A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack.
Starting this afternoon, the REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.
At this time, there eight known large MSPs that have been hit as part of this supply-chain attack.
Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.
Huntress Labs' John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well.
"We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted," Hammond told BleepingComputer.
Kaseya issued a security advisory on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack's spread while investigating.
"We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.
We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.
Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA."
In a statement to BleepingComputer, Kaseya stated that they have shut down their SaaS servers and are working with other security firms to investigate the incident.
Most large-scale ransomware attacks are conducted late at night over the weekend when there is less staff to monitor the network.
As this attack happened midday on a Friday, the threat actors likely planned the time to coincide with the July 4th weekend in the USA, where it is common for staff to have a shorter workday before the holidays.
According to Hammond, Kaseya VSA will drop an agent.crt file to the c:\kworking folder, which is being distributed as an update called 'Kaseya VSA Agent Hot-fix.'
A PowerShell command is then launched to decode the agent.crt file using the legitimate Windows certutil.exe command and extract an agent.exe file to the same folder.PowerShell command to execute the REvil ransomware
The agent.exe is signed using a certificate from "PB03 TRANSPORT LTD" and includes an embedded 'MsMpEng.exe' and 'mpsvc.dll,' with the DLL being the REvil encryptor.Signed agent.exe file
The MsMPEng.exe is an older version of the legitimate Microsoft Defender executable used as a LOLBin to launch the DLL and encrypt the device through a trusted executable.The agent.exe extracting and launching embedded resources
Some of the samples add politically charged Windows Registry keys and configurations changes to infected computers.
For example, a sample [VirusTotal] installed by BleepingComputer adds the HKLM\SOFTWARE\Wow6432Node\BlackLivesMatter key to store configuration information from the attack.
Huntress continues to provide more info about the attack in a Reddit thread.
In a statement to BleepingComputer late Friday night, Kaseya said they found the vulnerability that was used during the attack and that a patch will be released as soon as possibly.
"While our investigation is ongoing, to date we believe that:
- Our SaaS customers were never at-risk. We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24 hours;
- Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.
We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running." - Kaseya.
BleepingComputer has sent followup questions regarding the vulnerability but has not heard back at this time.
A sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer. However, it is unknown if this is the sample used for every victim or if each MSP received its own ransom demand.
The ransomware gang is demanding a $5,000,000 ransom to receive a decryptor from one of the samples.Ransom demand
While REvil is known to steal data before deploying the ransomware and encrypting devices, it is unknown if the attackers exfiltrated any files.
MSPs are a high-value target for ransomware gangs as they offer an easy channel to infecting many companies through a single breach, yet the attacks require intimate knowledge about MSPs and the software they use.
REvil has an affiliate well versed in the technology used by MSPs as they have a long history of targeting these companies and the software commonly used by them.
In June 2019, an REvil affiliate targeted MSPs via Remote Desktop and then used their management software to push ransomware installers to all of the endpoints that they manage.
This affiliate is believed to have previously worked with GandCrab, who also successfully conducted attacks against MSPs in January 2019.
This is a developing story and will continue to be updated.
Update 7/1/21 10:30 PM EST: Added updated statement about vulnerability.