While ransomware attacks already leave targeted organizations helpless for days, some attacks have a domino effect as well. A recent incident proved exactly that: the REvil ransomware gang exploited Kaseya's VSA to trigger a supply-chain attack against MSPs.
REvil Ransomware Kaseya Supply-Chain Attack
Reportedly, Kaseya Corp – an IT security and management solutions provider firm – has fallen prey to a serious cyberattack.
On July 2, 2021, the firm disclosed that it had suffered a cyberattack affecting a “small number of on-premise customers”. While the initial disclosure didn’t reveal the nature of the incident, Kaseya did urge shutting down the VSA server.
It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA.
As stated in an update to the advisory, Kaseya had identified roughly 40 of its 39,000 customers as affected.
The latest updates from Kaseya also confirm the involvement of ransomware, which went on to target the customers as well.
Briefly, the attackers exploited a vulnerability to roll out a malicious VSA server update that affected the MSPs (managed service providers).
Regarding how it could have happened, Mark Loman, a malware analyst from Sophos, explained that the malware first shuts down the antivirus solution on the target system. It then drops a malicious DLL that a legitimate copy of Microsoft Defender side-loads, so the ransomware and the subsequent encryption run from a trusted process.
We are monitoring a REvil 'supply chain' attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.
— Mark Loman @🏡 (@markloman) July 2, 2021
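As an added illustration (not from the article, Sophos, or Kaseya), the following Python snippet applies the side-loading pattern Loman describes to constructed Sysmon-style process-creation and image-load events: it flags MsMpEng.exe or mpsvc.dll observed outside Defender's normal install directories. The expected-directory list and the sample events are assumptions made for this example.

```python
import re

# Directories from which a genuine MsMpEng.exe (and its mpsvc.dll) is expected
# to run. Assumption: tune this list to your Defender platform layout.
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed Sysmon-style events (not real telemetry): EventID 1 is process
# creation, EventID 7 is image (DLL) load. The version folder is made up.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Program Files\Windows Defender\MsMpEng.exe",
    r"EventID=1 Image=C:\Windows\MsMpEng.exe",
    r"EventID=7 Image=C:\Windows\MsMpEng.exe ImageLoaded=C:\Windows\mpsvc.dll",
    r"EventID=7 Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe"
    r" ImageLoaded=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll",
]

# key=value pairs; values may contain spaces, so each value ends at the next " Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def in_expected_dir(path):
    """True if path sits under one of the expected Defender directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in EXPECTED_DEFENDER_DIRS)


def inspect_event(line):
    """Return the reasons (possibly none) an event matches the side-load pattern:
    Defender's engine binary or its mpsvc.dll appearing outside its install dirs."""
    ev = parse_event(line)
    image = ev.get("Image", "")
    loaded = ev.get("ImageLoaded", "")
    reasons = []
    if image.lower().endswith("\\msmpeng.exe") and not in_expected_dir(image):
        reasons.append("MsMpEng.exe started from unexpected path: " + image)
    if loaded.lower().endswith("\\mpsvc.dll") and not in_expected_dir(loaded):
        reasons.append("mpsvc.dll loaded from unexpected path: " + loaded)
    return reasons


def scan(lines):
    """Run inspect_event over a batch of log lines; returns (line, reason) pairs."""
    return [(line, reason) for line in lines for reason in inspect_event(line)]


if __name__ == "__main__":
    for _line, reason in scan(SAMPLE_EVENTS):
        print(reason)
```

Path checks are only a first filter; verifying the Authenticode signature of the loaded mpsvc.dll covers copies dropped inside the expected directories.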
US CISA Taking Notice Of The Matter
Upon noticing the incident, the firm immediately shut down its SaaS servers out of caution, even though they were unaffected. It also notified all customers and law enforcement of the matter.
Consequently, US CISA confirmed in a tweet that it is reviewing the incident.
.@CISAgov is taking action to understand and address the supply-chain #ransomware attack against Kaseya VSA and the multiple #MSPs that employ VSA software. Review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers: https://t.co/48QLkEm1eY
— US-CERT (@USCERT_gov) July 2, 2021
As for the ransom amount, reports suggest that the attackers have demanded $5 million to provide the decryptor, while for individual MSPs the demand drops to $50,000.
This attack is reminiscent of the SolarWinds incident that jolted the corporate world globally. Let’s see how things unfold in the coming days.