REvil ransomware reaches over 1,000 companies in MSP supply chain attack

A massive REvil ransomware attack affects multiple managed service providers and over a thousand of their customers through a reported Kaseya supply chain attack.

This afternoon, the REvil ransomware gang, also known as Sodinokibi, targeted MSPs with thousands of customers through what appears to be a supply chain attack on Kaseya VSA.

Right now, there are eight known large MSPs that have been affected as part of this supply chain attack.

Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.

John Hammond of Huntress Labs has told BleepingComputer that all affected MSPs are running Kaseya VSA and that they have proof that their customers are encrypted as well.

“We are tracking 20 MSPs where the Kaseya VSA was used to encrypt more than 1,000 businesses and we are working closely with six of them,” Hammond shared in a blog post about the attack.

Kaseya issued a security notice on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the spread of the attack during the investigation.

“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premises customers only as of 2:00 PM EDT today.

We are in the process of investigating the root cause of the incident with great caution, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.

It is critical that you do this immediately, because one of the first things an attacker does is close administrative access to the VSA.”

In a statement to BleepingComputer, Kaseya stated that they have shut down their SaaS servers and are working with other security companies to investigate the incident.

Most large-scale ransomware attacks take place late at night on the weekend, when there are fewer staff to monitor the network.

As this attack occurred at noon on a Friday, the threat actors likely timed it to coincide with the 4th of July weekend in the US, when it is common for staff to have a shorter work day before the holiday.

If you have first-hand information about this attack or information about the affected companies, we would love to hear from you. You can contact us confidentially on Signal at +16469613731 or on Wire at @ lawrenceabrams-bc.

REvil Attack Spread Through Automatic Update

BleepingComputer has been told by both Huntress' John Hammond and Sophos' Mark Loman that the attacks on MSPs appear to be a supply chain attack through Kaseya VSA.

According to Hammond, Kaseya VSA drops an agent.crt file into the c:\kworking folder, which is distributed as an update called ‘Kaseya VSA Agent Hot-fix’.

Then a PowerShell command is launched that first disables various Microsoft Defender security features such as real-time monitoring, controlled folder access, script scanning, and network protection.

Then it decodes the agent.crt file using the legitimate Windows certutil.exe command to extract an agent.exe file into the same folder, which is then launched to begin the encryption process.

PowerShell command to run REvil ransomware (Source: Reddit)

The agent.exe is signed with a certificate from “PB03 TRANSPORT LTD” and includes an embedded “MsMpEng.exe” and “mpsvc.dll”, the DLL being the REvil encryptor. When extracted, ‘MsMpEng.exe’ and ‘mpsvc.dll’ are placed in the C:\Windows folder.

Signed agent.exe file

MsMpEng.exe is an older version of the legitimate Microsoft Defender executable that is used as a LOLBin to load the DLL and encrypt the device through a trusted executable.

The agent.exe extracting and executing embedded resources
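The chain above (Defender features switched off from PowerShell, certutil.exe decoding agent.crt, agent.exe launched from c:\kworking, and an out-of-place MsMpEng.exe) leaves a recognisable trail in process-creation telemetry. The following is an added detection example written for this article; it is not code from BleepingComputer, Huntress or Sophos. It assumes events arrive as image path plus command line (the sample events are constructed, not logs from the incident), assumes that a genuine Defender engine binary lives under the platform directories listed in DEFENDER_DIRS, and the rule names are invented for the example.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed process-creation events modelled on the chain described in the article.
# They are illustrative samples, not telemetry captured from the incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
                "-EnableNetworkProtection Disabled"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"image": r"c:\kworking\agent.exe", "cmdline": r"c:\kworking\agent.exe"},
    {"image": r"C:\Windows\MsMpEng.exe", "cmdline": r"C:\Windows\MsMpEng.exe"},
    # Benign look-alikes that must not fire. The platform version folder is an assumed
    # example of where the real MsMpEng.exe normally runs from.
    {"image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "cmdline": "MsMpEng.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -verify cert.cer"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]

# Directories (lower-cased, backslash-terminated prefix) under which a genuine Defender
# engine binary is expected to live. Assumption for this example.
DEFENDER_DIRS = (
    "\\programdata\\microsoft\\windows defender\\platform\\",
    "\\program files\\windows defender",
)

# Set-MpPreference followed by any -Disable<Feature> $true or -Enable<Feature> Disabled switch.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*?(-Disable\w+\s+\$true|-Enable\w+\s+Disabled)", re.I)
# certutil used in decode mode (the article's step that turns agent.crt into agent.exe).
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\b.*\s-decode\b", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers, in a fixed order."""
    image = event["image"].lower()
    directory = ntpath.dirname(image)
    basename = ntpath.basename(image)
    hits: List[str] = []
    if DEFENDER_TAMPER.search(event["cmdline"]):
        hits.append("defender_tampering")
    if CERTUTIL_DECODE.search(event["cmdline"]):
        hits.append("certutil_decode")
    if directory.startswith("c:\\kworking"):
        hits.append("kworking_exec")          # executable launched from the VSA working dir
    if basename == "msmpeng.exe" and not any(d in directory + "\\" for d in DEFENDER_DIRS):
        hits.append("msmpeng_outside_defender_dir")   # Defender engine copied elsewhere
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return only the flagged events, each paired with the rules it triggered."""
    flagged = []
    for event in events:
        rules = classify(event)
        if rules:
            flagged.append((event["image"], rules))
    return flagged


if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

Any one rule on its own is noisy (certutil -decode and PowerShell changes to Defender have legitimate uses), so the value is in seeing several fire on one host within minutes, in the order the article describes.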

Some of the samples add politically charged Windows registry keys and configuration changes to infected machines.

For example, a sample [VirusTotal] installed by BleepingComputer adds the HKLM\SOFTWARE\Wow6432Node\BlackLivesMatter key to store attack configuration information.

Advanced Intel's Vitali Kremez told BleepingComputer that another sample configures the device to boot into Safe Mode with a default password of ‘DTrump4ever’.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="[account_name]"
"DefaultPassword"="DTrump4ever"
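The Winlogon values above are the kind of thing a responder pulls out of a registry export when checking whether a host was set up for unattended logon. The following is an added example, not code from the article or from Advanced Intel: a small parser for the subset of .reg syntax shown (key sections, quoted string values and dword values) and a review function that flags automatic logon with a stored DefaultPassword and the presence of the BlackLivesMatter key. The export text is constructed for the example; the contents of the BlackLivesMatter key are not on the page, so it is left empty here.

```python
import re
from typing import Dict, List

# Constructed .reg export reproducing the Winlogon values quoted in the article, the
# (empty, values unknown) Wow6432Node\BlackLivesMatter key, and one unrelated key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="[account_name]"
"DefaultPassword"="DTrump4ever"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"Enabled"=dword:00000001
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# "name"=data  or  @=data (default value)
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] sections with "name"="string" and "name"=dword:hex values.
    Returns {key_path: {value_name: value}}; other value types are kept verbatim."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys


def review(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return human-readable findings for the indicators described in the article."""
    findings: List[str] = []
    winlogon = keys.get(WINLOGON, {})
    if str(winlogon.get("AutoAdminLogon", "0")) == "1" and winlogon.get("DefaultPassword"):
        user = winlogon.get("DefaultUserName", "?")
        findings.append(f"automatic logon enabled for {user} with a cleartext DefaultPassword")
    for path in keys:
        if path.lower().endswith("\\blacklivesmatter"):
            findings.append(f"REvil configuration key present: {path}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_reg(SAMPLE_REG)):
        print(finding)
```

AutoAdminLogon is also used legitimately on kiosk and lab machines, so the first finding is a lead to confirm against the host's expected configuration rather than a verdict on its own.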

Kaseya CEO Fred Voccola told BleepingComputer in an email late Friday night that a vulnerability in Kaseya VSA was exploited during the attack and that a patch will be released as soon as possible.

“While our investigation is ongoing, to date we believe that:

  • Our SaaS customers were never at risk. We hope to restore service to those customers once we have confirmed that they are not at risk, which we hope will be within the next 24 hours;
  • Only a very small percentage of our clients were affected; it is currently estimated at less than 40 worldwide.

We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be thoroughly tested. We will release that patch as quickly as possible to get our customers back up and running.” - Kaseya.

BleepingComputer has sent follow-up questions about the vulnerability and was told that a full update would be released on Saturday afternoon.

Huntress continues to provide more information about the attack in a Reddit thread, and we have added IOCs to the end of this article.

Ransomware gang demands $5 million ransom

A sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer. However, it is unknown whether this is the sample used for every victim or whether each MSP received its own ransom demand.

For one of the samples, the ransomware gang demands a ransom of $5,000,000 to receive a decryptor.

Ransom demand

According to Emsisoft CTO Fabian Wosar, MSP customers who were affected by the attack received a much lower $44,999 ransom demand.

While REvil has been known to steal data before deploying ransomware and encrypting devices, it is unknown whether any files were exfiltrated by the attackers.

MSPs are a valuable target for ransomware gangs, offering an easy channel to infect many companies through a single breach, but such attacks require in-depth knowledge of MSPs and the software they use.

REvil has an affiliate that is well versed in the technology used by MSPs, with a long history of targeting these companies and the software they routinely use.

In June 2019, a REvil affiliate targeted MSPs via Remote Desktop and then used their management software to push ransomware installers to all the endpoints they manage.

This affiliate is believed to have previously worked with GandCrab, which also successfully carried out attacks against MSPs in January 2019.

This is a developing story and will continue to be updated.

Update 7/1/21 10:30 PM EST: Added an updated vulnerability statement.
Update 3/7/21 5:37 PM EST: Updated title and added information on how more than 1,000 businesses have been affected by this attack.

IOCs

Known file hashes (SHA-256):

agent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643
agent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
mpsvc.dll - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
mpsvc.dll - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
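One way to put the hashes above to work on a suspect host is a tree walk that hashes every file and compares it against the list, while separately noting files whose names match the dropped components so they can be pulled for analysis. The following is an added example written for this article, not a tool from BleepingComputer or Huntress. It assumes the hash list stays SHA-256, and the directory tree it scans is constructed in a temporary folder (so the published hashes cannot match; the demo adds the hash of its own dummy file to show a positive match end to end).

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA-256 hashes published in the article's IOC list, mapped to the file they belong to.
KNOWN_HASHES: Dict[str, str] = {
    "2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643": "agent.crt",
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2": "mpsvc.dll",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll",
}
# File names from the chain described in the article. A name match alone is only a lead:
# the real mpsvc.dll is a legitimate Defender component, and only the hash confirms.
DROPPED_NAMES = {"agent.crt", "agent.exe", "mpsvc.dll"}


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, hashes: Dict[str, str]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Walk `root`. Returns (hash_hits, name_hits): hash_hits are (path, sha256, ioc label)
    for files whose digest is in `hashes`; name_hits are paths matching DROPPED_NAMES."""
    hash_hits: List[Tuple[str, str, str]] = []
    name_hits: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                name_hits.append(path)
            try:
                digest = sha256_file(path)
            except OSError:   # unreadable or vanished file; keep scanning
                continue
            if digest in hashes:
                hash_hits.append((path, digest, hashes[digest]))
    return hash_hits, name_hits


def run_demo() -> Dict[str, object]:
    """Build a constructed tree and scan it twice: against the published hashes (no hit,
    the file contents are invented) and after adding the dummy DLL's own hash (one hit)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "kworking"))
        os.makedirs(os.path.join(root, "Windows"))
        benign = os.path.join(root, "kworking", "notes.txt")
        lookalike = os.path.join(root, "Windows", "mpsvc.dll")   # constructed, not the real DLL
        with open(benign, "w") as fh:
            fh.write("constructed sample file\n")
        with open(lookalike, "wb") as fh:
            fh.write(b"constructed placeholder, not the real DLL\n")
        hits_before, names = scan_tree(root, KNOWN_HASHES)
        extended = dict(KNOWN_HASHES)
        extended[sha256_file(lookalike)] = "demo-only hash (constructed)"
        hits_after, _ = scan_tree(root, extended)
        return {
            "hash_hits_before": len(hits_before),
            "name_hits": sorted(os.path.basename(p) for p in names),
            "hash_hits_after": [label for _, _, label in hits_after],
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real host the scan would be pointed at the drive root (or at c:\kworking and C:\Windows first, since those are the locations named above), and every hash hit should be preserved as evidence before any cleanup, because the encryptor DLL and its loader are what an analyst needs to confirm the variant.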
