Kaseya VSA ransomware attack (2021)

From International cyber law: interactive toolkit
Jump to navigation Jump to search
Date The attack took place on 2nd July 2021.[1]
Suspected actor REvil (i.e., Ransomware Evil[2]) group, which is also known as Sodinokibi.[3] It is a Russian speaking and Russia-based Ransomware as-a-service (RaaS) gang. Moreover, according to Lawfare, "It really is the McDonald's of the criminal world with a very high profile".[4]
Target Kaseya, a global IT infrastructure provider.[4]
Target systems In general, the target systems were using Virtual System Administrator (VSA) software. The reason why Kaseya VSA was an attractive target is that this software is used by managed service providers (MSP),[4] which includes thousands of small businesses.[5]
Method The attack was first detected as a supply chain attack. This idea was supported by US Cybersecurity and Infrastructure Security Agency and the FBI.[6] Nevertheless, a question arose later whether Kaseya was not facing a more conventional exploit attack targeting Kaseya VSA,[4][7] as it was not clear if the aimed upstream (VSA) was targeted for purpose of scaling downstream exploitation or not. Nevertheless, the conclusion was that it was a supply chain attack.[8]
Purpose Primarily causing economic loss to Kaseya and its customers.[9] REvil in a post on their leak site announced that the universal decryption key was worth $70 million in BTC. This amount was the highest ransom demand to date.[10]
Result According to Reuters, between 800 and 1500 businesses worldwide were affected by the attack.[11] One of the victims is also Coop, a Swedish chain of supermarkets, which was forced to close over more than half of its stores in Sweden.[12] Moreover, the ransomware attack also hit 11 schools in New Zealand.[13]
Aftermath On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.[14]

It is interesting that this was a universal decryptor key. This situation was explained by REvil on 9 September in an illicit Russian-language forum as “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”[15]

On 8 November 2021, the US Department of Justice announced the indictment of Yaroslav Vasinskyi, an Ukrainian national detained in Poland in October,[16] charged for allegedly deploying the REvil ransomware attack against Kaseya.[17] In addition, in January 2022, Russia’s Federal Security Service arrested 14 alleged members of the REvil gang.[18] The authorities claim to have dismantled the group and charged several of its members, acting on the basis of information provided by the US.[19]

Analysed in Scenario 14: Ransomware campaign

Collected by: Anna Blechová

  1. RBS, ‘The Kaseya Attack: Everything to Know’, Risk Based Security (12 July 2021)
  2. Lucian Constantin, ‘REvil ransomware explained: A widespread extortion operation’, CSO Online (17 November 2020)
  3. Cahrlie Osborn, ‘Updated Kaseya ransomware attack FAQ:What we know now’, ZDNet, (23 July 2021)
  4. 4.0 4.1 4.2 4.3 Nicolas Weaver, ‘What Happened in the Kaseya VSA Incident?’, Lawfare (4 July 2021)
  5. Davey Winder, ‘$70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems Hit’, Forbes (5 July 2021)
  6. ‘CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack’ (4 July 2021)
  7. RBS, ‘Is the Kaseya Hack Actually a Supply Chain Attack?, Risk Based Security’ (14 July 2021)
  8. Matt Howard, ‘Kaseya Ransomware: a Software Supply Chain Attack or Not?’, sonatype (6 July 2021)
  9. Alex Marquardt, ‘Ransomware group demands $70 million for Kaseya attack’, CNN (5 July 2021)
  10. Ionut Ilascu, ‘REvil ransomware asks $70 million to decrypt all Kaseya attack victims’, BleepingComputer (5 July 2021)
  11. Raphael Satter, ‘Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says’, Reuters ( 6 July 2021)
  12. Joe Tidy, ‘Swedish Coop supermarkets shut due to US ransomware cyber-attack’, BBC (3 July 2021)
  13. ‘Worldwide ransomware attack: St Peter’s College and 10 other schools hit by US cyber attack’, NZHerald (4 July 2021)
  14. Joe Tidy, ‘Ransomware key to unlock customer data from REvil attack’, BBC (23 July 2021)
  15. Michael Novinson, ‘REvil: We Accidentally Leaked Kaseya Universal Decryptor Key’,  CRN (10 September 2021)
  16. Mitchell Clark, ‘An alleged member of the REvil ransomware gang has been arrested in Poland’, The Verge (8 November 2021)
  17. US Department of Justice, ‘Ukrainian Arrested and Charged with Ransomware Attack on Kaseya’, Press Release (8 November 2021); Ryan Gallagher and Jack Gillum, ‘Police Arrest Five Members Tied to the REvil Ransomware Gang’, Bloomberg (8 November 2021)
  18. Kevin Collier, ‘Russia arrests ransomware gang responsible for high-profile cyberattacks’, NBC News (14 January 2022)
  19. Joe Tidy, ‘REvil ransomware gang arrested in Russia’, BBC (14 January 2022)