malspam phishing campaign that allegedly delivers a patch for the vulnerability exploited by the REvil threat actors.6<\/sup> In reality, the email attachment drops CobaltStrike, a legitimate penetration-testing tool that threat actors abuse to deploy a program named Beacon. Beacon enables them to perform advanced post-exploitation functions, such as command execution, key logging, file transfer, privilege escalation, port scanning, and lateral movement.<\/p>\n\u00a0\u00a0\u00a0\u00a0\u00a0 2. REvil\/Sodinokibi Background<\/h3>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 3. Kaseya Attack Analysis<\/h3>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3.1. Malicious Software Update<\/h4>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3.2. Ransomware Deployment<\/h4>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 4. Prevention and Mitigation<\/h3>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 5. Indicators of Compromise<\/h3>\n