REvil exploits Kaseya vulnerability to deliver ransomware.
Last Friday (July 2nd) Kaseya sustained an attack by REvil ransomware operators on its widely used VSA remote management product. Huntress Labs warned that ransomware had been deployed through on-premises VSA servers beginning around 11:00 AM EDT. It was a direct attack on those on-premises servers: the attackers exploited a zero-day vulnerability (CVE-2021-30116) that had been responsibly disclosed by the Dutch Institute for Vulnerability Disclosure (DIVD) and that Kaseya was in the process of fixing. Huntress stated, "We are tracking ~30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was used to encrypt well over 1,000 businesses and are working in collaboration with many of them. All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers."
The effects of the attack have been worldwide, roughly tracking the MSP market penetration of VSA, with the US and Germany showing the highest rates of infestation. Around sixty Kaseya customers are believed to have been directly affected, but since these tended to be MSPs, the ransomware in turn flowed to those customers' customers, whom it's affected indiscriminately. Kaseya thinks there are between eight-hundred and fifteen-hundred total downstream victims, that is, customers of the MSPs who use Kaseya's VSA.
The Wall Street Journal reports that ransomware infestations connected with the exploitation of Kaseya had, by Thursday, been found in six European countries. The Record reports that Kaseya's president and general manager for EMEA, Ronan Kirby, addressing a meeting convened by Belgium's CERT, said those six countries were the UK, the Netherlands, Germany, Sweden, Norway, and Italy. Eight of the sixty direct customers affected by the campaign are in Europe.
The REvil operators demanded a total of $70 million to unlock all of the victims' data. BleepingComputer has found only two victims who've paid any ransom, and concludes that the responsible REvil affiliate is unlikely to get the big payday they're hoping for. The article suggests that the criminals failed to exfiltrate data, relying simply on making the files unusable instead. If so, that would represent a departure from the double extortion—encryption plus data theft—that has become the norm in ransomware campaigns. BleepingComputer suggests another reason for the apparent lack of criminal success. REvil went after the software itself, the better to cast a broad net, and so passed up the now customary step of wiping or encrypting backups. "[A]n MSP and multiple victims encrypted during the attack told BleepingComputer that none of their backups were affected, and they chose to restore rather than paying a ransom." So the victims may have simply opted to restore from backups and bite the bullet on any doxing that may develop later.
Sophos has written up a technical analysis of the incident: "The outbreak was delivered via a malicious update payload sent out to VSA servers, and in turn to the VSA agent applications running on managed Windows devices. It appears this was achieved using a zero-day exploit of the server platform. This gave REvil cover in several ways: it allowed initial compromise through a trusted channel, and leveraged trust in the VSA agent code—reflected in anti-malware software exclusions that Kaseya requires for set-up for its application and agent “working” folders. Anything executed by the Kaseya Agent Monitor is therefore ignored because of those exclusions—which allowed REvil to deploy its dropper without scrutiny."
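The practical lesson in Sophos's analysis is that an anti-malware exclusion removes scanning of a folder, not visibility into what runs from it: process-creation telemetry still records the agent monitor spawning a binary out of its "working" folder. The following is an added example, not code from the article or from Sophos, Huntress or Kaseya, of a detection pass that keys on exactly that. It assumes (the page does not say) that the agent monitor process is named AgentMon.exe and that the excluded folders are C:\kworking and the Kaseya install directory; the process events it runs over are constructed for the example.

```python
"""Detection pass over constructed process-creation events: flag binaries run out of
the anti-malware-excluded Kaseya working folders.

Added example, not code from the article, Sophos, Huntress or Kaseya. Assumed
(not stated on the page): the agent monitor process is AgentMon.exe and the
excluded folders are C:\\kworking and the Kaseya install directory. Every event
below is constructed for this example, not taken from the incident."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Folders an admin excludes from AV scanning per Kaseya's setup guidance (assumed defaults).
AV_EXCLUSIONS = [r"C:\kworking", r"C:\Program Files (x86)\Kaseya"]
AGENT_MONITOR = "agentmon.exe"  # assumed process name of the Kaseya Agent Monitor
# Built-in tools the agent can be made to invoke to stage a payload without scanning.
LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_under(path: str, folder: str) -> bool:
    """Component-wise containment, so C:\\kworking2 does not match C:\\kworking."""
    try:
        PureWindowsPath(path.lower()).relative_to(PureWindowsPath(folder.lower()))
        return True
    except ValueError:
        return False


def is_excluded(path: str) -> bool:
    return any(is_under(path, folder) for folder in AV_EXCLUSIONS)


def mentions_excluded(command_line: str) -> bool:
    # Plain substring match is enough to spot an excluded path on a command line.
    lowered = command_line.lower()
    return any(folder.lower() in lowered for folder in AV_EXCLUSIONS)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding label, or None when the event does not interest this rule.

    The exclusion blinds the scanner, not process telemetry, so the rule keys on
    the excluded folders themselves rather than on what the files contain."""
    from_agent = _name(ev.parent_image) == AGENT_MONITOR
    if is_excluded(ev.image):
        return ("agent-launched-from-excluded-folder" if from_agent
                else "execution-from-excluded-folder")
    if from_agent and _name(ev.image) in LOLBINS and mentions_excluded(ev.command_line):
        return "agent-lolbin-touching-excluded-folder"
    return None


def flag_events(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((label, ev))
    return findings


# Constructed sample telemetry for the example (not logs from the incident).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\Kaseya\AGENT01\AgentMon.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c certutil.exe -decode C:\kworking\stage.b64 C:\kworking\stage.exe"),
    ProcessEvent(r"C:\Program Files (x86)\Kaseya\AGENT01\AgentMon.exe",
                 r"C:\kworking\stage.exe", r"C:\kworking\stage.exe"),
    ProcessEvent(r"C:\Program Files (x86)\Kaseya\AGENT01\AgentMon.exe",
                 r"C:\Windows\System32\ping.exe", "ping 127.0.0.1 -n 1"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\kworking\stage.exe", r"C:\kworking\stage.exe"),
]

if __name__ == "__main__":
    for label, ev in flag_events(SAMPLE_EVENTS):
        print(f"{label}: {ev.parent_image} -> {ev.command_line}")
```

The rule fires on the two agent-driven events and on the unrelated launch from the excluded folder, and stays quiet on the agent's harmless ping. In production it would also fire on the agent's legitimate jobs, which run scripts out of the same working folder, so it needs an allowlist of known-good hashes or signed Kaseya binaries; the point it demonstrates is that once a folder is carved out of scanning, the folder itself becomes the thing to watch.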