A massive REvil ransomware attack has hit multiple managed service providers (MSPs) and over a thousand of their customers through what is reported to be a Kaseya supply chain attack.
Starting this afternoon, the REvil ransomware gang, also known as Sodinokibi, has targeted MSPs with thousands of customers through what appears to be a supply chain attack on Kaseya VSA.
At the time of writing, eight large MSPs are known to have been affected as part of this supply chain attack.
Kaseya VSA is a cloud-based remote monitoring and management platform that MSPs use to perform patch management and monitoring for their clients.
John Hammond of Huntress Labs told BleepingComputer that all affected MSPs are running Kaseya VSA and that Huntress has evidence that the MSPs' clients have been encrypted as well.
“We are tracking 20 MSPs where the Kaseya VSA was used to encrypt more than 1,000 businesses and we are working closely with six of them,” Hammond shared in a blog post about the attack.
Kaseya issued a security notice on its help desk site, warning all VSA customers to immediately shut down their VSA servers to prevent the attack from spreading while the investigation is under way.
“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premises customers only as of 2:00 PM EDT today.
We are in the process of investigating the root cause of the incident with great caution, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.
It is critical that you do this immediately, because one of the first things an attacker does is close administrative access to the VSA.”
In a statement to BleepingComputer, Kaseya said it has shut down its SaaS servers and is working with other security companies to investigate the incident.
Most large-scale ransomware attacks take place late at night on the weekend, when there are fewer staff to monitor the network.
As this attack occurred around noon on a Friday, the threat actors likely timed it to coincide with the 4th of July weekend in the US, when it is common for staff to have a shorter workday ahead of the holiday.
If you have first-hand information about this attack or about the affected companies, we would love to hear from you. You can contact us confidentially on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.
REvil Attack Spread Through Automatic Update
According to Hammond, the Kaseya VSA drops an agent.crt file into the c:\kworking folder, distributed as an update named ‘Kaseya VSA Agent Hot-fix’.
A PowerShell command is then launched that first disables various Microsoft Defender features, including real-time monitoring, controlled folder access, script scanning, and network protection.
It then decodes the agent.crt file using the legitimate Windows certutil.exe command to extract an agent.exe file into the same folder, which is then executed to begin the encryption process.
The agent.exe is signed with a certificate from “PB03 TRANSPORT LTD” and carries an embedded “MsMpEng.exe” and “mpsvc.dll”, the DLL being the REvil encryptor. When extracted, ‘MsMpEng.exe’ and ‘mpsvc.dll’ are placed in the C:\Windows folder.
MsMpEng.exe is an older version of the legitimate Microsoft Defender executable, used here as a LOLBin to sideload the DLL so that the device is encrypted from within a trusted, signed executable.
Some of the samples add politically charged Windows registry keys and configuration changes to infected machines.
For example, a sample [VirusTotal] analyzed by BleepingComputer adds the HKLM\SOFTWARE\Wow6432Node\BlackLivesMatter key to store attack configuration information.
Advanced Intel's Vitali Kremez told BleepingComputer that another sample configures the device to boot into Safe Mode for REvil's safe-mode encryption, with a default password of ‘DTrump4ever’, by setting the following values:
“AutoAdminLogon” = “1”
“DefaultUserName” = “[account_name]”
“DefaultPassword” = “DTrump4ever”
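The delivery chain and registry changes described above translate directly into host-based detection rules. The following is an added example written for this article, not code from BleepingComputer, Huntress or Kaseya: it evaluates constructed Sysmon/EDR-style process-creation and registry-set events (plain dicts) against the behaviours reported here. The event field names, the Winlogon key path and the directories the genuine Defender engine is assumed to run from are assumptions made for this example; the file hashes are the IOCs listed at the end of the article.

```python
"""Detection rules for the REvil delivery chain described in the article (added example).

Not code from the article, Huntress or Kaseya. Field names, the Winlogon key path
and LEGIT_DEFENDER_DIRS are assumptions for this example; the sample events are
constructed, not real telemetry.
"""

# SHA-256 IOCs published at the end of the article (agent.crt, agent.exe, two mpsvc.dll builds).
KNOWN_HASHES = {
    "2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643",
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
}

# Directories the genuine Defender engine normally runs from (assumption for this example).
LEGIT_DEFENDER_DIRS = (
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev):
    """Return the names of every rule the event triggers (empty list if benign)."""
    hits = []
    if ev.get("type") == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        name = _basename(image)
        # certutil.exe abused as a decoder for the staged agent.crt
        if name == "certutil.exe" and "-decode" in cmd and "agent.crt" in cmd:
            hits.append("certutil_decode_agent_crt")
        # Set-MpPreference with any -Disable* switch: Defender tampering from PowerShell
        if name in ("powershell.exe", "pwsh.exe") and "set-mppreference" in cmd and "-disable" in cmd:
            hits.append("defender_tamper_via_powershell")
        # the dropped launcher started from the c:\kworking staging folder
        if image == "c:\\kworking\\agent.exe":
            hits.append("agent_exe_from_kworking")
        # MsMpEng.exe running anywhere but its legitimate install directories (e.g. C:\Windows)
        if name == "msmpeng.exe" and not image.startswith(LEGIT_DEFENDER_DIRS):
            hits.append("msmpeng_outside_defender_dir")
        # exact match against the published file hashes
        if ev.get("sha256", "").lower() in KNOWN_HASHES:
            hits.append("known_ioc_hash")
    elif ev.get("type") == "registry":
        key = ev.get("key", "").lower()
        value = ev.get("value", "").lower()
        data = ev.get("data", "")
        # configuration key the article says some samples create
        if key.endswith("\\blacklivesmatter"):
            hits.append("revil_config_key")
        # Winlogon DefaultPassword set to the hard-coded safe-mode auto-logon password
        if key.endswith("\\winlogon") and value == "defaultpassword" and data == "DTrump4ever":
            hits.append("revil_safe_mode_autologon")
    return hits


def scan(events):
    """Return [(index, [rule, ...]), ...] for every event that triggers at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry: two benign events followed by the chain from the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.5-0\\MsMpEng.exe",
     "cmdline": "MsMpEng.exe", "sha256": "00" * 32},                                  # genuine Defender engine
    {"type": "process", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -hashfile C:\\Users\\alice\\report.pdf SHA256", "sha256": "11" * 32},  # admin hashing a file
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true", "sha256": "22" * 32},
    {"type": "process", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe", "sha256": "33" * 32},
    {"type": "process", "image": "c:\\kworking\\agent.exe", "cmdline": "agent.exe",
     "sha256": "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"},   # article's agent.exe hash
    {"type": "process", "image": "C:\\Windows\\MsMpEng.exe", "cmdline": "MsMpEng.exe", "sha256": "44" * 32},
    {"type": "registry", "key": "HKLM\\SOFTWARE\\Wow6432Node\\BlackLivesMatter", "value": "sample_value", "data": "x"},
    {"type": "registry", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
     "value": "DefaultPassword", "data": "DTrump4ever"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

The two benign events show why each rule keys on a combination (certutil with -decode and agent.crt, MsMpEng.exe outside its install path) rather than on the binary name alone; certutil and MsMpEng.exe are both legitimate and common, and matching on them in isolation would drown an analyst in false positives.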
Kaseya CEO Fred Voccola told BleepingComputer in an email late Friday night that a vulnerability in Kaseya VSA was exploited during the attack and that a patch will be released as soon as possible.
“While our investigation is ongoing, to date we believe that:
- Our SaaS customers were never at risk. We hope to restore service to those customers once we have confirmed that they are not at risk, which we hope will be within the next 24 hours;
- Only a very small percentage of our clients were affected; it is currently estimated at less than 40 worldwide.
We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be thoroughly tested. We will release that patch as quickly as possible to get our customers back up and running.” - Kaseya
BleepingComputer has sent follow-up questions about the vulnerability and was told that a full update would be released on Saturday afternoon.
Huntress continues to provide more information about the attack in a Reddit thread, and we have added the IOCs at the end of this article.
Ransomware gang demands $5 million ransom
A sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer. However, it is unknown whether this is the sample used for every victim or whether each MSP received its own ransom demand.
For this sample, the ransomware gang demands a ransom of $5,000,000 in exchange for a decryptor.
According to Emsisoft CTO Fabian Wosar, MSP customers affected by the attack received a much lower ransom demand of $44,999.
While REvil is known to steal data before deploying ransomware and encrypting devices, it is unknown whether any files were exfiltrated by the attackers.
MSPs are a valuable target for ransomware gangs, offering an easy channel to infect many companies through a single breach, but such attacks require in-depth knowledge of MSPs and the software they use.
REvil has an affiliate that is well versed in the technology used by MSPs, with a long history of targeting these companies and the software they routinely use.
In June 2019, a REvil affiliate targeted MSPs via Remote Desktop and then used their management software to push ransomware installers to all the endpoints they manage.
This affiliate is believed to have previously worked with GandCrab, which also carried out successful attacks against MSPs in January 2019.
This is a developing story and will continue to be updated.
Update 7/1/21 10:30 PM EST: Added an updated vulnerability statement.
Update 3/7/21 5:37 PM EST: Updated title and added information on how more than 1,000 businesses have been affected by this attack.
Known file hashes (SHA-256):
agent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
agent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
mpsvc.dll - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
mpsvc.dll - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
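To put the hashes above to use on a host that may have received the malicious hot-fix, the following added example (not code from the article or from any vendor) walks a directory tree, computes SHA-256 for every regular file in chunks, and reports files whose digest matches the published list. As a weaker, name-only signal it also reports files carrying the staging names the article describes (agent.crt, agent.exe, mpsvc.dll). The demo tree it builds is constructed sample data, and the stand-in file contents are not malware; its digest is added to the known set only so the hash-match path can be exercised offline.

```python
"""Filesystem sweep for the REvil/Kaseya file IOCs listed in the article (added example).

Not code from the article or any vendor tool. SUSPECT_NAMES and the demo tree are
constructed for this example.
"""
import hashlib
import os
import sys
import tempfile

# SHA-256 IOCs from the article (agent.crt, agent.exe, two mpsvc.dll builds).
KNOWN_HASHES = {
    "2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643",
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
}

# File names from the delivery chain in the article; name match only, lower confidence.
SUSPECT_NAMES = {"agent.crt", "agent.exe", "mpsvc.dll"}


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, known_hashes=KNOWN_HASHES, suspect_names=SUSPECT_NAMES):
    """Return sorted [(relative_path, reason), ...]; reason is 'hash_match' or 'suspect_filename'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if digest in known_hashes:
                findings.append((rel, "hash_match"))
            elif name.lower() in suspect_names:
                findings.append((rel, "suspect_filename"))
    return sorted(findings)


def demo():
    """Build a constructed directory tree, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "kworking"))
        with open(os.path.join(root, "report.txt"), "wb") as fh:
            fh.write(b"quarterly numbers, benign content")
        with open(os.path.join(root, "kworking", "agent.crt"), "wb") as fh:
            fh.write(b"constructed stand-in for the staged certificate blob")
        stand_in = b"constructed stand-in, not the real agent.exe"
        with open(os.path.join(root, "revil_sample.bin"), "wb") as fh:
            fh.write(stand_in)
        # Add the stand-in's digest so the demo exercises the hash-match path offline.
        known = KNOWN_HASHES | {hashlib.sha256(stand_in).hexdigest()}
        return sweep(root, known)


if __name__ == "__main__":
    # Usage: python sweep.py <directory>   (no argument runs the constructed demo)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, reason in (sweep(target) if target else demo()):
        print(f"{reason:17} {rel}")
```

Hash matches are exact and therefore brittle: a rebuilt mpsvc.dll will not match, which is why the sweep also surfaces the staging file names and why the article's behavioural description (certutil decoding agent.crt, MsMpEng.exe running from C:\Windows) matters more than any single digest.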