
This article was published on July 5, 2021

REvil’s humungous $70M Kaseya ransomware attack, explained

It's one of the largest ransomware incidents in the last several years.


Last Friday was quite a doozy in the cybersecurity world: the Russia-linked REvil ransomware gang is believed to be behind a massive supply chain attack that crippled hundreds of businesses across the US and elsewhere. Now the group wants $70 million in exchange for a universal tool to decrypt the files it has locked on victims’ networks.

The Record’s Catalin Cimpanu reported that REvil has claimed responsibility for the attack and put out the call for the enormous ransom. If paid, it would be the largest ransom payment in the history of ransomware.

At the same time, US President Biden said on Sunday “we’re not certain” who was behind the attack, and he’s directed intelligence agencies to investigate.

How did this happen?

Last week’s attack targeted VSA, a piece of software developed by an American IT management software company called Kaseya. VSA is a remote monitoring and management tool: it lets administrators remotely control an organization’s servers, workstations and other hardware, as well as the software and services running on them, including pushing updates to every managed machine.


VSA is used by large corporations, as well as service providers who manage system administration for smaller companies that don’t have their own IT departments.

Kaseya VSA Network Topology View
Kaseya’s VSA software allows managed service providers to remotely oversee their clients’ IT networks.

Per The Record, malware analyst Mark Loman (from security software company Sophos) noted that a malicious VSA update hit multiple systems where this tool was in use. Because VSA exists to push software to the machines it manages, that malicious update was then deployed from each compromised VSA server to all connected client computers and servers.

Once on an endpoint, the payload first disables the local antivirus protection, then launches what looks like a Windows Defender process: an outdated but legitimately signed Defender executable that side-loads the ransomware as a DLL, so the malicious code runs under a trusted name. The ransomware then does what REvil is known for and encrypts the files on the infected computer so they cannot be read without the decryption key.

This is an example of what’s called a supply chain attack: instead of breaking into each victim directly, the attacker compromises a trusted piece of software or its update channel, and the trust that customers place in that software carries the malicious code into other parts of the target’s network, or, as here, into a large number of targets that all use said software.
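The attack chain described above boils down to two endpoint behaviours that are visible in ordinary process-creation telemetry: a command that switches off the local antivirus, and a binary wearing a Windows Defender component’s name while running from a directory Defender never installs into. The following is an added example of a detection pass over such events; it is not code from the article, from Kaseya or from Sophos. The event shape, hostnames, paths and command lines are constructed, and the Defender install directories and the Set-MpPreference switches used as indicators are assumptions about a typical Windows baseline that a real deployment would take from its own fleet.

```python
"""Hunt for the two endpoint behaviours in the attack chain: (1) a command
that turns off the local antivirus, and (2) a Defender-named binary executing
outside Defender's own directories.  Added illustration, not the article's or
Kaseya's code; every event below is constructed."""
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events, one JSON object per line.
SAMPLE_LOG = r"""
{"Host": "ws01", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "CommandLine": "MsMpEng.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Host": "ws01", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.5-0\\MsMpEng.exe", "CommandLine": "MsMpEng.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Host": "ws02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Host": "ws02", "Image": "C:\\Users\\Public\\MsMpEng.exe", "CommandLine": "C:\\Users\\Public\\MsMpEng.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Host": "ws03", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

# Executable names that belong to Windows Defender.
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
# Directories Defender legitimately runs from (assumed baseline; adjust to the fleet).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
# Set-MpPreference switches that turn protections off; matched case-insensitively.
AV_DISABLE_MARKERS = (
    "-disablerealtimemonitoring",
    "-disableioavprotection",
    "-disablebehaviormonitoring",
    "-disablescriptscanning",
)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def disables_antivirus(event: dict) -> bool:
    """Rule 1: the command line carries a protection-disabling switch."""
    cmd = event.get("CommandLine", "").lower()
    return any(marker in cmd for marker in AV_DISABLE_MARKERS)


def defender_lookalike(event: dict) -> bool:
    """Rule 2: a Defender-named image running outside Defender's directories."""
    image = PureWindowsPath(event.get("Image", ""))
    if image.name.lower() not in DEFENDER_BINARIES:
        return False
    parent = str(image.parent).lower()
    return not any(parent.startswith(d) for d in DEFENDER_DIRS)


def scan(events) -> list:
    """Apply both rules to an iterable of event dicts, in log order."""
    findings = []
    for ev in events:
        if disables_antivirus(ev):
            findings.append(Finding(ev["Host"], "av_disabled", ev["CommandLine"]))
        if defender_lookalike(ev):
            findings.append(Finding(ev["Host"], "defender_lookalike", ev["Image"]))
    return findings


def scan_log(text: str) -> list:
    """Parse newline-delimited JSON events and scan them."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

Run against the constructed log, the two legitimate Defender launches on ws01 and the notepad launch on ws03 pass silently, while ws02 produces one finding per rule. Matching on the image path rather than just the file name is the point of rule 2: the side-loaded payload borrows Defender’s name precisely so that name-based allowlists wave it through.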

How bad is it?

Sophos noted on July 2 that “more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations.” The REvil gang noted on its dark web blog that more than a million systems were infected.

Among them is Coop, a Swedish supermarket chain. The company has temporarily closed some 800 of its stores across the country as a result of the attack which has impacted its cash registers.

Swedish supermarket chain Coop has had to temporarily close 800 of its stores as a result of the attack. Image via Coop

This incident is believed to be one of the largest supply chain attacks of all time.

REvil is the name of a ransomware-as-a-service (RaaS) operation: its developers maintain the malware and the payment infrastructure, and affiliated cybercriminals use REvil’s malware to target companies, such as managed service providers, lock their clients’ files, and demand a ransom, splitting the proceeds with the developers. The developers behind REvil are believed to be in, from, or linked to Russia.

REvil has previously been used to swipe device schematics from Apple supplier Quanta Computer, and the actors behind that attack threatened to release the documents unless paid a ransom of $50 million. For reasons that were never explained, the group removed all references to that incident from its site a week later. REvil was also responsible for a recent breach of Acer’s systems. And last month, when US-based meat supplier JBS was hit by REvil, the company paid out $11 million to recover access to its systems.

Can we fix it?

Kaseya’s first step to mitigate the damage was to instruct its customers to take their VSA servers offline immediately. Since the payload was delivered through VSA’s own update mechanism, any server left running was a potential channel for pushing the ransomware to yet more endpoints.

CEO Fred Voccola told CRN that the company is working to resolve the situation. It is currently pen-testing a patch for VSA, so it should be able to help its clients bring their servers back online soon. A patch only closes the route the attackers used to get in, however; it does nothing for files that have already been encrypted, which still need REvil’s key or a working backup.

Voccola also said, “The technical teams are working with them [impacted MSPs] around the clock. We’re helping them from a legal perspective. We’re helping them deal with the authorities, whether it’s federal or state. We’re helping them navigate with their insurance providers.”

What’s next?

It remains to be seen how Kaseya and its clients will navigate this. There’s the matter of the $70 million decryption tool that could, in principle, solve the problem at hand. However, the US FBI has consistently discouraged victims from paying up. Sage advice, considering that according to a Sophos report from this year, 92% of organizations that do pay are unable to recover all their data; most victims who cough up the cash only manage to partially recover the contents of their encrypted files.
