Kaseya continues to work toward recovery as the US Government works out a response.
REvil and Kaseya: response and recovery.
Kaseya CTO Dan Timpson posted a video late yesterday afternoon in which he provided a high-level overview of the steps the company was taking to fix the problems with its VSA software, whose modular design he credited with helping limit the scope of the attacks by REvil. Timpson made a point of listing the organizations Kaseya was working with as it responded to the ransomware attack: Mandiant (including its affiliate FireEye), the FBI, CISA, and DIVD, as well as partners, customers, and researchers. Kaseya has fixed the vulnerabilities in both on-premises and cloud versions of VSA, he said, documented the updates, and had them "peer-reviewed" by the partners the company has engaged. Kaseya has also been looking at its internal process controls and updated its run books. "As a company we're adding a lot more rigor to our processes, deployment, and code base," Timpson said. He promised an additional update this evening.
A post on Kaseya's site indicates that patches for VSA's on-premises version are still scheduled for release this coming Sunday, July 11th, at 4:00 PM EDT. That's also when Kaseya intends to begin deploying the fixes to its VSA SaaS Infrastructure.
How successful has REvil actually been in this ransomware campaign?
Successful, with respect to infecting victims, but perhaps not so successful in actually collecting much ransom.
The Wall Street Journal reports that ransomware infestations connected with the exploitation of Kaseya had, by yesterday, been found in six European countries. The Record reports that Kaseya's president and general manager for EMEA, Ronan Kirby, addressing a meeting convened by Belgium's CERT, said those six countries were the UK, the Netherlands, Germany, Sweden, Norway, and Italy. Eight of the sixty direct customers affected by the campaign are in Europe. Kaseya still thinks there are between eight hundred and fifteen hundred total downstream victims, that is, customers of the MSPs who use Kaseya's VSA.
But BleepingComputer has found only two victims who've paid any ransom, and concludes that the responsible REvil affiliate is unlikely to get the big payday they're hoping for. The article suggests that the criminals failed to exfiltrate data, relying simply on making the files unusable instead. If so, that would represent a departure from the double extortion--encryption plus data theft--that has become the norm in ransomware campaigns.
But the gang may in fact have taken files. Trustwave, whose researchers have been close-reading REvil's snidely named HappyBlog, does see some evidence, or at least assertions by the criminals, that the gang may have taken files before rendering them inaccessible. The hackers have posted messages and contacted victims with claims to be in possession of up to 4TB of data, including contracts, finance reports, diagrams, personal information, “and many more!” (enthusiasm in the original). "All you network has been locked," one victim was told, "You sensitive data has been downloaded. You have 10 days to contact us." Perhaps sensitive data haven't been published so far because the ten-day deadline hasn't yet expired.
BleepingComputer suggests another reason for the apparent lack of criminal success. REvil went after the software itself, the better to cast a broad net, and so passed up the now customary step of wiping or encrypting backups. "[A]n MSP and multiple victims encrypted during the attack told BleepingComputer that none of their backups were affected, and they chose to restore rather than paying a ransom." So the victims may have simply opted to restore from backups and bite the bullet on any doxing that may develop later.
Successful or unsuccessful as the hoods may have been, Ric Longenecker, CISO at Open Systems, sees the incident as representing a trend in the ransomware-as-a-service criminal market:
"The recent Kaseya attack shows a continuing and disturbing trend. Well established 'ransomware-as-a-service' groups like REvil have simply moved from striking 'high profile' targets like SolarWinds and Fortune 500 companies to targeting service providers for small and medium-sized businesses.
"These smaller targets may not guarantee a massive payout, but there’s less of a chance of consequences or reprisals because it is really difficult for authorities to diplomatically respond like-for-like to an attack that doesn’t touch critical industries or infrastructure. Even though this attack is not impacting the U.S. as much as other countries, risk is still increasing for both cybersecurity providers and the customers we serve. And these recent events continue to reinforce how interconnected and complex IT can be."
A US response to the ransomware campaign remains under consideration.
SecurityWeek writes that the US Administration faces pressure to do something about REvil's campaign, and it's clear that doing something increasingly means taking a whack at Russian interests, with US military organizations doing a good bit of the whacking. The Pentagon has been circumspect about what it might be called upon to do. A Defense Department spokesman on Tuesday declined to discuss specific US Cyber Command capabilities, plans or operations. "We are all mindful of these growing threats to national security as well as to civilian infrastructure," the spokesman said, adding, "We believe... a US response to those threats has got to be whole-of-government" as opposed to a purely military response. In this case "whole-of-government" would probably mean, especially, the Intelligence Community and the Departments of State, Justice, Treasury, and Commerce.
Two US military Judge Advocates, one of whom currently holds the billet as US Cyber Command's general counsel, last week published an article in Lawfare in which they made the case for a more active, less constrained role for military cyber units in retaliation against transnational crime. Their essay was prompted by the Colonial Pipeline incident, and was composed before the exploitation of Kaseya came to light, but it's drawn considerable attention this week. "Transnational crimes, of varying scale and sophistication, can surpass the capacity of U.S. federal law enforcement to take immediate action. Further, with cybercrime’s precise scope and intent often uncertain, operational opportunities often must be seized immediately by whatever entity is best positioned to do so," they argue. They also see the stakes as much higher, with cybercrime able to work damage on a scale disproportionate to the resources the criminals deploy and the risks they assume:
"Cybercrime, by its nature, is different from other types of crime. Criminals can achieve strategic-level impact across multiple nations, entities, and individuals while situated in jurisdictions unlikely to hold them accountable. Not long ago, it would take a well-resourced armed attack to achieve the strategic impacts that can be produced by some cybercrimes. Those contemplating such attacks would have to anticipate a victim’s potential use of force in self-defense, likely dissuading many from taking armed action. Through cyberspace, criminals contemplating such action need not fear meaningful prosecution, much less a kinetic attack by the victim."
They contend that the Posse Comitatus Act, which severely limits any role the military might play in domestic law enforcement, ought not be applied uncritically to cyberspace, because "the risks and dangers the act seeks to safeguard against are not present in cyberspace." They conclude:
"It is against the United States’ interests to limit the use of cyber capabilities by the military solely because the military traditionally opposed only the nation’s gravest threats, or only certain categories of threat actor, or because the military is better known for achieving missions through kinetic activities rather than achieving them through more peaceful, humanitarian mechanisms. Such attitudes are precisely what makes the gray zone so dangerous, and what makes lawfare so attractive to U.S. adversaries. If the United States insists on customary alignment between threats, federal organizations, and capabilities, it certainly will fail to protect its citizens, its interests and its values."
The authors are speaking for themselves, and not for the Department of Defense or the US Government as a whole, but their article has been seized on as a representative sample of thinking on cyber conflict. We note in passing that American doctrine gives the staff judge advocate a significant role in the targeting process, so it's probably worth paying attention to what military lawyers are saying and writing about cyber response and retaliation.