Having previously made a name for itself on the criminal scene by attacking major companies such as Quanta Computer and Invernergy, REvil’s latest attack on software company Kaseya and its update service is believed to have affected several hundred companies worldwide. These so-called supply chain attacks specifically target companies whose software is used in many operations. The domino effect created in this way helps the attacker to spread quickly and as widely as possible.
In most cases, update services are manipulated for this purpose and serve as an entry vector for the attackers after being rolled out to the customer.
Then, as is typical for ransomware, data from the affected company is extracted and the infected systems are encrypted. Paying a ransom is supposed to delete the stolen data and provide the master key for the encrypted data. However, it is generally discouraged to comply with this demand for several reasons.
Characteristic of the Kasey Attack
The product affected in the latest case, VSA from the company Kaseya, is a solution for remote access, remote maintenance and software updates. Kaseya has since stopped its cloud service and recommends its customers turn off local VSA systems. The company says it has found the vulnerability and plans to close it soon. However, once the attacker has gained access to internal systems, further measures need to be taken.
Through the support of customers with ransomware, especially the REvil Ransomware Group, SECUINFRA is very familiar with the topic and quickly able to assess the scope of the infection and recommend damage-limiting measures.
In this context, SECUINFRA’s specialists had already come into contact with the REvil Ransomware during various deployments. One case showed that an attacker used SEO poisoning to place a domain as prominently as possible on Google in order to entice unsuspecting users to download malware in the form of the Gootkit Trojan. The malware disguised itself as an archive file and was automatically executed on the system when opened. This opened an entry point into the corporate network for the attackers, thus leading to the spread of the ransomware.
In order to completely clean and rebuild the systems, SECUINFRA analyzed the corporate network comprehensively and was also able to identify systems that were not encrypted and looked supposedly “clean“, but contained indications that the attacker had access to them.
SECUINFRA can provide you with comprehensive advice on the analysis, remediation and reconstruction of your systems. In doing so, we take on the role of incident handler and forensic expert (digital forensics).