Large IT/MSP Platform Provider Hit with REvil Ransomware in Supply Chain Attack
Posted by: GuidePoint Security
Published: July 8, 2021, 11:54am
The cloud-based MSP platform provider Kaseya estimates that at least 800 to 1500 businesses have been impacted in the recent attack by the REvil ransomware gang.
The attack came to light on Friday, July 2, when the company noticed that its virtual service administrator (VSA) platform was under assault. In an early statement, the company indicated that it had shut down its software as a service (SaaS) servers out of caution. The company has since indicated that the attack leveraged previously unknown zero-day vulnerabilities in the VSA product to “bypass authentication and run arbitrary command execution,” and further stated that “This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints.” The attack chain involved deploying a malicious dropper via a PowerShell script executed through the VSA software; the criminals then substituted ransomware for a legitimate software update issued by the company. According to researchers, there is no indication that the VSA product codebase itself was maliciously modified. The company is currently working on releasing a patch for the zero-day.
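As an added example (not code from the original post, from Kaseya or from GuidePoint), the following Python sketches a defender-side triage rule for the pattern described above: a shell spawned by an RMM agent process with the launch flags typical of a silently pushed script. The agent image name rmm_agent.exe, the flag list and the sample process-creation events are all constructed assumptions.

```python
import re
from dataclasses import dataclass
# Placeholder name for the RMM agent binary; substitute the real agent image for your platform.
RMM_AGENT_IMAGES = {"rmm_agent.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Flags typical of a script pushed silently to an endpoint; each is legitimate on its own, so the
# rule scores their combination with an RMM-spawned shell rather than any single flag (assumed set).
SUSPICIOUS_FLAGS = {
    "encoded_command": re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    "policy_bypass": re.compile(r"(?i)executionpolicy\s+bypass"),
    "no_profile": re.compile(r"(?i)\s-nop(rofile)?\b"),
    "hidden_window": re.compile(r"(?i)\s-w(indowstyle)?\s+hidden"),
}

@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev: ProcEvent):  # returns (score, reasons): one point per matched indicator
    reasons = []
    if basename(ev.parent_image) in RMM_AGENT_IMAGES and basename(ev.image) in SHELL_IMAGES:
        reasons.append("shell_spawned_by_rmm_agent")
    for name, pattern in SUSPICIOUS_FLAGS.items():
        if pattern.search(ev.command_line):
            reasons.append(name)
    return len(reasons), reasons

def flag_events(events, threshold: int = 2):  # events at or above threshold deserve analyst review
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.host, score, reasons))
    return hits

def sample_events():
    # Constructed process-creation records (Sysmon Event ID 1 style), not captured telemetry.
    agent = r"C:\Program Files\RMM\rmm_agent.exe"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        ProcEvent("ws-03", agent, ps, r"powershell.exe -File C:\ProgramData\rmm\inventory.ps1"),
        ProcEvent("ws-07", agent, ps, "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -enc aGVsbG8gd29ybGQgdGhpcyBpcw=="),
        ProcEvent("ws-11", r"C:\Windows\explorer.exe", ps, "powershell.exe"),
    ]
```

Only the second constructed event crosses the threshold; the routine inventory script launched by the same agent scores one point and is left alone.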
The attack has had significant downstream effects by further compromising the managed service providers (MSPs) that use the VSA product. This, in turn, affected thousands of businesses worldwide that work with the MSPs, by encrypting data on individual business systems.
The REvil ransomware gang is claiming responsibility for the attack, setting the ransom for the primary cloud-based MSP platform provider at the obscene amount of $70 million (in bitcoin) for a universal decryptor that will decrypt all victims. In addition, the criminal gang is demanding $5 million from affected MSPs and a smaller amount of $45K from MSP customers. However, researchers have discovered that the gang does not appear to be honoring the $45K ransom demand. (The REvil gang earned an estimated $100 million from its illegal operations in 2020.)
Many in the cybersecurity world are calling this attack the largest that they’ve witnessed so far, with President Biden issuing direction to US intelligence agencies to investigate the attack.
Next Steps
Businesses are being directed to keep all on-premises VSA servers offline until further instructions are received. When a patch is ready, it will be issued for installation before the VSA is restarted. In addition, businesses that may have received emails purporting to be from the attackers and containing links are being urged not to click those links, since they may be weaponized.
In official guidance from the US Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), affected MSPs and their customers are encouraged to:
- Download the VSA detection tool to determine indicators of compromise.
- Enable and enforce multi-factor authentication (MFA).
- Limit communications with remote monitoring and management (RMM) capabilities to known IP address pairs.
- Place RMM administrative interfaces behind a virtual private network (VPN) or firewall.
CISA and the FBI are further advising affected organizations to:
- Ensure backups are up to date and easily accessible, stored in a location air-gapped from the main network.
- Follow a patch management process with the immediate installation of new patches.
- Implement MFA and least privilege.
Ransomware is an incredibly dangerous threat to organizations, and many companies assume that the only solution is to pay the ransom. Organizations that believe they may be victims of ransomware are urged to work with a professional ransomware investigation and response team to perform a thorough examination and analysis and to determine the best course of action for restoring files and systems.