Kaseya VSA ransomware attack (2021): Difference between revisions
Revision as of 12:17, 25 October 2021
This page is under construction.
| Date | The attack took place on 2 July 2021.[1] |
|---|---|
| Suspected actor | REvil (i.e., Ransomware Evil[2]) group, also known as Sodinokibi.[3] It is a Russian-speaking, Russia-based ransomware-as-a-service (RaaS) gang. According to Lawfare, “It really is the McDonald's of the criminal world with a very high profile”.[4] |
| Target | Kaseya, a global IT infrastructure provider.[4] |
| Target systems | The target systems were running Kaseya's Virtual System Administrator (VSA) software. Kaseya VSA was an attractive target because the software is used by managed service providers (MSPs),[4] whose customers include thousands of small businesses.[5] |
| Method | The attack was initially classified as a supply chain attack, a characterisation supported by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.[6] A question later arose whether Kaseya was instead facing a more conventional exploitation attack against Kaseya VSA,[7][4] since it was not clear whether the upstream component (VSA) had been targeted for the purpose of scaling downstream exploitation.[8] The conclusion nevertheless was that it was a supply chain attack. |
| Purpose | Primarily causing economic loss to Kaseya and its customers.[9] In a post on its leak site, REvil announced that the universal decryption key would cost $70 million in BTC, the highest ransom demand to date.[10] |
| Result | According to Reuters, between 800 and 1,500 businesses worldwide were affected by the attack.[11] One of the victims was Coop, a Swedish supermarket chain, which was forced to close more than half of its stores in Sweden.[12] The ransomware attack also hit 11 schools in New Zealand.[13] |
| Aftermath | On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed “trusted third party” and was helping victims restore their files.[14] Notably, this was a universal decryptor key. REvil explained the situation on 9 September in an illicit Russian-language forum: “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”[15] |
| Analysed in | Scenario 14: Ransomware campaign |
Collected by: Anna Blechová
- ↑ RBS, The Kaseya Attack: Everything to Know, Risk Based Security (12 July 2021)
- ↑ Lucian Constantin, [REvil ransomware explained: A widespread extortion operation](https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html), CSO Online (17 November 2020)
- ↑ Charlie Osborne, [Updated Kaseya ransomware attack FAQ: What we know now](https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/), ZDNet (23 July 2021)
- ↑ Nicholas Weaver, [What Happened in the Kaseya VSA Incident?](https://www.lawfareblog.com/what-happened-kaseya-vsa-incident), Lawfare (4 July 2021)
- ↑ Davey Winder, $70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems Hit, Forbes (5 July 2021)
- ↑ CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack, CISA (4 July 2021)
- ↑ RBS, Is the Kaseya Hack Actually a Supply Chain Attack?, Risk Based Security (14 July 2021)
- ↑ Matt Howard, Kaseya Ransomware: a Software Supply Chain Attack or Not?, Sonatype (6 July 2021)
- ↑ Alex Marquardt, Ransomware group demands $70 million for Kaseya attack, CNN (5 July 2021)
- ↑ Ionut Ilascu, REvil ransomware asks $70 million to decrypt all Kaseya attack victims, BleepingComputer (5 July 2021)
- ↑ Raphael Satter, Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says, Reuters (6 July 2021)
- ↑ Joe Tidy, Swedish Coop supermarkets shut due to US ransomware cyber-attack, BBC (3 July 2021)
- ↑ Worldwide ransomware attack: St Peter’s College and 10 other schools hit by US cyber attack, NZ Herald (4 July 2021)
- ↑ Joe Tidy, [Ransomware key to unlock customer data from REvil attack](https://www.bbc.com/news/technology-57946117), BBC (23 July 2021)
- ↑ Michael Novinson, [REvil: We Accidentally Leaked Kaseya Universal Decryptor Key](https://www.crn.com/news/security/revil-we-accidentally-leaked-kaseya-universal-decryptor-key), CRN (10 September 2021)