Ransomware attacks are usually aimed at specific, carefully chosen targets. But last weekend, the REvil group (also known as Sodinokibi) managed to claim hundreds of victims, perhaps thousands, in various parts of the world. To do this, the attackers exploited a vulnerability in a system from Kaseya, a company that provides IT management software to organizations of various kinds.
Preliminary information suggests that around 1,000 companies have been affected by ransomware, but that number could be much higher. Not surprisingly, this is considered one of the biggest attacks ever carried out with this type of malware — if not the biggest.
If you work in IT, you have probably heard of Kaseya. The company specializes in systems for managing networks and technology infrastructure. These tools are used primarily by managed service providers (MSPs), that is, companies that manage IT resources on behalf of other companies.
How the attack was conducted
If Kaseya supplies systems to providers that in turn deliver IT services to other companies, then a security flaw in one of those tools puts every organization that uses it at risk, right? Right. That is how REvil managed to claim so many victims in such a short time.
The group exploited a zero-day flaw in Kaseya VSA, a system for remote monitoring and management. A zero-day flaw is one that is exploited before the developer releases a fix. The irony of this story is that Kaseya was already working on a fix for the problem, but the attack was carried out before that work was completed.
Discovered by security researcher Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure (DIVD) and identified as CVE-2021-30116, the flaw in Kaseya VSA was exploited last Friday (the 2nd).
As the issue involves the system’s update mechanism, attackers were able to quickly spread the ransomware to Kaseya VSA customers. To do this, the group used the strategy of inserting malicious code into legitimate software which, in turn, was distributed by the update mechanism.
This is a supply chain attack. In this kind of attack, the threat contaminates legitimate software that is later distributed through the official channels of the developer or supplier.
In the attack on Kaseya there was an aggravating factor: the VSA folders on Windows are configured so that security tools ignore their contents. This allowed the malware to run locally and then start an outdated version of the Windows Defender anti-malware service, passing through that tool unharmed.
From there, the ransomware had a clear path to encrypt files on the infected computers and complete the attack.
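The two conditions described above, a scanning exclusion that shelters a dropped payload and an out-of-date copy of the Defender service binary, are both things an administrator can audit. The script below is an added example written for this article, not code from the article or from Kaseya; it assumes an elevated Windows PowerShell session and the usual Defender install locations, and the list of "risky" extensions is a constructed choice.

```powershell
# Added example (not from the article or from Kaseya). Audits, from a
# defender's side, the two conditions the attack chain above relied on:
#   1. Defender path exclusions: a directory excluded from scanning is a place
#      where a dropped payload can execute unexamined, so report every
#      exclusion that currently contains executable content.
#   2. Stray Defender engine copies: report any MsMpEng.exe (the Windows
#      Defender antimalware service binary) found outside the expected
#      platform directories, with its file version beside the running one.
# Run in an elevated Windows PowerShell 5+ session. The roots below are the
# usual Defender install locations; adjust them if your build differs.

$expectedEngineRoots = @(
    "$env:ProgramData\Microsoft\Windows Defender\Platform",
    "$env:ProgramFiles\Windows Defender"
)
# Constructed list of extensions treated as executable content for this audit.
$riskyExtensions = @('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js')

$status  = Get-MpComputerStatus
$running = [version]$status.AMServiceVersion
Write-Host "Running antimalware service version: $running"

# 1. Exclusions that currently shelter executable content
foreach ($path in (Get-MpPreference).ExclusionPath) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # wildcard or missing paths are skipped
    $payloads = Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $riskyExtensions -contains $_.Extension.ToLower() }
    if ($payloads) {
        Write-Warning ("Exclusion '{0}' shelters {1} executable file(s)" -f $path, @($payloads).Count)
    }
}

# 2. Defender engine binaries living outside the expected directories
Get-ChildItem -Path "$env:SystemDrive\" -Filter MsMpEng.exe -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $expected = $false
        foreach ($root in $expectedEngineRoots) {
            if ($file.FullName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $expected = $true }
        }
        if ($expected) { return }   # inside ForEach-Object, 'return' moves on to the next file
        $v = $file.VersionInfo
        $fileVersion = [version]::new($v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
        Write-Warning ("Defender engine copy outside expected roots: {0} (file {1}, running {2})" -f `
            $file.FullName, $fileVersion, $running)
    }
```

The full-drive search in step 2 is slow on large volumes; narrowing it to the directories your endpoint management agent writes to is a reasonable first pass.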
A $70 million ransom
When REvil or any other ransomware group claims a victim, the ransom demanded is usually based on an assessment of the company's ability to pay. But the recent attack broke the pattern. The number of victims is so large that REvil has created a pricing policy, so to speak.
Investigations indicate that, initially, the group asked for ransoms of US$ 5 million from companies that act as MSPs and between US$ 40 thousand and US$ 50 thousand from their clients.
However, records of some negotiations show that, in fact, each ransom demand of between $40,000 and $50,000 applies to a single encryption extension.
The problem is that, when encrypting files, the attackers can use multiple extensions in the same attack. BleepingComputer points out that one of the victims found more than ten extensions on their systems, prompting the attackers to demand a $500,000 ransom.
Later, a post published by REvil on a dark web blog showed that the group is willing to release a universal tool capable of recovering all victims' data in exchange for a payment of $70 million in bitcoin.
This is the largest ransom REvil has ever demanded.
US president promises to investigate
With so many victims, the damage caused by this attack is enormous. To give one example, The New York Times reports that around 800 stores of the Coop supermarket chain in Sweden had to close because of the ransomware.
On its blog, REvil claims that more than a million systems were infected, although this number has not been verified.
The matter is so serious that Joe Biden, president of the United States, ordered the country’s intelligence agencies to investigate the attack to identify the culprits.
It will not be an easy task. REvil operates on a ransomware-as-a-service model. This means that the group recruits "affiliates" to carry out attacks with its ransomware and, when they succeed, takes a percentage of the ransoms they collect.
This approach not only makes it difficult to identify those responsible for the attacks, it also increases the malware’s reach.
Among REvil's most recent victims is the Brazilian company JBS, which paid the equivalent of US$ 11 million in cryptocurrency as a ransom to prevent the attackers from leaking internal data.
Everything indicates that Grupo Fleury was also a victim of REvil, although the company has not acknowledged the attack.
With information: Wired, The Verge, BleepingComputer, Reuters, The Washington Post, The New York Times.