On Friday, 2 July 2021, while Americans were preparing for the 4th of July celebrations, the IT company Kaseya became the target of a ransomware attack perpetrated by the Russia-based group REvil. This article explains how the attack developed and what preventive measures can be put in place to avoid becoming a victim of ransomware.
Kaseya is an IT company based in Florida. As reported on its website, it provides applications for remote monitoring, service automation, automation of compliance processes and monitoring of network performance. One of its applications, Kaseya VSA, on 2 July 2021 became the subject of a cyberattack. VSA offers remote monitoring and management of IT functions and is distributed in over 10 countries.
Finding and exploiting vulnerabilities
As reported by agendadigitale.eu, at the time of the attack the DIVD (Dutch Institute for Vulnerability Disclosure) was already analyzing the VSA platform because of some critical vulnerabilities it had identified. The hackers exploited one of these vulnerabilities, named CVE-2021-30116, to break into the systems of the MSPs who were using the app.
More specifically, the vulnerability is an SQL injection that permits bypassing the authentication phase, thus allowing anyone to log in to the platform. It is not clear how REvil came to know about the vulnerability. Nevertheless, it was able to carry out the attack before Kaseya had the time to prepare and distribute a patch.
The attacker: REvil
According to BBC.com, REvil is a cyber-criminal group based in Russia. Also known as Sodinokibi, it is one of the most prolific and most profitable hacker groups in the world and has repeatedly targeted American businesses. In May 2021 the FBI blamed it for paralyzing the operations of the company JBS, the largest supplier of meat products in the world. Also, in 2019 it was deemed to be behind an attack that targeted nearly two dozen local governments in Texas.
A supply-chain ransomware attack
The role of MSPs
The Kaseya attack is known as a supply-chain ransomware attack: instead of directly targeting the final user, hackers go after the software suppliers. In particular, the information security media outlet crn.com reported that around 40 Managed Service Providers (MSPs) were compromised by the attack, with a cascade effect on all the clients they served.
MSPs usually manage tens or hundreds of businesses. By attacking them, hackers can extend the attack to their customers, thus exploiting the multiplier effect and reaching a much wider base of devices. Indeed, shortly after the attack was carried out, the REvil group announced on its “Happy Blog” that it had infected more than one million individual devices.
According to Reuters.com, businesses were infected on all five continents, paralyzing hundreds of firms and institutions, from small concerns such as dentists’ offices and accountancy firms to cases of much larger disruption. For example, the Swedish supermarket chain Coop had to close hundreds of its outlets because their cash registers became inoperative as a result of the attack. Also, in New Zealand eleven schools and several kindergartens were knocked offline.
Reuters reports that it made contact with the hackers, whose representative said that, while the Swedish disruption was not regrettable since supermarkets are “nothing more than a business”, the New Zealand case was an accident.
The ransom request
Then came the ransom demand: REvil would provide a universal decryption key to Kaseya upon the payment of a ransom worth USD 70 million. The group asked for the ransom to be paid in Bitcoin: cryptocurrencies have become an increasingly preferred means of payment in these cases since they grant anonymity.
As reported by Reuters.com three days after the attack took place, Kaseya’s CEO Fred Voccola refused to say whether Kaseya was ready to negotiate with the hackers. By then, the company had made contact with the FBI and with CISA, the US federal Cybersecurity and Infrastructure Security Agency.
Reuters underlines how ransomware has become more and more profitable over recent years. During the 2019 Texas attack the group demanded a total ransom of USD 2.5 million, far below the amount demanded from Kaseya. It is therefore clear how the hackers’ aspirations have grown over time and how their approach has become more measured and organised.
How it ended
The diplomatic effort
On July 8 CBSnews.com reported that the White House press secretary Jen Psaki had said that “high level” US national security officials had contacted top Russian officials about the Kaseya attack. Psaki made it clear that the US would hold Russia responsible for criminal actions taking place within its borders. Also, she reported that the two countries had scheduled a meeting for the following week.
As BBC.com recalls, during a summit in Geneva held in June 2021 the US President Joe Biden had told the Russian President Vladimir Putin that he had a responsibility to rein in such cyber attacks. Also, Biden had given Putin a list of 16 critical infrastructure sectors, from energy to water, that should not be the subject of hacking.
REvil websites disappear
CSOonline.com, an outlet that provides news, analysis and research on security and risk management, reported that on 13 July the REvil ransomware gang’s websites suddenly went offline. As a result, some of the victims who were trying to negotiate with the hackers were unable to keep discussing a deal on how to recover their data through a decryption key.
This event prompted a lot of speculation on whether the US or Russian government had taken action against the group. Neither government, however, commented.
In the meantime, Kaseya had been able to issue some patches in order to start solving the problem. Many businesses, however, were still unable to regain control over their encrypted devices.
Kaseya acquires a universal decryption key
On 22 July Kaseya announced that it had obtained a universal decryption key for the ransomware victims. It is not clear who supplied the key. Kaseya limited itself to saying that the key was provided by a “third party” and that the teams that were working with the victims had verified that the decryptor was not causing any problems or issues.
After the key proved to be 100% effective, Kaseya was asked whether it had obtained it upon payment of the requested ransom. The company stated that, after consulting with experts, it had decided not to negotiate with the criminals who had perpetrated the attack and had not paid a ransom, either directly or indirectly, in order to obtain the decryptor.