Author: Nick Sundvall
1. Executive Summary
On 2 July, the threat actors behind REvil, also known as Sodinokibi, launched a massive ransomware attack targeting users of Kaseya’s remote monitoring and management service, VSA. In this supply chain attack, the actors exploited a zero-day vulnerability in Kaseya’s software to deploy ransomware on nearly 1500 company networks. [1] Kaseya stated that the attack compromised only customers of the on-premises version of VSA and that there is no evidence that it compromised SaaS customers.
After the attack, the actors stated the following on their blog: “On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.” [2]
2. REvil/Sodinokibi Background
In June 2019, we published a report [3] on Sodinokibi/REvil. At the time, it was a relatively new ransomware-as-a-service (RaaS), and it appeared to be one of the ransomware families filling the void left by the discontinuation of the popular GandCrab ransomware. REvil was first identified in the wild on 17 April 2019, when threat actors exploited a vulnerability in Oracle WebLogic to install Sodinokibi on susceptible web servers. [2] Like GandCrab, REvil uses an affiliate revenue model: threat actors sign up as affiliates, start using the ransomware with no initial fee, and share a percentage of their profits with the operators.
As we noted in 2019, because REvil is freely available to affiliates, its distribution methods vary from one threat actor to another. Even in 2019, REvil affiliates had distributed the ransomware by compromising MSPs, sending malicious spam emails, and hacking websites that host downloadable executables in order to replace the legitimate software with copies of REvil. [4]
3. Kaseya Attack Analysis
3.1. Malicious Software Update
Sophos reported that the actors delivered the ransomware to VSA servers via a malicious update, and that the update employed a zero-day exploit of the server platform to push the ransomware to the managed Windows machines. According to Sophos, this approach gave the threat actors two advantages: 1) they compromised the downstream companies by abusing the trusted VSA service, and 2) they avoided being stopped by antivirus software (AV), because VSA requires that several folders, as well as the Kaseya executables, be excluded from AV monitoring.
3.2. Ransomware Deployment
Upon receiving the malicious update, the VSA agent wrote an encoded malicious payload into its working directory, C:\KWORKING\. The agent then ran several Windows shell commands that repeatedly pinged localhost; this loop acted as a sleep function and delayed the subsequent commands by approximately 90 minutes.
The agent then ran a PowerShell command that disabled Microsoft Defender’s anti-malware and anti-ransomware protections. At this point, the agent made a copy of certutil.exe, the Windows certificate utility, which can also download and decode content, and used that copy to decode the previously written payload.
Sophos reported that the payload carried a valid code-signing certificate, but that the certificate “may be stolen or fraudulently obtained,” and that the payload was compiled a day before the attack, on 1 July. After the agent decoded the payload, the final shell command launched it and the ransomware began to deploy. The report noted that, because of the mass deployment, the attackers made no effort to exfiltrate any data.
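The deployment chain above has a recognizable shape in endpoint telemetry: a long ping-to-localhost sleep, a PowerShell command that turns Defender off, a decode operation against C:\KWORKING\, and finally a binary launched from that directory. The following detection logic is an added example written for this advisory, not code from Infoblox, Kaseya, or Sophos. It scores constructed process-creation events per host and flags hosts that exhibit several stages within a two-hour window (the 90-minute sleep means the stages are not adjacent in time). The log format, host names, and command lines are constructed; the assumption that the Defender change used the Set-MpPreference cmdlet is mine and is not stated on the page.

```python
"""Behavioural detection for the REvil/Kaseya deployment chain.

Added example, not vendor code.  Input events are constructed lines of the
form  ISO-timestamp|host|image path|command line  (a simplified stand-in for
Sysmon or EDR process-creation records).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WORKDIR = r"c:\kworking"      # agent working directory named in the advisory
WINDOW = timedelta(hours=2)   # stage 1 sleeps ~90 minutes before the rest

EVENT_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<image>[^|]*)\|(?P<cmd>.*)$")


def ping_sleep(image, cmd):
    """ping 127.0.0.1 -n <large count>: a shell 'sleep' of ten minutes or more."""
    m = re.search(r"-n\s+(\d+)", cmd)
    return "ping" in image and "127.0.0.1" in cmd and m is not None and int(m.group(1)) >= 600


def defender_disable(image, cmd):
    """PowerShell switching Defender protections off (Set-MpPreference assumed)."""
    return image.endswith("powershell.exe") and "set-mppreference" in cmd and "-disable" in cmd


def certutil_decode(image, cmd):
    """Any image running a -decode of a file in the working directory.
    The advisory says a *copy* of certutil was used, so the image name is
    deliberately not checked: only the argument pattern is."""
    return "-decode" in cmd and WORKDIR in cmd


def exec_from_workdir(image, cmd):
    """A process whose image lives under C:\\KWORKING\\."""
    return image.startswith(WORKDIR)


RULES = [("ping_sleep", ping_sleep), ("defender_disable", defender_disable),
         ("certutil_decode", certutil_decode), ("exec_from_workdir", exec_from_workdir)]


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "image": m["image"].lower(), "cmd": m["cmd"].lower()}


def match_stages(event):
    return {name for name, pred in RULES if pred(event["image"], event["cmd"])}


def detect(lines, window=WINDOW):
    """Return {host: set of stages} for the best window per host."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for stage in match_stages(ev):
            hits[ev["host"]].append((ev["ts"], stage))
    result = {}
    for host, events in hits.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):      # sliding window from each hit
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) > len(best):
                best = stages
        result[host] = best
    return result


def flagged_hosts(lines, min_stages=3, window=WINDOW):
    """Hosts showing at least min_stages distinct stages inside one window."""
    return sorted(h for h, s in detect(lines, window).items() if len(s) >= min_stages)


# Constructed sample telemetry: one compromised host, one admin who only
# changed a Defender setting, one host with ordinary activity.
SAMPLE_EVENTS = [
    "2021-07-02T14:00:00|WS-ACCT-01|c:\\windows\\system32\\ping.exe|ping 127.0.0.1 -n 5400 > nul",
    "2021-07-02T15:31:00|WS-ACCT-01|c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe|"
    "powershell Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true",
    "2021-07-02T15:31:05|WS-ACCT-01|c:\\windows\\cu.exe|c:\\windows\\cu.exe -decode c:\\kworking\\payload.b64 c:\\kworking\\payload.exe",
    "2021-07-02T15:31:10|WS-ACCT-01|c:\\kworking\\payload.exe|c:\\kworking\\payload.exe",
    "2021-07-02T09:00:00|WS-HR-07|c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe|"
    "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "2021-07-02T10:15:00|WS-DEV-03|c:\\windows\\system32\\ping.exe|ping 127.0.0.1 -n 4",
    "2021-07-02T10:16:00|WS-DEV-03|c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe|powershell Get-MpPreference",
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The single-stage hit on WS-HR-07 is why the threshold matters: an administrator legitimately changing a Defender setting should not page the on-call analyst, whereas three or more of these stages on one host inside the window is worth an immediate isolation decision. Because the page states that the attackers used a copy of certutil.exe, the decode rule matches on arguments rather than on the image name, which a renamed binary would otherwise evade.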
4. Prevention and Mitigation
Kaseya recommends taking all on-premises VSA servers offline until further notice. Kaseya has also stated that it is actively working on a patch and hopes to deploy it by 7 July. Finally, Kaseya has released a compromise detection tool that helps determine whether any IoCs are present on a system. [5]
Infoblox recommends backing up data and systems regularly to minimize the potential impact of ransomware in general, as well as practicing restoring from backups. Ideally, backups should be stored off the network.
Also, beware of scams looking to take advantage of this attack. Malwarebytes has already reported on a malspam phishing campaign that claims to deliver a patch for the vulnerability exploited by the REvil threat actors. [6] In reality, the email attachment drops Cobalt Strike, a legitimate penetration-testing tool that threat actors abuse to deploy its implant, Beacon. Beacon enables them to perform advanced post-exploitation functions, such as command execution, keylogging, file transfer, privilege escalation, port scanning, and lateral movement.
5. Indicators of Compromise
Executable vulnerable to DLL sideload
REvil dropper used in Kaseya exploit
REvil ransomware DLL
Domains Found In REvil Config File