REvil’s Reign: Kaseya VSA Ransomware Supply Chain Attack Decoded

By Kath Kennelly, Associate Product Manager

Recently, thousands of Kaseya VSA servers were exploited using a malicious update payload. Bypassing access configurations, REvil leveraged a zero-day authentication flaw and an arbitrary command execution vulnerability to deliver its malware. Variants of the malicious VSA software agent.exe, a common executable file name, were distributed through a working path and executed the REvil ransomware. Once run, a PowerShell command disabled Windows Defender so that it would not detect the malicious code execution hidden inside the superficially legitimate certificate file, agent.crt. From there, a SQL command injection against Kaseya's VSA server database spread the ransomware onto more than a thousand victims' remotely managed and monitored devices.

Huntress Labs, a company that provides threat detection and response services to Managed Service Providers (MSPs), has provided details on initial indicators of compromise for this attack, as seen in the image below:

Image Source: Huntress Labs

This attack targeted a number of U.S.-based managed service providers (MSPs) and global third parties, and it is not the first time we have seen REvil overpower the supply chain. REvil is the same ransomware-as-a-service (RaaS) group behind the JBS food processing hack a little over two months ago.

Hosted on a dark web domain, REvil's Happy Blog acts as a platform for negotiating and paying ransoms. However, the cost of ransomware is only escalating. According to the Palo Alto Networks Threat Report, the average payment following a ransomware attack rose 171%, from $115,123 to $312,493, in 2020. With a "Universal Decryptor" promised to Kaseya victims in exchange for a high price, affected parties are scrambling to respond. Beyond the cost of buying back resources, the damage has been done: companies lose weeks, if not months, to operational downtime.

Image Source: Mark Loman (Twitter)

Luckily, there are strategies to avoid the mess that is ransomware and maintain the security of your company.

Anticipating Ransomware Before It Hits: Harden and Detect 

When it comes to protection against ransomware, the "best practices" start with anticipation. With attackers increasingly targeting zero-day vulnerabilities, developers cannot patch the underlying flaws ahead of time. Thus, by enacting a prepare, harden, and detect methodology aimed at keeping ransomware away from critical business functions, companies and their third parties may avoid paying the ransomware toll.

Prepare For the Worst

During the attack, the attackers gathered and encrypted data ranging from certificates, passports, and national ID cards to non-disclosure agreements. Thus, recovery processes and backups must be implemented and tested with critical stakeholders to minimize the financial, operational, and reputational damage of ransomware attacks. Furthermore, hosting encrypted backups securely offline removes the risk of threat actors targeting on-site backups and leaving victims without a plan.

Protect Third Parties as You Would Your Own Company 

The responsibility for mitigating risk is not limited to one company alone. As companies continue to rely on third parties and vendors to provide services and further business goals, they absorb the risks of the supply chain. No matter how cutting-edge your security landscape is, the weakest link in the supply chain is a threat actor's keys to the kingdom. By enacting a proactive, preventative approach to third-party risk management, companies can detect and manage risks by treating third parties as an open attack vector that needs to be patched.

With this in mind, companies and their third parties need simple tools to identify complex security gaps and maintain threat intelligence. CyberGRX's platform provides validated assessments that immediately identify the third parties that pose the highest risk to your business. In addition, CyberGRX's Kaseya Supply Chain Attack Threat Profile identified 32 primary controls across 12 control groups that would have been needed to detect, prevent, and mitigate the threat of REvil's ransomware.

The Threat Profile: REvil Ransomware – Kaseya Supply Chain Attack is now available in the CyberGRX Framework Mapper tool. This allows a company to pull a report for an individual third party and view its coverage of the controls identified as critical to REvil ransomware protection.
