With Kaseya Ransomware Attack, REvil Dismisses Mounting Global Scrutiny with More Large-Scale Targets
REvil Ransomware Group Takes Down Kaseya in Massive Supply Chain Attack
On July 2, 2021, the Russian ransomware extortionist threat group “REvil” (aka “Sodinokibi” or “Sodin”) launched a ransomware attack against the technology provider Kaseya, compromising and distributing malware through Kaseya’s VSA remote software and patch management tool. REvil initially made a $70M demand (later lowered to $50M) for a universal decryptor, as well as ransoms for individual organization victims of between $50,000 and $5M, based on organization size.
Following the attack, Kaseya shut down its software-as-a-service (SaaS) servers and provided a detection tool for clients to check their systems for indications of compromise. Due to the immense scale and complexity of the attack, REvil failed to delete many victims’ backups and/or steal their data. As a result, relatively few victim organizations have opted to pay the ransom so far.
As of this posting, both ransomware negotiations and efforts to recover locked systems remain ongoing with Kaseya. Despite multiple setbacks, Kaseya again reset its timetable to restore the SaaS version of Kaseya VSA on Sunday, July 11, 2021.
Third-Party Ripple Effects Extend Victim Count
According to Kaseya, approximately 800 to 1,500 organizations were effectively compromised by the ransomware either directly or via their managed service providers (MSPs), which provide third-party IT security and technical support to other small- and medium-sized businesses (SMBs).
Sweden appears to be one of the hardest-hit countries: the ransomware attack forced the retail chain Coop to close its 800 stores for several days, and the ongoing recovery effort will likely take weeks before the chain is fully operational again. The attack is known to have reached at least seventeen countries to date.
Zero-Day Use Signals Escalating Ransomware Attack Sophistication
In a tactic that has historically been uncommon in ransomware campaigns, REvil operators made use of a zero-day vulnerability, now identified as CVE-2021-30116, to successfully carry out the attack on Kaseya. In the attack chain, REvil’s dropper hijacks a legitimate Windows Defender process to launch a malicious dynamic-link library (DLL) file, using exceptions granted to Kaseya’s working folders to avoid detection.
The time, technical skills, and resources that are required to identify and leverage previously unknown exploits are costs that most financially motivated ransomware collectives aren’t willing to commit—and why most zero-day attacks are carried out by nation-state threat actors. This is also why some see the attack on Kaseya as “a revolution in sophistication” for ransomware operations.
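The detection side of the attack chain described above, as an added example that is not part of the original article: a Python triage pass over constructed process-creation and image-load events. The choice of MsMpEng.exe as the Defender binary, the event field names and the C:\rmm-working exclusion path are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: MsMpEng.exe (the Defender service binary) stands in for the
# "legitimate Windows Defender process"; the page does not name the file.
DEFENDER_NAMES = {"msmpeng.exe"}
DEFENDER_ROOTS = [
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
]
# Starting allow-list for DLL locations; extend it for your own fleet.
DLL_ROOTS = DEFENDER_ROOTS + [r"C:\Windows\System32"]

def under(path, root):
    """True if path lies inside root (Windows paths compare case-insensitively)."""
    return PureWindowsPath(root) in PureWindowsPath(path).parents

def triage(events, av_exclusions):
    """Return sorted (rule, path) findings for process/image-load events."""
    findings = set()
    for ev in events:
        image = ev["image"]
        is_defender = PureWindowsPath(image).name.lower() in DEFENDER_NAMES
        if is_defender and not any(under(image, r) for r in DEFENDER_ROOTS):
            # The Defender binary has no reason to run outside its install roots.
            findings.add(("defender-binary-outside-install-root", image))
        if ev["type"] == "process_create":
            # The scanner does not inspect excluded folders, so review what runs there.
            if any(under(image, x) for x in av_exclusions):
                findings.add(("exec-from-av-excluded-folder", image))
        elif ev["type"] == "image_load" and is_defender:
            if not any(under(ev["loaded"], r) for r in DLL_ROOTS):
                findings.add(("defender-loaded-unexpected-dll", ev["loaded"]))
    return sorted(findings)

# Constructed sample data: paths and file names are illustrative, not IoCs.
EXCLUSIONS = [r"C:\rmm-working"]  # placeholder for the RMM agent's working folder
EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"type": "image_load", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process_create", "image": r"C:\rmm-working\update.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\MsMpEng.exe"},
    {"type": "image_load", "image": r"C:\Users\Public\MsMpEng.exe",
     "loaded": r"C:\Users\Public\helper.dll"},
]

if __name__ == "__main__":
    for rule, path in triage(EVENTS, EXCLUSIONS):
        print(f"{rule}: {path}")
```

The path check compares whole path components, so a sibling folder such as C:\rmm-working-other is not treated as covered by the exclusion.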
July 4th Timing and Russian Protectionism Contrast Intensifying Global Scrutiny
The REvil ransomware attack occurred less than two weeks after US President Joe Biden issued a stern warning to Russia and President Vladimir Putin that the US would begin to hold Russia responsible for ransomware attacks emanating from Russia.
The possibly symbolic timing of the attack on Friday, July 2, 2021, at the beginning of the long weekend for the US national holiday that celebrates the country’s Independence Day on July 4th, also did not go unnoticed. In fact, one REvil spokesperson known as “Unknown” responded with the words “Happy Independence Day” to a user’s post on the forum XSS that shared an article about the attack.
REvil Coded Ransomware to Avoid Russian and Former USSR Systems
According to a detailed analysis by Trustwave published on July 7th, REvil made concerted efforts to safeguard regional entities and former Soviet Union countries in coding and preparing this ransomware attack on Kaseya. These efforts included purposefully written code to ensure the associated malware would bypass and avoid any systems using Russian—or any of seventeen other related languages and dialects, including Belarusian, Romanian, and Ukrainian—as the primary default language. While safeguarding tactics like this are far from novel, employed in attacks for at least several years at this point, they can help further contextualize the intent and implications of the attack and the attackers.
US CISA and FBI Issue Joint Advisory for MSPs Following the Attack
On July 4th, the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued a joint advisory for MSPs, advising them to enforce multifactor authentication for both inside and customer-facing accounts, implement allow-listing, and protect administrative interfaces of remote monitoring and management (RMM) by placing them behind firewalls or virtual private networks (VPNs).
More Recent REvil Ransomware Activity
REvil has been responsible for several high-visibility ransomware incidents in recent months, including the following events and Flashpoint coverage:
- REvil successfully extorts Brazilian meat supplier, JBS, for $11M. In late May 2021, the ransomware group successfully carried out a ransomware attack against JBS, taking down its global operations. Ultimately, this attack resulted in the company paying the $11M ransom to REvil in June 2021.
- Popular cybercriminal forums ban ransomware groups (including REvil). With global scrutiny of ransomware intensifying following a series of high-profile attacks, many of the most popular cybercriminal forums—including XSS, Exploit, and Raid—all opt to ban the discussion and advertisement of ransomware on their channels.
- DarkSide ransomware holds strong links to REvil ransomware. DarkSide’s close links to REvil emerge in the aftermath of DarkSide’s ransomware attack on Colonial Pipeline, which took offline more than five thousand miles of its gas pipeline systems in the US in May 2021.
- Flashpoint covers REvil’s escalating attack and extortion techniques. As part of its ongoing Ransomware-as-a-Service (RaaS) operations, REvil made a series of announcements in February and March 2021 about new capabilities it was adding to its ransomware arsenal. These new offerings included new or enhanced support for English-language negotiations, distributed denial-of-service (DDoS) attacks, phoning extortion services, and access to “tier 1” networks with revenue greater than $1 billion USD.
- In a cybercriminal forum Q&A, REvil discusses its business and move to RaaS. In a lengthy, Q&A-style interview on October 24, 2020, a REvil spokesperson opened up about the ransomware collective, its operations, and its business rationale for switching to a license-based selling model to achieve better economies of scale for the ransomware tools that it offers.