Kaseya’s IT Software Platform used in REvil Ransomware Attack demanding $70 Million

Over the 4th of July weekend, ransomware attackers abused the Kaseya IT software platform, which is used to manage IT services remotely, to hit Kaseya customers with ransom demands.

Mark Loman, Director and Ethical hacker at Sophos, reported at the time that the systems affected by the attack demanded $44,999 to be unlocked. A notice on Kaseya’s website asked customers to shut off their VSA servers for now “because one of the first things the attacker does is shut off administrative access to the VSA.”

Another notice in an update on Saturday, July 3, advised that “customers who experienced ransomware and receive a communication from the attackers should not click on any links – they may be weaponized.”

According to a report, the ransomware attack targeted six large Managed Service Providers and has encrypted data for as many as 200 companies.

In a story on doublepulsar.com, Kevin Beaumont posted details about how the attack appears to work. According to Beaumont, the REvil ransomware is pushed out through a Kaseya update and uses the platform’s administrative privileges to infect systems. Once an MSP is infected, its systems can in turn attack the clients to which it provides remote IT services.

Three days after the attack, the picture of how widespread it is has become a little clearer. The attackers claim to have compromised more than 1 million computers and have demanded $70 million to decrypt infected devices.

Fred Voccola, Kaseya’s CEO, said in a statement that “only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.”

Sophos VP Ross McKerchar said in a statement a couple of days later that “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger followed up on comments made by President Biden by saying “The FBI and CISA will reach out to identified victims to provide assistance based upon an assessment of national risk.”

Huntress Labs, which has cataloged most of the information related to the attack, says that over 1,000 businesses were compromised.

Sophos, Huntress and other sources pointed to a post on REvil’s “Happy Blog”, where the group claims that more than 1 million devices have been affected and demands a ransom of over $70 million to unlock them.

Security Researcher Marcus Hutchins is skeptical of REvil’s claims. He thinks they’re overstating the impact of the attack to receive a bigger payout.

REvil has been connected to several prior ransomware incidents, including a previous attack involving Kaseya in June 2019 and an attack on JBS earlier this year. One of the companies most affected by the current attack is Coop, a Swedish grocery store chain that had to close 800 of its stores on Saturday after the attack caused its cash registers to malfunction.

Days after the attack, Kaseya’s SaaS cloud servers remain offline, and experts believe that when companies in the US return to work on Tuesday, more victims could be discovered.

Story via:
https://www.theverge.com/2021/7/2/22561252/revil-ransomware-attacks-systems-using-kaseyas-remote-it-management-software

https://www.theverge.com/2021/7/5/22564054/ransomware-revil-kaseya-coop
