In 2019, Cybernetic Global Intelligence had already warned about REvil. Refer to our previous blog on GandCrab ransomware: Is it back under a new REvil guise? The Fourth of July celebrations in America this year were slightly different for around 1,500 organizations that fell victim to one of the most devastating ransomware attacks in modern history. In fact, the exact number of victims is still not known, since the toll keeps rising with every passing minute. The supply chain attack took place when Kaseya, a company that provides IT solutions to its client companies, rolled out a hotfix (quick fix engineering update) that carried a highly potent piece of malware known as Sodinokibi. Refer to our previous blog on the Travelex ransomware attack: Sodinokibi Is Here With A New Tactic.
Since the attack, the US government and Kaseya itself have scrambled to mitigate the damage caused by a group of Russian hackers known as REvil. At present, the only viable option to halt the attack is for Kaseya and its client companies to pay a ransom of $70 million. This was a supply chain attack, a form of cyberattack that uses third-party software updates as the vector to propagate the malware. The third party in this case was Kaseya. Through this two-part series, the reader will receive a comprehensive rundown of the Kaseya attacks and what they mean for the future of data security.
Kaseya VSA: A look at the victim
As mentioned before, Kaseya is an IT company that provides remote network monitoring as well as management. This means that Kaseya servers are used to install software on, and manage the activities of, its client companies from a remote location. Therefore, the functioning of the clients’ workstations, servers and endpoints is managed by this company.
The company was first established in 2003 when the first Kaseya headquarters was inaugurated in Dublin, Ireland. However, the company now holds a presence in the US with offices in Miami, the site of the ransomware attack.
The clients, and later victims, are mostly smaller companies that are unable to hire in-house IT professionals to ensure the security of their data. Therefore, they invested in Kaseya’s VSA remote IT management software to protect their company data. The software provides a range of services to clients, including software deployment, patch management, antivirus and antimalware deployment, and more.
In addition to this, the company also rolls out frequent updates to its software to carry out routine maintenance of the product. Thus, Kaseya and its software made it possible for managed service providers and smaller businesses to store their data safely. However, this update channel was also the trigger that the bad actors used to execute the cyber-attack. It is ironic that the purpose of these regular updates is to protect data from cyberattacks.
How REvil became an infamous RaaS provider
According to cyber researchers, REvil is a criminal hacking group located either in Eastern Europe or Russia; the exact location is not yet known. The group is assumed to be Russian because its members communicate in Russian and the attacks are designed to avoid Russian devices.
The group is considered one of the most notorious ransomware-as-a-service providers. These providers essentially work towards creating tools for other cyber-attackers to carry out ransomware attacks. A portion of the profits from a successful attack is received by their clients. However, in some cases, as seen in the Kaseya ransomware attack, the group worked alone and executed the attack by itself.
The group has been a source of interest for cyber experts for around two years now. The team is said to consist of some of the most knowledgeable individuals who have also carried out ransomware attacks in the past that were almost as damaging as the Kaseya attack.
One example is the Colonial Pipeline attack, which was executed by the Darkside gang back in May 2021. The victim, Colonial Pipeline, is a major U.S. fuel supplier that had to shut down operations for close to a week, leading to fuel shortages at gas stations. Some researchers state that the manner in which that attack was executed is similar to the Kaseya attack, meaning there is a chance that members of the Darkside gang were previously associated with REvil.
Previous offences linked to REvil
REvil now specializes in executing supply chain attacks, which capitalize on the vulnerabilities of IoT devices used in the supply chain. This type of attack occurred in 2019 when the group began an assault against TSM Consulting Services. The company, a small Texas managed services provider, handles the web services for its client companies, similar to Kaseya.
The attack affected 22 of the client companies in record time, with the ransomware found on the clients’ servers. Although attempts were made to stop the attack by both the federal government and the state, they were unsuccessful, and the victims had to pay the ransom.
The individuals that make up REvil are veterans in carrying out ransomware attacks as they also infiltrated JBS Foods a month before the Kaseya attack. JBS Foods happens to be one of the largest meat suppliers in the world. The attack meant that the company had to shut down 11 beef processing facilities in Australia and close to 26 poultry processing plants in the USA temporarily.
Therefore, it became clear from these two incidents that the group was only gearing up for its most cataclysmic event yet: the Kaseya ransomware attack.
The outbreak of the attack
The moment the ransomware went live on July 2nd, 2021, victims reported that their systems went down. The victims ranged from entire cities in Maryland, USA, to kindergartens in New Zealand. The spread of the malware was so effective because the hackers infiltrated the Kaseya IT management software, which is used by around 60 managed service providers and 1,500 organizations.
According to experts, the malware was disguised as one of the regular updates that the company usually rolls out. However, instead of fixing bugs in the software, it caused systems to shut down. REvil now held sole control over all the victim companies’ data. To make matters worse, the only way to retrieve this data and bring the systems back online was a decryption key known only to the hackers, and the price of that key was pegged at $70 million.
One critical action organizations can take immediately towards winning the fight against such sophisticated cyber-attackers is understanding how they operate and blocking each step they take. Only a seasoned cybersecurity company with a team of experts can thwart these attacks before they take place. Cyber security should start at the board level as a priority, and organizations that fail to account for this will be continually compromised.
For more details and support, connect with the Cybernetic Global Intelligence cyber security team, your Cyber Security Service Provider, to find out how you can secure your network from unauthorized access and keep your confidential data safe.
We are a leading Aussie cybersecurity firm with years of experience in providing outstanding cybersecurity services. You can call 1300 292 376 or email contact@cybernetic-gi.com for assistance.