Author: Nick Sundvall
TLP: WHITE
1. Executive Summary
On 2 July, the threat actors behind REvil, also known as Sodinokibi, launched a massive ransomware attack targeting users of Kaseya’s remote monitoring and management service, VSA. In this supply chain attack, the actors exploited a zero-day vulnerability in Kaseya’s software to deploy ransomware on nearly 1500 company networks.[1] Kaseya stated that the attack compromised only customers of the on-premises version of VSA and that there is no evidence that it compromised SaaS customers.
After the attack, the actors stated the following on their blog: “On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.”[2]
2. REvil/Sodinokibi Background
In June 2019, we published a report[3] on Sodinokibi/REvil. At the time, it was a relatively new ransomware-as-a-service (RaaS), and it appeared to be one of the ransomware families filling a void left by the discontinuation of the popular ransomware Gandcrab. REvil was first identified in the wild on 17 April 2019, when threat actors exploited a vulnerability in Oracle WebLogic to install Sodinokibi on susceptible web servers.[2] Like Gandcrab, REvil uses an affiliate revenue system where threat actors sign up as affiliates, start using the ransomware for no initial fee, and share a percentage of their profits.
As we noted in 2019, the fact that REvil is freely available means its distribution methods vary from one threat actor to another. Even in 2019, REvil affiliates had distributed the ransomware by compromising MSPs, distributing malicious spam emails, and hacking websites that host downloadable executables to replace the legitimate software with copies of REvil.[4]
3. Kaseya Attack Analysis
3.1. Malicious Software Update
Sophos reported that the actors delivered the ransomware to VSA servers via a malicious update, and the update employed a zero-day exploit of the server platform to deploy the ransomware to the managed Windows machines. According to Sophos, this approach gave the threat actors the advantages of 1) compromising the downstream companies by abusing the trusted VSA service, and 2) avoiding being stopped by antivirus software (AV), because VSA requires that several folders as well as the Kaseya executables be excluded from AV monitoring.
3.2. Ransomware Deployment
Upon receiving the malicious update, the VSA agent wrote an encoded malicious payload into its working directory, C:\KWORKING\. The agent then ran several Windows shell commands that repeatedly pinged localhost; this ping loop acted as a sleep function, delaying the subsequent commands for approximately 90 minutes.
The agent then ran a PowerShell command that disabled Microsoft Defender’s anti-malware and anti-ransomware protections. At this point, the agent made a copy of certutil.exe, the Windows certificate utility that can download and decode content, and used the executable to decode the previously downloaded payload.
Sophos reported that the payload had a valid certificate but that it “may be stolen or fraudulently obtained” and that the payload was compiled a day before the attack, on 1 July. After the agent decoded the payload, the final shell command launched the malicious payload and the ransomware began to deploy. The report noted that due to mass deployment, the attack made no effort to exfiltrate any data.
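The chain in section 3.2 (localhost ping delay, Defender disabled via PowerShell, certutil copied, encoded payload decoded) and the file paths in the IoC table give a defender concrete process-creation patterns to hunt for. The following Python script is an added example, not part of the Infoblox advisory or Kaseya's detection tool; it runs those patterns over constructed sample log lines, and the Set-MpPreference command line and the decode output path are assumed sample values, not commands quoted by the advisory.

```python
import re
from collections import defaultdict

# Stage patterns built from the chain in section 3.2 and the file paths in
# the IoC table. The Set-MpPreference command line and the decode output
# path are assumed sample values, not commands quoted by the advisory.
STAGES = [
    ("ping_sleep", re.compile(r"\bping\b.*?(127\.0\.0\.1|localhost)\b.*?-n\s+\d{3,}", re.I)),
    ("defender_off", re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+\$true", re.I)),
    ("certutil_copy", re.compile(r"\bcopy\b.*?certutil\.exe.*?\\windows\\cert\.exe", re.I)),
    ("crt_decode", re.compile(r"\\cert\.exe\b.*?-decode\b.*?\\kworking\\agent\.crt", re.I)),
]
STAGE_ORDER = {name: i for i, (name, _) in enumerate(STAGES)}

# Constructed process-creation events, "timestamp|host|command line" (not real telemetry).
SAMPLE_LOG = [
    r"2021-07-02T18:01:00Z|WS-17|cmd.exe /c ping 127.0.0.1 -n 4979 > nul",
    r"2021-07-02T18:01:01Z|WS-17|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    r"2021-07-02T19:30:00Z|WS-17|cmd.exe /c copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe",
    r"2021-07-02T19:30:02Z|WS-17|C:\Windows\cert.exe -decode C:\kworking\agent.crt C:\kworking\agent.exe",
    r"2021-07-02T09:15:00Z|WS-04|cmd.exe /c ping 127.0.0.1 -n 2 > nul",
    r"2021-07-02T09:16:00Z|WS-04|certutil.exe -hashfile C:\Temp\setup.msi SHA256",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, host, command line)."""
    ts, host, cmd = line.split("|", 2)
    return ts, host, cmd


def detect(lines, min_stages=3):
    """Return {host: [stages]} for hosts on which at least min_stages stages of the
    chain appear, each first seen in the order section 3.2 describes."""
    first_seen = defaultdict(dict)  # host -> stage name -> timestamp of first match
    for line in lines:
        ts, host, cmd = parse_line(line)
        for name, pattern in STAGES:
            if name not in first_seen[host] and pattern.search(cmd):
                first_seen[host][name] = ts
    hits = {}
    for host, seen in first_seen.items():
        ordered = sorted(seen, key=STAGE_ORDER.__getitem__)
        times = [seen[s] for s in ordered]
        # A benign host may trip one pattern (a short ping, a certutil hash check);
        # require several stages and the described ordering before flagging.
        if len(ordered) >= min_stages and times == sorted(times):
            hits[host] = ordered
    return hits


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_LOG).items():
        print(host, "->", " > ".join(stages))
```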
4. Prevention and Mitigation
Kaseya recommends taking all on-premises VSA servers offline until further notice. Also, Kaseya has stated that they are actively working on a patch and hope to deploy it by 7 July. Finally, Kaseya has released a compromise detection tool that will help determine whether any IoCs are present on a system.[5]
Infoblox recommends backing up data and systems regularly to minimize the potential impact of ransomware in general, as well as practicing restoring from backups. Ideally, backups should be stored off the network.
Also, beware of scams looking to take advantage of this attack. Malwarebytes has already reported on a malspam phishing campaign that allegedly delivers a patch for the vulnerability exploited by the REvil threat actors.[6] In reality, the email attachment drops Cobalt Strike, a legitimate penetration-testing tool that threat actors abuse to deploy a program named Beacon. Beacon enables them to perform advanced post-exploitation functions, such as command execution, keylogging, file transfer, privilege escalation, port scanning, and lateral movement.
5. Indicators of Compromise
Indicator | Description
--- | ---
C:\windows\cert.exe | Copied certutil
C:\windows\msmpeng.exe | Executable vulnerable to DLL sideload
C:\kworking\agent.crt | REvil dropper used in Kaseya exploit
C:\windows\mpsvc.dll | REvil ransomware DLL
Endnotes
1. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
2. https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
3. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–21
4. https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/
5. https://kaseya.app.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict
6. https://twitter.com/MBThreatIntel/status/1412518446013812737/