Since 2019, the ransomware scene has had one more member. REvil (Ransomware Evil, also known as Sodinokibi) is a ransomware group believed to be based in Russia and operating worldwide. It does not act alone: it licenses its malware to other criminal actors under a Ransomware-as-a-Service model, with the affiliates carrying out the intrusions and sharing the ransom with the operators.

Kaseya: Supply-Chain-Attack

Overview

Having previously made a name for itself on the criminal scene with attacks on major companies such as Quanta Computer and Invenergy, REvil's latest attack on the software company Kaseya and its update service is believed to have affected several hundred companies worldwide. Supply chain attacks of this kind deliberately target vendors whose software is deployed in many organizations. The resulting domino effect lets the attacker spread quickly and as widely as possible, because a single compromised vendor yields access to all of its customers at once.

Image: REvil claims responsibility for the attack on Kaseya

In most cases, the vendor's update or management service is manipulated for this purpose: once the tampered update has been rolled out to customers, it serves as the attackers' entry vector into each customer's environment.

Then, as is typical for ransomware, data is exfiltrated from the affected company and the infected systems are encrypted. Paying the ransom is supposed to buy both the deletion of the stolen data and the master key for decrypting the data. Complying with this demand is generally discouraged for several reasons: there is no guarantee that the data will actually be deleted or that the decryptor works, the payment finances further attacks, and it marks the victim as willing to pay.

Characteristics of the Kaseya Attack

The product affected in the latest case, VSA from Kaseya, is a solution for remote access, remote maintenance and software updates. Kaseya has since shut down its cloud service and recommends that its customers switch off on-premises VSA servers. The company says it has identified the vulnerability and plans to close it shortly. However, a patch alone is not enough: once the attacker has gained access to internal systems, further measures are needed to find and remove that access.

Through its work supporting customers affected by ransomware, and by the REvil ransomware group in particular, SECUINFRA is very familiar with the topic and is quickly able to assess the scope of an infection and recommend measures to limit the damage.

SECUINFRA's specialists had already encountered the REvil ransomware during several deployments. In one case, an attacker used SEO poisoning to place a domain as prominently as possible in Google search results in order to lure unsuspecting users into downloading malware in the form of the Gootkit trojan. The malware was disguised as an archive file and executed on the system as soon as the user opened it. This gave the attackers an entry point into the corporate network, which ultimately led to the deployment of the ransomware.

In order to clean and rebuild the systems completely, SECUINFRA analyzed the corporate network comprehensively. This also identified systems that had not been encrypted and appeared "clean", but that contained indications the attacker had accessed them. Such systems are the typical way an attacker returns after a partial clean-up, so they must be included in the remediation.

SECUINFRA can provide you with comprehensive advice on the analysis, remediation and rebuilding of your systems. In doing so, we take on the role of incident handler and forensic expert (digital forensics).

SECUINFRA Falcon Team · Author

Digital Forensics & Incident Response experts

The SECUINFRA Falcon Team specializes in Digital Forensics (DF) and Incident Response (IR). This includes classic host-based forensics as well as topics such as malware analysis and compromise assessment. In addition to the work carried out on customer engagements, the Falcon Team is responsible for the operation, further development and research of various projects and topics in the DF/IR area, for example threat intelligence and the creation of detection rules based on Yara.