Kaseya VSA ransomware attack (2021): Difference between revisions

From International cyber law: interactive toolkit
Revision as of 06:19, 25 October 2021

This page is under construction.

Date: The attack took place on 2 July 2021.[1]

Suspected actor: The REvil (i.e., Ransomware Evil[2]) group, also known as Sodinokibi.[3] It is a Russian-speaking, Russia-based ransomware-as-a-service (RaaS) gang.

Moreover, according to Lawfare, "It really is the McDonald's of the criminal world with a very high profile".[4]

Target: Kaseya, a global IT infrastructure provider.[4]

Target systems: The target systems were instances of Kaseya's Virtual System Administrator (VSA) software. Kaseya VSA was an attractive target because it is used by managed service providers (MSPs) to administer their customers' systems:[4] a VSA server pushes software and commands to every endpoint it manages, so a compromised server gives the attacker the same reach. In practice this meant that thousands of small businesses downstream of the affected MSPs were hit.[5]

Method: At first sight the attack was classified as a supply-chain attack, a characterisation that the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI adopted in their joint guidance.[6] The question was subsequently raised whether Kaseya had instead suffered a more conventional exploit attack targeting Kaseya VSA.[7][4] The doubt arose because a supply-chain attack in the strict sense compromises the vendor's own build or distribution pipeline, and it was not clear whether the upstream component (VSA) had been targeted for the purpose of scaling exploitation downstream to the MSPs' customers, or simply exploited as deployed software.[8] The outcome of the discussion was nevertheless that it was a supply-chain attack.

Purpose: Primarily extortion, causing economic loss to Kaseya and its customers.[9] In a post on its leak site, REvil announced that the universal decryptor key could be had for $70 million in bitcoin, at the time the highest ransom demand to date.[10]

Result: According to Reuters, between 800 and 1,500 businesses worldwide were affected by the attack.[11] Among the victims was the Swedish supermarket chain Coop, which was forced to close more than half of its stores in Sweden.[12] The ransomware also hit 11 schools in New Zealand.[13]

Aftermath: On 23 July, Kaseya announced that it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.[14]

A notable circumstance is that a universal decryptor key existed at all, i.e. a single key that unlocked every victim rather than one victim's files. REvil offered an explanation on 9 September in a post on an illicit Russian-language forum: "One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That's how we sh*t ourselves."[15]

Analysed in: Scenario 14: Ransomware campaign

Collected by: Anna Blechová
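The aftermath entry above turns on a point of key management: a ransomware-as-a-service operator keeps a campaign master key that wraps each victim's key, so a "universal decryptor" is simply that master key applied to every victim, and letting it out (by misclick or otherwise) unlocks everyone at once. The following is an added illustration written for this page, not REvil's code and not the page's own; the three-tier hierarchy is a generic design, and the toy cipher, key sizes, victim identifiers and file contents are all constructed for the demo.

```python
"""Toy key hierarchy of a ransomware-as-a-service operation (added illustration).

Three tiers: a campaign master key held by the operator wraps one key per
victim, and each victim key wraps one key per file. A paying victim receives
only its own victim key; the master key alone reaches every victim, which is
what makes a "universal decryptor" possible. The cipher is a stdlib-only toy
(HMAC-SHA256 keystream plus an HMAC tag), not REvil's construction.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32
WRAPPED_KEY_LEN = NONCE_LEN + KEY_LEN + TAG_LEN  # fixed-size header in each file


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(kek: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC `payload` under `kek`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(kek, nonce, payload)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag and decrypt; raises ValueError under the wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or corrupted data")
    return _keystream_xor(kek, nonce, ct)


def encrypt_victim(master_key: bytes, victim_id: str, files: dict) -> dict:
    """Encrypt one victim's files; the victim key survives only wrapped under the master key."""
    victim_key = secrets.token_bytes(KEY_LEN)
    encrypted = {}
    for name, data in files.items():
        file_key = secrets.token_bytes(KEY_LEN)
        # per-file key wrapped under the victim key, followed by the file body
        encrypted[name] = wrap(victim_key, file_key) + wrap(file_key, data)
    return {
        "victim_id": victim_id,
        "files": encrypted,
        "victim_key_blob": wrap(master_key, victim_key),  # carried in the ransom note
    }


def decrypt_files(victim_key: bytes, encrypted_files: dict) -> dict:
    """Decrypt a victim's files with that victim's key (the per-victim decryptor)."""
    out = {}
    for name, blob in encrypted_files.items():
        file_key = unwrap(victim_key, blob[:WRAPPED_KEY_LEN])
        out[name] = unwrap(file_key, blob[WRAPPED_KEY_LEN:])
    return out


def release_victim_key(master_key: bytes, record: dict) -> bytes:
    """What the operator hands one paying victim: its own key, nothing more."""
    return unwrap(master_key, record["victim_key_blob"])


def universal_decrypt(master_key: bytes, records: list) -> dict:
    """A 'universal decryptor' is the master key applied to every victim record."""
    return {
        r["victim_id"]: decrypt_files(release_victim_key(master_key, r), r["files"])
        for r in records
    }


def demo() -> tuple:
    """Constructed sample: two MSP customers with one file each (not real victim data)."""
    master_key = secrets.token_bytes(KEY_LEN)
    victims = [
        encrypt_victim(master_key, "msp-a-client-1", {"ledger.txt": b"client-1 ledger"}),
        encrypt_victim(master_key, "msp-b-client-7", {"ledger.txt": b"client-7 ledger"}),
    ]
    key_1 = release_victim_key(master_key, victims[0])
    own_ok = decrypt_files(key_1, victims[0]["files"])["ledger.txt"] == b"client-1 ledger"
    try:  # one victim's key must not open another victim's files
        decrypt_files(key_1, victims[1]["files"])
        crosses_victims = True
    except ValueError:
        crosses_victims = False
    everyone = universal_decrypt(master_key, victims)
    return own_ok, crosses_victims, everyone
```

Running `demo()` shows the two properties the aftermath relies on: a released victim key opens that victim's files and nothing else, while `master_key` opens all of them. The failure mode REvil describes is inherent in this design: whoever holds the master key holds every victim, which is why a single released key could become the universal decryptor tool that Kaseya distributed on 23 July.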


  1. RBS, The Kaseya Attack: Everything to Know, Risk Based Security (12 July 2021), https://www.riskbasedsecurity.com/2021/07/12/the-kaseya-attack-everything-to-know/
  2. Lucian Constantin, REvil ransomware explained: A widespread extortion operation, CSO Online (17 November 2020), https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html
  3. Charlie Osborne, Updated Kaseya ransomware attack FAQ: What we know now, ZDNet (23 July 2021), https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
  4. Nicholas Weaver, What Happened in the Kaseya VSA Incident?, Lawfare (4 July 2021), https://www.lawfareblog.com/what-happened-kaseya-vsa-incident
  5. Davey Winder, $70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems Hit, Forbes (5 July 2021), https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=5d6d6c2957c0
  6. CISA and FBI, CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack (4 July 2021), https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
  7. RBS, Is the Kaseya Hack Actually a Supply Chain Attack?, Risk Based Security (14 July 2021), https://www.riskbasedsecurity.com/2021/07/14/is-the-kaseya-hack-actually-a-supply-chain-attack/
  8. Matt Howard, Kaseya Ransomware: a Software Supply Chain Attack or Not?, Sonatype (6 July 2021), https://blog.sonatype.com/kaseya-ransomware-supply-chain
  9. Alex Marquardt, Ransomware group demands $70 million for Kaseya attack, CNN (5 July 2021), https://edition.cnn.com/2021/07/05/business/ransomware-group-payment-kaseya/index.html
  10. Ionut Ilascu, REvil ransomware asks $70 million to decrypt all Kaseya attack victims, BleepingComputer (5 July 2021), https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/
  11. Raphael Satter, Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says, Reuters (6 July 2021), https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/
  12. Joe Tidy, Swedish Coop supermarkets shut due to US ransomware cyber-attack, BBC (3 July 2021), https://www.bbc.com/news/technology-57707530
  13. Worldwide ransomware attack: St Peter's College and 10 other schools hit by US cyber attack, NZ Herald (4 July 2021), https://www.nzherald.co.nz/nz/worldwide-ransomware-attack-st-peters-college-and-10-other-schools-hit-by-us-cyber-attack/JACHAD3OPGUOF7ZIF4PJXDPICA/
  14. Joe Tidy, Ransomware key to unlock customer data from REvil attack, BBC (23 July 2021), https://www.bbc.com/news/technology-57946117
  15. Michael Novinson, REvil: We Accidentally Leaked Kaseya Universal Decryptor Key, CRN (10 September 2021), https://www.crn.com/news/security/revil-we-accidentally-leaked-kaseya-universal-decryptor-key