REvil Ransomware Exploits Kaseya’s Remote IT Management Software to Attack Systems

Just when we would have most appreciated a break from the spate of cyberattacks, ransomware hackers have exploited Kaseya’s technology to launch their malicious payloads. The attack on 2 June 2021 saw the cybercriminals use Kaseya’s remote IT management software to carry out the hack. Additionally, it is reported that the attackers are demanding ransoms of up to $44,999 to unlock the affected systems.

Kaseya is an American software outfit that offers remote management software for IT companies. The hackers exploited an authentication bypass vulnerability in Kaseya’s Virtual System Administrator (VSA) software. They then used the compromised VSA to distribute malicious payloads to the hosts the software manages. In the process, many managed service providers and their customers became victims of the Kaseya hack.

The exact number of enterprises hit by the Kaseya attack is still unclear. However, Fred Voccola, Kaseya’s CEO, placed it between 800 and 1,500 businesses across five continents. Sweden and New Zealand were the worst hit by the attack, because hundreds of supermarkets in Sweden and many schools in New Zealand were taken offline. For instance, a Swedish grocery chain couldn’t open about 800 stores because their cash registers were offline.

Kaseya’s Response to the Attack

On the day of the attack, Kaseya acknowledged “a potential attack against the VSA that had been limited to a small number of on-premise computers.” Furthermore, it stated that the team’s quick response had mitigated the effects of the attack.

The company then set up a dedicated page for updating customers on its crisis management. Customers were notified of the breach by email, phone, and online sources. By 4 July, Kaseya had revised its position, describing itself as “the victim of a sophisticated cyber attack.” In addition, Kaseya engaged FireEye, a security assessment firm, to assess the manner, impact, and extent of the attack.

In response to the attack, Kaseya shut down its SaaS servers. The company’s CEO claimed that this move was to protect about 36,000 more customers. However, Voccola has since said that the SaaS servers were never at risk in the first place. In addition, the company promised to pass on vital information to customers as it came in. Encouragingly, by 12 July, Kaseya reported that it had completed unplanned maintenance on the VSA SaaS infrastructure.

Other cybercriminals tried to exploit the Kaseya situation. These spammers disguised fake email notifications as Kaseya updates. In reality, they were phishing emails containing malicious links and attachments. Therefore, Kaseya warned customers not to click such links or download the attachments. Furthermore, the company instructed customers not to respond to phone calls from persons posing as Kaseya partners.

The Group Behind the Attack

The REvil ransomware gang has since claimed responsibility for the Kaseya attack. REvil, short for Ransomware Evil and also known as Sodinokibi, announced that it had infected more than a million systems in the attack. Through the attack, REvil encrypted the data on the victims’ systems. Consequently, REvil demanded a negotiable $70 million ransom to release a universal decryptor for the affected systems.

Fortunately, Kaseya obtained a universal decryptor key for the victims of the ransomware attack. It stated that it got the decryptor from an unnamed third party. Furthermore, Kaseya had Emsisoft confirm the key’s effectiveness in unlocking victim systems. It then provided this key to customers so they could decrypt data they couldn’t restore from backup.

Notably, Kaseya has denied claims that it paid the hackers for the decryption key. The Kaseya update stated that the company had decided not to negotiate with the criminals, a decision it reached after consulting with experts. Therefore, Kaseya said that it did not pay, directly or indirectly, to obtain the decryption key. Finally, Kaseya has since released a patch for its VSA software.

How Other Agencies Responded to the Attack

Huntress Labs, a security firm, was among the first parties to notice the hack. The FBI has previously linked REvil, the ransomware group behind this attack, to the attack on meatpacking company JBS SA. Furthermore, REvil has links to attacks involving Travelex and Acer. REvil has also stolen and leaked financial and legal data in several other ransomware attacks. Interestingly, REvil is believed to have strong Russian ties.

The White House was responsive following the attack. The deputy national security adviser for cyber and emerging technology stated that the FBI and the Department of Homeland Security “will reach out to identified victims to provide assistance based upon an assessment of national risk.” Furthermore, President Joe Biden instructed US intelligence services to investigate the party responsible for this ransomware attack.

On 13 July 2021, the REvil leak site and other infrastructure disappeared from the internet. This followed the hackers’ Russian links and President Biden’s strong posture towards Russian hackers attacking US cyberspace. Although July was a difficult month for Kaseya clients, they can rest easier now that Kaseya has a decryption key to recover their data. Fortunately, too, the decryption key has proven to be 100% effective in unlocking victims’ data.