REvil’s Reign: Kaseya VSA Ransomware Supply Chain Attack Decoded

6 minute read

July 2021

by cybergrx

Recently, thousands of Kaseya VSA servers were exploited using a malicious update payload. Bypassing access configurations, REvil leveraged zero-day authentication flaw and arbitrary command execution vulnerability to instill REvil’s malware. Variants of the malicious VSA software agent.exe, a popular executable file name, were distributed through a working path and executed REvil ransomware. 

Once carried out, the PowerShell command disabled Windows Defender from detecting malicious code execution found within the surface-level legitimate certificate file, agent.crt. From here, an SQL Command Injection onto Kaseya’s VSA server database spread the ransomware onto over a thousand victims’ remote managed and monitored devices.

Huntress Labs, a company that provides threat detection and response services to Managed Service Providers (MSPs), has provided details on initial indicators of compromise for the Kaseya ransomware attack, as seen in the image below:

This Kaseya ransomware VSA attack targeted a number of U.S. based managed service providers (MSPs) and global third parties, and it’s not the first time we’ve seen REvil overpower the supply chain. REvil is the same ransomware-as-a-service (RaaS) group behind the JBS food processing hack enacted a little over two months ago.

Hosted on a dark web domain, REvil’s Happy Blog acts as a platform for paying and negotiating ransomware bail. However, the cost of ransomware is only escalating. According to Palo Alto Networks Threat Report, the average payment following a ransomware attack rose 171% from $115,123 to $312,493 in 2020. With a promise for a “Universal Decryptor” for Kaseya victims, in exchange for a high price, affected parties are scrambling to respond. Beyond the costs of buying back resources, the damage has been done. Companies lose weeks, if not months, of operational downtime. 

So in light of the Kaseya ransomware attack, we’re diving into what ransomware is and how companies like yours can act proactively to avoid and mitigate these malicious attacks.

What Is Ransomware?

Ransomware is malicious software that infiltrates your system and “kidnaps” sensitive data or prevents systems from working properly until a ransom is paid. While there are many ways that ransomware infects systems, some of the most common include:

  • Unsecure sites
  • Phishing emails (or text messages)
  • Downloading infected files or software masquerading as something else
  • Social Engineering
  • Systems and software that are not up-to-date

While situations like the Kaseya ransomware attack can be devastating to any organization, those that have the most to lose are:

  • Schools: They have sensitive and confidential data for thousands of students.
  • Healthcare organizations: They hold private medical and identification data for the patients in their care. Moreover, an attack could have additional repercussions because their systems include critical life-saving equipment and information on patient medications and allergies.
  • Utility and energy companies: They affect living conditions for hundreds of thousands of households.
  • Government organizations: They have sensitive personal information as well as security concerns that can impact entire countries.

Ransomware is also troublesome to businesses of all sizes, particularly those that have apps, hold confidential information, or have a login process for their customers. In addition to the risks for their client data, a ransomware attack is a PR nightmare that erodes customers’ trust in your company. While it can be daunting to think of the months needed to fully resume normal operations after a ransomware attack, businesses must painstakingly rebuild trust.

Luckily there are strategies to avoid the mess that is ransomware and maintain the security of your company.

How to Prevent Ransomware Attacks

As we’ll explain below, the best strategy for preventing situations like the Kaseya VSA Ransomware attack is to anticipate problems and prepare for worst-case scenarios. However, you must also have a cybersecurity risk management protocol in place that minimizes opportunity for ransomware and other cybersecurity threats to gain a foothold in your company. Let’s dive into some key concepts to consider:

Data Backup Plans

Back up your data on a regular basis. While cloud backups are valuable, know that these can be vulnerable to ransomware as well. It’s wise to keep hard copies of your backups in a secure location to ensure that should you fall victim to cybersecurity threats like the Kaseya VSA Ransomware attack, you can recover more easily.

Keep Systems and Apps Up-to-Date

As developers locate new vulnerabilities, they regularly release and deploy security patches to minimize cybersecurity risk. This allows you to stay one step ahead of bad actors like REvil who was behind the Kaseya Ransomware attack. Organizations that are slow to update their software or platform remain vulnerable to attacks on legacy systems.

Whitelist Authorized Applications

This approach ensures that your team uses only vetted and secure applications. By whitelisting specific applications, you can control what is available on your systems and minimize the risk of social engineering or downloading infected applications.

Implement Email Best Practices

In addition to implementing secure email tactics, including DKIM authentication and encryption, you need to train your team. Make sure they understand best practices for email, including how to be aware of suspicious links, attachments, or senders.

Offer Regular Cybersecurity Awareness Training Opportunities

In addition to ensuring your system is technically secure, make sure your employees understand best security practices. Creating security-savvy teams involves helping them recognize and avoid phishing or social engineering attempts. Additionally, be sure to help them understand best practices for safe web browsing, VPN usage, and creating secure passwords.

What Are Zero-Day Vulnerabilities?

The Kaseya Ransomware attack happened when REvil exploited a zero-day vulnerability. But what are zero-day vulnerabilities, and how do they differ from other types of ransomware attacks?

Zero-day vulnerabilities are problems or flaws in your system that are impossible to detect and plan for because no one knows they exist. So when bad actors like REvil find these flaws before developers, they can gain a back door into your system and infect it.

It’s imperative to have proactive security protocols in place to search for problems before they are known. By doing so, you can create and deploy security patches that close the loop and prevent ransomware from infecting your business. In the end, true “best practices” start with anticipation.

Anticipating Ransomware Before It Hits: Harden and Detect 

With a growing tactic of targeting zero-day vulnerabilities, developers cannot prepare and patch security threats ahead of time. Thus, by enacting prepare, harden, and detect methodology toward preventing ransomware from accessing critical business functionalities, companies and their third parties may avoid paying the ransomware toll.

Prepare For the Worst

During the attack, they gathered and encrypted data spanning from certificates, passports, national ID cards, to even non-disclosure agreements. Thus, recovery processes and backups must be implemented and tested with critical stakeholders to minimize the financial, operational, and reputational damage of ransomware attacks. Furthermore, hosting encrypted backups securely offline can remove the risk of threat actors targeting on-site backups, leaving victims without a plan.  

Protect Third Parties as You Would Your Own Company 

The responsibility of mitigating risk is not limited to one company alone. As companies continue to rely on third parties and vendors to provide services and further business goals, they absorb the risks of the supply chain. No matter how cutting edge your security landscape is, the weakest link in the supply chain is a threat actor’s keys to the kingdom. By enacting a proactive, preventative approach to third-party risk management, companies can detect and manage risks by treating third parties as an open attack vector needing to be patched.

With this in mind, companies and their third parties need simple tools to identify complex security gaps and maintain threat intelligence. CyberGRX’s platform provides validated assessments that immediately identify third parties that pose the highest risk to your business. In addition, CyberGRX’s Kaseya Supply Chain Attack Threat Profile identified 32 primary controls throughout 12 control groups that would have been needed to detect, prevent, and mitigate the threat of REvil’s ransomware.

The Threat Profile: REvil Ransomware – Kaseya Supply Chain Attack is now available in the CyberGRX Framework Mapper tool. This allows a company to pull a report for individual third parties to view their coverage of these identified controls that have specifically been identified as critical to REvil ransomware protection.

CyberGRX excels at helping companies manage cyber risk and cyber reputations, including preventing and mitigating situations like the Kaseya ransomware attack. Schedule a demo to see how we can help your company.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.