Kaseya VSA ransomware attack (2021): Difference between revisions
Jump to navigation
Jump to search
Content added Content deleted
(Paragraph included in "aftermath" section regarding recent developments.) |
(small edits following Dominique's update) |
||
| Line 1: | Line 1: | ||
{| class="wikitable" |
{| class="wikitable" |
||
! scope="row"|Date |
! scope="row"|Date |
||
|The attack took place on 2nd July 2021.<ref>RBS, [https://www.riskbasedsecurity.com/2021/07/12/the-kaseya-attack-everything-to-know/ |
|The attack took place on 2nd July 2021.<ref>RBS, [https://www.riskbasedsecurity.com/2021/07/12/the-kaseya-attack-everything-to-know/ ‘The Kaseya Attack: Everything to Know’], Risk Based Security (12 July 2021)</ref> |
||
|- |
|- |
||
! scope="row"|Suspected actor |
! scope="row"|Suspected actor |
||
|REvil (i.e., Ransomware Evil<ref>Lucian Constantin, [https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html |
|REvil (i.e., Ransomware Evil<ref>Lucian Constantin, [https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html ‘REvil ransomware explained: A widespread extortion operation’], CSO Online (17 November 2020)</ref>) group, which is also known as Sodinokibi.<ref>Cahrlie Osborn, [https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/ ‘Updated Kaseya ransomware attack FAQ:What we know now’], ZDNet, (23 July 2021)</ref> It is a Russian speaking and Russia-based Ransomware as-a-service (RaaS) gang. Moreover, according to Lawfare, "It really is the McDonald's of the criminal world with a very high profile".<ref name=":0">Nicolas Weaver, [https://www.lawfareblog.com/what-happened-kaseya-vsa-incident ‘What Happened in the Kaseya VSA Incident?’], Lawfare (4 July 2021) </ref> |
||
|- |
|- |
||
! scope="row"|Target |
! scope="row"|Target |
||
| Line 10: | Line 10: | ||
|- |
|- |
||
! scope="row"|Target systems |
! scope="row"|Target systems |
||
|In general, the target systems were using Virtual System Administrator (VSA) software. The reason why Kaseya VSA was an attractive target is that this software is used by managed service providers (MSP),<ref name=":0" /> which includes thousands of small businesses.<ref>Davey Winder, [https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=5d6d6c2957c0 $70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems |
|In general, the target systems were using Virtual System Administrator (VSA) software. The reason why Kaseya VSA was an attractive target is that this software is used by managed service providers (MSP),<ref name=":0" /> which includes thousands of small businesses.<ref>Davey Winder, [https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=5d6d6c2957c0 ‘$70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems Hit’], Forbes (5 July 2021)</ref> |
||
|- |
|- |
||
! scope="row"|Method |
! scope="row"|Method |
||
|The attack was first detected as a supply chain attack. This idea was supported by US Cybersecurity and Infrastructure Security Agency and the FBI.<ref>[https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa |
|The attack was first detected as a supply chain attack. This idea was supported by US Cybersecurity and Infrastructure Security Agency and the FBI.<ref>[https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa ‘CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack’] (4 July 2021)</ref> Nevertheless, a question arose later whether Kaseya was not facing a more conventional exploit attack targeting Kaseya VSA,<ref name=":0" /><ref>RBS, [https://www.riskbasedsecurity.com/2021/07/14/is-the-kaseya-hack-actually-a-supply-chain-attack/ ‘Is the Kaseya Hack Actually a Supply Chain Attack?, Risk Based Security’] (14 July 2021)</ref> as it was not clear if the aimed upstream (VSA) was targeted for purpose of scaling downstream exploitation or not. Nevertheless, the conclusion was that it was a supply chain attack.<ref>Matt Howard, [https://blog.sonatype.com/kaseya-ransomware-supply-chain ‘Kaseya Ransomware: a Software Supply Chain Attack or Not?’], sonatype (6 July 2021)</ref> |
||
|- |
|- |
||
! scope="row"|Purpose |
! scope="row"|Purpose |
||
|Primarily causing economic loss to Kaseya and its customers.<ref>Alex Marquardt, [https://edition.cnn.com/2021/07/05/business/ransomware-group-payment-kaseya/index.html |
|Primarily causing economic loss to Kaseya and its customers.<ref>Alex Marquardt, [https://edition.cnn.com/2021/07/05/business/ransomware-group-payment-kaseya/index.html ‘Ransomware group demands $70 million for Kaseya attack’], CNN (5 July 2021)</ref> REvil in a post on their leak site announced that the universal decryption key was worth $70 million in BTC. This amount was the highest ransom demand to date.<ref>Ionut Ilascu, [https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/ ‘REvil ransomware asks $70 million to decrypt all Kaseya attack victims’], BleepingComputer (5 July 2021)</ref> |
||
|- |
|- |
||
! scope="row"|Result |
! scope="row"|Result |
||
|According to Reuters, between 800 and 1500 businesses worldwide were affected by the attack.<ref>Raphael Satter, [https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/ |
|According to Reuters, between 800 and 1500 businesses worldwide were affected by the attack.<ref>Raphael Satter, [https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/ ‘Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says’], Reuters ( 6 July 2021)</ref> One of the victims is also Coop, a Swedish chain of supermarkets, which was forced to close over more than half of its stores in Sweden.<ref>Joe Tidy, [https://www.bbc.com/news/technology-57707530 ‘Swedish Coop supermarkets shut due to US ransomware cyber-attack’], BBC (3 July 2021)</ref> Moreover, the ransomware attack also hit 11 schools in New Zealand.<ref>[https://www.nzherald.co.nz/nz/worldwide-ransomware-attack-st-peters-college-and-10-other-schools-hit-by-us-cyber-attack/JACHAD3OPGUOF7ZIF4PJXDPICA/ ‘Worldwide ransomware attack: St Peter’s College and 10 other schools hit by US cyber attack’], NZHerald (4 July 2021)</ref> |
||
|- |
|- |
||
! scope="row"|Aftermath |
! scope="row"|Aftermath |
||
|On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.<ref>Joe Tidy, [https://www.bbc.com/news/technology-57946117 |
|On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.<ref>Joe Tidy, [https://www.bbc.com/news/technology-57946117 ‘Ransomware key to unlock customer data from REvil attack’], BBC (23 July 2021)</ref> |
||
It is interesting that this was a universal decryptor key. This situation was explained by REvil on 9 September in an illicit Russian-language forum as “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”<ref>Michael Novinson, [https://www.crn.com/news/security/revil-we-accidentally-leaked-kaseya-universal-decryptor-key |
It is interesting that this was a universal decryptor key. This situation was explained by REvil on 9 September in an illicit Russian-language forum as “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”<ref>Michael Novinson, [https://www.crn.com/news/security/revil-we-accidentally-leaked-kaseya-universal-decryptor-key ‘REvil: We Accidentally Leaked Kaseya Universal Decryptor Key’], CRN (10 September 2021)</ref> |
||
On 8 November 2021, the US Department of Justice announced the indictment of Yaroslav Vasinskyi, an Ukrainian national detained in Poland in October,<ref>Mitchell Clark, [https://www.theverge.com/2021/11/8/22770701/revil-ransomware-arrest-kaseya-crypto-europol-cybersecurity |
On 8 November 2021, the US Department of Justice announced the indictment of Yaroslav Vasinskyi, an Ukrainian national detained in Poland in October,<ref>Mitchell Clark, [https://www.theverge.com/2021/11/8/22770701/revil-ransomware-arrest-kaseya-crypto-europol-cybersecurity ‘An alleged member of the REvil ransomware gang has been arrested in Poland’], The Verge (8 November 2021)</ref> charged for allegedly deploying the REvil ransomware attack against Kaseya.<ref>US Department of Justice, [https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya ‘Ukrainian Arrested and Charged with Ransomware Attack on Kaseya’], Press Release (8 November 2021); Ryan Gallagher and Jack Gillum, [https://www.bloomberg.com/news/articles/2021-11-08/interpol-arrest-five-alleged-members-behind-revil-ransomware ‘Police Arrest Five Members Tied to the REvil Ransomware Gang’], Bloomberg (8 November 2021)</ref> In addition, in January 2022, Russia’s Federal Security Service arrested 14 alleged members of the REvil gang.<ref>Kevin Collier, [https://www.nbcnews.com/tech/security/russia-arrests-ransomware-gang-responsible-high-profile-cyberattacks-rcna12235 ‘Russia arrests ransomware gang responsible for high-profile cyberattacks’], NBC News (14 January 2022)</ref> The authorities claim to have dismantled the group and charged several of its members, acting on the basis of information provided by the US.<ref name=":JT">Joe Tidy, [https://www.bbc.com/news/technology-59998925 ‘REvil ransomware gang arrested in Russia’], BBC (14 January 2022)</ref> |
||
|- |
|- |
||
! scope="row"|Analysed in |
! scope="row"|Analysed in |
||
Latest revision as of 10:13, 7 March 2022
| Date | The attack took place on 2nd July 2021.[1] |
|---|---|
| Suspected actor | REvil (i.e., Ransomware Evil[2]) group, which is also known as Sodinokibi.[3] It is a Russian speaking and Russia-based Ransomware as-a-service (RaaS) gang. Moreover, according to Lawfare, "It really is the McDonald's of the criminal world with a very high profile".[4] |
| Target | Kaseya, a global IT infrastructure provider.[4] |
| Target systems | In general, the target systems were using Virtual System Administrator (VSA) software. The reason why Kaseya VSA was an attractive target is that this software is used by managed service providers (MSP),[4] which includes thousands of small businesses.[5] |
| Method | The attack was first detected as a supply chain attack. This idea was supported by US Cybersecurity and Infrastructure Security Agency and the FBI.[6] Nevertheless, a question arose later whether Kaseya was not facing a more conventional exploit attack targeting Kaseya VSA,[4][7] as it was not clear if the aimed upstream (VSA) was targeted for purpose of scaling downstream exploitation or not. Nevertheless, the conclusion was that it was a supply chain attack.[8] |
| Purpose | Primarily causing economic loss to Kaseya and its customers.[9] REvil in a post on their leak site announced that the universal decryption key was worth $70 million in BTC. This amount was the highest ransom demand to date.[10] |
| Result | According to Reuters, between 800 and 1500 businesses worldwide were affected by the attack.[11] One of the victims is also Coop, a Swedish chain of supermarkets, which was forced to close over more than half of its stores in Sweden.[12] Moreover, the ransomware attack also hit 11 schools in New Zealand.[13] |
| Aftermath | On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.[14]
It is interesting that this was a universal decryptor key. This situation was explained by REvil on 9 September in an illicit Russian-language forum as “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”[15] On 8 November 2021, the US Department of Justice announced the indictment of Yaroslav Vasinskyi, an Ukrainian national detained in Poland in October,[16] charged for allegedly deploying the REvil ransomware attack against Kaseya.[17] In addition, in January 2022, Russia’s Federal Security Service arrested 14 alleged members of the REvil gang.[18] The authorities claim to have dismantled the group and charged several of its members, acting on the basis of information provided by the US.[19] |
| Analysed in | Scenario 14: Ransomware campaign |
Collected by: Anna Blechová
- ↑ RBS, ‘The Kaseya Attack: Everything to Know’, Risk Based Security (12 July 2021)
- ↑ Lucian Constantin, ‘REvil ransomware explained: A widespread extortion operation’, CSO Online (17 November 2020)
- ↑ Cahrlie Osborn, ‘Updated Kaseya ransomware attack FAQ:What we know now’, ZDNet, (23 July 2021)
- ↑ 4.0 4.1 4.2 4.3 Nicolas Weaver, ‘What Happened in the Kaseya VSA Incident?’, Lawfare (4 July 2021)
- ↑ Davey Winder, ‘$70 Million Demanded As REvil Ransomware Attackers Claim 1 Million Systems Hit’, Forbes (5 July 2021)
- ↑ ‘CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack’ (4 July 2021)
- ↑ RBS, ‘Is the Kaseya Hack Actually a Supply Chain Attack?, Risk Based Security’ (14 July 2021)
- ↑ Matt Howard, ‘Kaseya Ransomware: a Software Supply Chain Attack or Not?’, sonatype (6 July 2021)
- ↑ Alex Marquardt, ‘Ransomware group demands $70 million for Kaseya attack’, CNN (5 July 2021)
- ↑ Ionut Ilascu, ‘REvil ransomware asks $70 million to decrypt all Kaseya attack victims’, BleepingComputer (5 July 2021)
- ↑ Raphael Satter, ‘Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says’, Reuters ( 6 July 2021)
- ↑ Joe Tidy, ‘Swedish Coop supermarkets shut due to US ransomware cyber-attack’, BBC (3 July 2021)
- ↑ ‘Worldwide ransomware attack: St Peter’s College and 10 other schools hit by US cyber attack’, NZHerald (4 July 2021)
- ↑ Joe Tidy, ‘Ransomware key to unlock customer data from REvil attack’, BBC (23 July 2021)
- ↑ Michael Novinson, ‘REvil: We Accidentally Leaked Kaseya Universal Decryptor Key’, CRN (10 September 2021)
- ↑ Mitchell Clark, ‘An alleged member of the REvil ransomware gang has been arrested in Poland’, The Verge (8 November 2021)
- ↑ US Department of Justice, ‘Ukrainian Arrested and Charged with Ransomware Attack on Kaseya’, Press Release (8 November 2021); Ryan Gallagher and Jack Gillum, ‘Police Arrest Five Members Tied to the REvil Ransomware Gang’, Bloomberg (8 November 2021)
- ↑ Kevin Collier, ‘Russia arrests ransomware gang responsible for high-profile cyberattacks’, NBC News (14 January 2022)
- ↑ Joe Tidy, ‘REvil ransomware gang arrested in Russia’, BBC (14 January 2022)