Home Cyber Attack REvil Ransomware Targets MSPs Via Kaseya Supply-Chain Attack

REvil Ransomware Targets MSPs Via Kaseya Supply-Chain Attack

by Abeerah Hashim
Kaseya got REvil ransomware decryptor

While ransomware attacks already leave the targeted organizations helpless for days, some attacks can have a domino effect too. A recent incident proved the same: the REvil ransomware gang exploited Kaseya to trigger a supply-chain attack against MSP.

REvil Ransomware Kaseya Supple-Chain Attack

Reportedly, Kaseya Corp – an IT security and management solutions provider firm – has fallen prey to a serious cyberattack.

On July 2, 2021, the firm disclosed that it had suffered a cyberattack affecting a “small number of on-premise customers”. While the initial disclosure didn’t reveal the nature of the incident, Kaseya did urge shutting down the VSA server.

It’s critical that you do this immediately because one of the first things the attacker does is shutoff administrative access to the VSA.

As stated in an update to the advisory, Kaseya could identify roughly 40 of its 39,000 customers to have suffered the impact.

Besides, the latest updates from Kaseya confirm the involvement of ransomware that further targeted the customers as well.

Though, it hasn’t shared any precise details for now. Yet, according to several reports, Kaseya has fallen prey to REvil ransomware that conducted the supply-chain attack.

Briefly, the attackers exploited a vulnerability to roll out a malicious VSA server update that affected the MSPs (managed service providers).

Regarding how it could have happened, a malware analyst from Sophos, Mark Loman, explained that the malware shuts down the antivirus solution on the target system first. It then pushes a malicious binary impersonating the Microsoft Defender to execute the ransomware and the subsequent encryption.

US CISA Taking Notice Of The Matter

Upon noticing the incident, the firm immediately shut down its SaaS servers, despite them being unaffected, out of caution. Also, they informed all the customers, and law enforcement of the matter.

Consequently, US CISA confirmed reviewing the incident via a latest tweet.

As for the ransom amount, reports suggest that the attackers have demanded $5 million to provide the decryptor. Whereas, for the individual MSPs, this demand shrinks down to $50,000.

This attack reminds us of the SolarWinds incident that jolted up the corporate world globally. Let’s see how things unfold in the coming days.

You may also like