Kaseya VSA ransomware attack (2021): Difference between revisions

From International cyber law: interactive toolkit
Jump to navigation Jump to search
No edit summary
(small edits following Dominique's update)
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
''This page is under construction.''
 
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! scope="row"|Date
 
! scope="row"|Date
|The attack took place on 2nd July 2021.<ref>RBS, [https://www.riskbasedsecurity.com/2021/07/12/the-kaseya-attack-everything-to-know/ The Kaseya Attack: Everything to Know], Risk Based Security (12 July 2021)</ref>
+
|The attack took place on 2nd July 2021.<ref>RBS, [https://www.riskbasedsecurity.com/2021/07/12/the-kaseya-attack-everything-to-know/ ‘The Kaseya Attack: Everything to Know’], Risk Based Security (12 July 2021)</ref>
 
|-
 
|-
 
! scope="row"|Suspected actor
 
! scope="row"|Suspected actor
|REvil (i.e., Ransomware Evil<ref>Lucian Constantin, [https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html REvil ransomware explained: A widespread extortion operation], CSO Online (17 November 2020)</ref>) group, which is also known as Sodinokibi.<ref>Cahrlie Osborn, [https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/ Updated Kaseya ransomware attack FAQ:What we know now, ZDNet], (23 July 2021)</ref> It is a Russian speaking and Russia-based Ransomware as-a-service (RaaS) gang. Moreover, according to Lawfare, "It really is the McDonald's of the criminal world with a very high profile".<ref name=":0">Nicolas Weaver, [https://www.lawfareblog.com/what-happened-kaseya-vsa-incident What Happened in the Kesaya VSA Incident?],  Lawfare ( 4 July 2021) </ref>
+
|REvil (i.e., Ransomware Evil<ref>Lucian Constantin, [https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html ‘REvil ransomware explained: A widespread extortion operation’], CSO Online (17 November 2020)</ref>) group, which is also known as Sodinokibi.<ref>Cahrlie Osborn, [https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/ ‘Updated Kaseya ransomware attack FAQ:What we know now’], ZDNet, (23 July 2021)</ref> It is a Russian speaking and Russia-based Ransomware as-a-service (RaaS) gang. Moreover, according to Lawfare, "It really is the McDonald's of the criminal world with a very high profile".<ref name=":0">Nicolas Weaver, [https://www.lawfareblog.com/what-happened-kaseya-vsa-incident ‘What Happened in the Kaseya VSA Incident?], Lawfare (4 July 2021) </ref>
 
|-
 
|-
 
! scope="row"|Target
 
! scope="row"|Target
Line 12: Line 10:
 
|-
 
|-
 
! scope="row"|Target systems
 
! scope="row"|Target systems
|In general, the target systems were using Virtual System Administrator (VSA) software. The reason why Kaseya VSA was an attractive target is that this software is used by managed service providers (MSP),<ref name=":0" /> which includes thousands of small businesses.<ref>Davey Winder, [https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=5d6d6c2957c0 $70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems Hit], Forbes (5 July 2021)</ref>
+
|In general, the target systems were using Virtual System Administrator (VSA) software. The reason why Kaseya VSA was an attractive target is that this software is used by managed service providers (MSP),<ref name=":0" /> which includes thousands of small businesses.<ref>Davey Winder, [https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=5d6d6c2957c0 $70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems Hit’], Forbes (5 July 2021)</ref>
 
|-
 
|-
 
! scope="row"|Method
 
! scope="row"|Method
|The attack was first detected as a supply chain attack. This idea was supported by US Cybersecurity and Infrastructure Security Agency and the FBI.<ref>[https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack] (4 July 2021)</ref> Nevertheless, a question arose later whether Kaseya was not facing a more conventional exploit attack targeting Kaseya VSA,<ref>RBS, [https://www.riskbasedsecurity.com/2021/07/14/is-the-kaseya-hack-actually-a-supply-chain-attack/ Is the Kaseya Hack Actually a Supply Chain Attack?, Risk Based Security] (14 July 2021)</ref> <ref name=":0" /> as it was not clear if the aimed upstream (VSA) was targeted for purpose of scaling downstream exploitation or not. Nevertheless, the conclusion was that it was a supply chain attack.<ref>Matt Howard, [https://blog.sonatype.com/kaseya-ransomware-supply-chain Kaseya Ransomware: a Software Supply Chain Attack or Not?], sonatype (6 July 2021)</ref>
+
|The attack was first detected as a supply chain attack. This idea was supported by US Cybersecurity and Infrastructure Security Agency and the FBI.<ref>[https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa ‘CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack’] (4 July 2021)</ref> Nevertheless, a question arose later whether Kaseya was not facing a more conventional exploit attack targeting Kaseya VSA,<ref name=":0" /><ref>RBS, [https://www.riskbasedsecurity.com/2021/07/14/is-the-kaseya-hack-actually-a-supply-chain-attack/ ‘Is the Kaseya Hack Actually a Supply Chain Attack?, Risk Based Security’] (14 July 2021)</ref> as it was not clear if the aimed upstream (VSA) was targeted for purpose of scaling downstream exploitation or not. Nevertheless, the conclusion was that it was a supply chain attack.<ref>Matt Howard, [https://blog.sonatype.com/kaseya-ransomware-supply-chain ‘Kaseya Ransomware: a Software Supply Chain Attack or Not?], sonatype (6 July 2021)</ref>
 
|-
 
|-
 
! scope="row"|Purpose
 
! scope="row"|Purpose
|Primarily causing economic loss to Kaseya and its customers.<ref>Alex Marquardt, [https://edition.cnn.com/2021/07/05/business/ransomware-group-payment-kaseya/index.html Ransomware group demands $70 million for Kaseya attack], CNN (5 July 2021)</ref> REvil in a post on their leak site announced that the universal decryption key was worth $70 million in BTC. This amount was the highest ransom demand to date.<ref>Ionut Ilascu, [https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/ REvil ransomware asks $70 million to decrypt all Kaseya attack victims, BleepingComputer] (5 July 2021)</ref>
+
|Primarily causing economic loss to Kaseya and its customers.<ref>Alex Marquardt, [https://edition.cnn.com/2021/07/05/business/ransomware-group-payment-kaseya/index.html ‘Ransomware group demands $70 million for Kaseya attack’], CNN (5 July 2021)</ref> REvil in a post on their leak site announced that the universal decryption key was worth $70 million in BTC. This amount was the highest ransom demand to date.<ref>Ionut Ilascu, [https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/ ‘REvil ransomware asks $70 million to decrypt all Kaseya attack victims’], BleepingComputer (5 July 2021)</ref>
 
|-
 
|-
 
! scope="row"|Result
 
! scope="row"|Result
|According to Reuters, between 800 and 1500 businesses worldwide were affected by the attack.<ref>Raphael Satter, [https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/ Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says], Reuters ( 6 July 2021)</ref> One of the victims is also Coop, a Swedish chain of supermarkets, which was forced to close over more than half of its stores in Sweden.<ref>Joe Tidy, [https://www.bbc.com/news/technology-57707530 Swedish Coop supermarkets shut due to US ransomware cyber-attack,] BBC (3 July 2021)</ref> Moreover, the ransomware attack also hit 11 schools in New Zealand.<ref>[https://www.nzherald.co.nz/nz/worldwide-ransomware-attack-st-peters-college-and-10-other-schools-hit-by-us-cyber-attack/JACHAD3OPGUOF7ZIF4PJXDPICA/ Worldwide ransomware attack: St Peter’s College and 10 other schools hit by US cyber attack],  NZHerald (4 July 2021)</ref>
+
|According to Reuters, between 800 and 1500 businesses worldwide were affected by the attack.<ref>Raphael Satter, [https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/ ‘Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says’], Reuters ( 6 July 2021)</ref> One of the victims is also Coop, a Swedish chain of supermarkets, which was forced to close over more than half of its stores in Sweden.<ref>Joe Tidy, [https://www.bbc.com/news/technology-57707530 ‘Swedish Coop supermarkets shut due to US ransomware cyber-attack’], BBC (3 July 2021)</ref> Moreover, the ransomware attack also hit 11 schools in New Zealand.<ref>[https://www.nzherald.co.nz/nz/worldwide-ransomware-attack-st-peters-college-and-10-other-schools-hit-by-us-cyber-attack/JACHAD3OPGUOF7ZIF4PJXDPICA/ ‘Worldwide ransomware attack: St Peter’s College and 10 other schools hit by US cyber attack’], NZHerald (4 July 2021)</ref>
 
|-
 
|-
 
! scope="row"|Aftermath
 
! scope="row"|Aftermath
|On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.<ref>Joe Tidy, [https://www.bbc.com/news/technology-57946117 Ransomware key to unlock customer data from REvil attack], BBC (23 July 2021)</ref>
+
|On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.<ref>Joe Tidy, [https://www.bbc.com/news/technology-57946117 ‘Ransomware key to unlock customer data from REvil attack’], BBC (23 July 2021)</ref>
It is interesting that this was a universal decryptor key. This situation was explained by REvil on 9 September in an illicit Russian-language forum as “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”<ref>Michael Novinson, [https://www.crn.com/news/security/revil-we-accidentally-leaked-kaseya-universal-decryptor-key REvil: We Accidentally Leaked Kaseya Universal Decryptor Key],  CRN (10 September 2021)</ref>
+
It is interesting that this was a universal decryptor key. This situation was explained by REvil on 9 September in an illicit Russian-language forum as “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”<ref>Michael Novinson, [https://www.crn.com/news/security/revil-we-accidentally-leaked-kaseya-universal-decryptor-key ‘REvil: We Accidentally Leaked Kaseya Universal Decryptor Key’],  CRN (10 September 2021)</ref>
  +
  +
On 8 November 2021, the US Department of Justice announced the indictment of Yaroslav Vasinskyi, an Ukrainian national detained in Poland in October,<ref>Mitchell Clark, [https://www.theverge.com/2021/11/8/22770701/revil-ransomware-arrest-kaseya-crypto-europol-cybersecurity ‘An alleged member of the REvil ransomware gang has been arrested in Poland’], The Verge (8 November 2021)</ref> charged for allegedly deploying the REvil ransomware attack against Kaseya.<ref>US Department of Justice, [https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya ‘Ukrainian Arrested and Charged with Ransomware Attack on Kaseya’], Press Release (8 November 2021); Ryan Gallagher and Jack Gillum, [https://www.bloomberg.com/news/articles/2021-11-08/interpol-arrest-five-alleged-members-behind-revil-ransomware ‘Police Arrest Five Members Tied to the REvil Ransomware Gang’], Bloomberg (8 November 2021)</ref> In addition, in January 2022, Russia’s Federal Security Service arrested 14 alleged members of the REvil gang.<ref>Kevin Collier, [https://www.nbcnews.com/tech/security/russia-arrests-ransomware-gang-responsible-high-profile-cyberattacks-rcna12235 ‘Russia arrests ransomware gang responsible for high-profile cyberattacks’], NBC News (14 January 2022)</ref> The authorities claim to have dismantled the group and charged several of its members, acting on the basis of information provided by the US.<ref name=":JT">Joe Tidy, [https://www.bbc.com/news/technology-59998925 ‘REvil ransomware gang arrested in Russia’], BBC (14 January 2022)</ref>
 
|-
 
|-
 
! scope="row"|Analysed in
 
! scope="row"|Analysed in
Line 33: Line 33:
 
Collected by: [[People#Research_assistants|Anna Blechová]]
 
Collected by: [[People#Research_assistants|Anna Blechová]]
   
<!--[[Category:Example]]
+
[[Category:Example]]
[[Category:2013 and before]]-->
+
[[Category:2021]]

Latest revision as of 10:13, 7 March 2022

Date The attack took place on 2nd July 2021.[1]
Suspected actor REvil (i.e., Ransomware Evil[2]) group, which is also known as Sodinokibi.[3] It is a Russian speaking and Russia-based Ransomware as-a-service (RaaS) gang. Moreover, according to Lawfare, "It really is the McDonald's of the criminal world with a very high profile".[4]
Target Kaseya, a global IT infrastructure provider.[4]
Target systems In general, the target systems were using Virtual System Administrator (VSA) software. The reason why Kaseya VSA was an attractive target is that this software is used by managed service providers (MSP),[4] which includes thousands of small businesses.[5]
Method The attack was first detected as a supply chain attack. This idea was supported by US Cybersecurity and Infrastructure Security Agency and the FBI.[6] Nevertheless, a question arose later whether Kaseya was not facing a more conventional exploit attack targeting Kaseya VSA,[4][7] as it was not clear if the aimed upstream (VSA) was targeted for purpose of scaling downstream exploitation or not. Nevertheless, the conclusion was that it was a supply chain attack.[8]
Purpose Primarily causing economic loss to Kaseya and its customers.[9] REvil in a post on their leak site announced that the universal decryption key was worth $70 million in BTC. This amount was the highest ransom demand to date.[10]
Result According to Reuters, between 800 and 1500 businesses worldwide were affected by the attack.[11] One of the victims is also Coop, a Swedish chain of supermarkets, which was forced to close over more than half of its stores in Sweden.[12] Moreover, the ransomware attack also hit 11 schools in New Zealand.[13]
Aftermath On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.[14]

It is interesting that this was a universal decryptor key. This situation was explained by REvil on 9 September in an illicit Russian-language forum as “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”[15]

On 8 November 2021, the US Department of Justice announced the indictment of Yaroslav Vasinskyi, an Ukrainian national detained in Poland in October,[16] charged for allegedly deploying the REvil ransomware attack against Kaseya.[17] In addition, in January 2022, Russia’s Federal Security Service arrested 14 alleged members of the REvil gang.[18] The authorities claim to have dismantled the group and charged several of its members, acting on the basis of information provided by the US.[19]

Analysed in Scenario 14: Ransomware campaign

Collected by: Anna Blechová

  1. RBS, ‘The Kaseya Attack: Everything to Know’, Risk Based Security (12 July 2021)
  2. Lucian Constantin, ‘REvil ransomware explained: A widespread extortion operation’, CSO Online (17 November 2020)
  3. Cahrlie Osborn, ‘Updated Kaseya ransomware attack FAQ:What we know now’, ZDNet, (23 July 2021)
  4. 4.0 4.1 4.2 4.3 Nicolas Weaver, ‘What Happened in the Kaseya VSA Incident?’, Lawfare (4 July 2021)
  5. Davey Winder, ‘$70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems Hit’, Forbes (5 July 2021)
  6. ‘CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack’ (4 July 2021)
  7. RBS, ‘Is the Kaseya Hack Actually a Supply Chain Attack?, Risk Based Security’ (14 July 2021)
  8. Matt Howard, ‘Kaseya Ransomware: a Software Supply Chain Attack or Not?’, sonatype (6 July 2021)
  9. Alex Marquardt, ‘Ransomware group demands $70 million for Kaseya attack’, CNN (5 July 2021)
  10. Ionut Ilascu, ‘REvil ransomware asks $70 million to decrypt all Kaseya attack victims’, BleepingComputer (5 July 2021)
  11. Raphael Satter, ‘Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says’, Reuters ( 6 July 2021)
  12. Joe Tidy, ‘Swedish Coop supermarkets shut due to US ransomware cyber-attack’, BBC (3 July 2021)
  13. ‘Worldwide ransomware attack: St Peter’s College and 10 other schools hit by US cyber attack’, NZHerald (4 July 2021)
  14. Joe Tidy, ‘Ransomware key to unlock customer data from REvil attack’, BBC (23 July 2021)
  15. Michael Novinson, ‘REvil: We Accidentally Leaked Kaseya Universal Decryptor Key’,  CRN (10 September 2021)
  16. Mitchell Clark, ‘An alleged member of the REvil ransomware gang has been arrested in Poland’, The Verge (8 November 2021)
  17. US Department of Justice, ‘Ukrainian Arrested and Charged with Ransomware Attack on Kaseya’, Press Release (8 November 2021); Ryan Gallagher and Jack Gillum, ‘Police Arrest Five Members Tied to the REvil Ransomware Gang’, Bloomberg (8 November 2021)
  18. Kevin Collier, ‘Russia arrests ransomware gang responsible for high-profile cyberattacks’, NBC News (14 January 2022)
  19. Joe Tidy, ‘REvil ransomware gang arrested in Russia’, BBC (14 January 2022)