REvil Demands $70M in Kaseya Ransomware Attack Using a 0-Day

As the fallout from last week's enormous supply-chain ransomware attack, which compromised thousands of businesses through a single infected vendor, continues, new details have emerged about how the well-known Russia-linked REvil cybercrime gang may have pulled off the unusual hacks.

On Sunday the Dutch Institute for Vulnerability Disclosure (DIVD) revealed it had alerted Kaseya to several 0-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit stated the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the attack of 2 July took place.

The flaws themselves were not disclosed, but DIVD chair Victor Gevers hinted that the 0-days were trivial to exploit. At least a thousand businesses are said to have been affected by the attacks, with victims identified in no fewer than 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, New Zealand, Indonesia, and Kenya, according to ESET.

Kaseya VSA is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs), offering a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access using two-factor authentication.

REvil's $70 Million Ransom Demand

Active since April 2019, REvil (aka Sodinokibi) is best known for extorting millions of dollars from meat-processor JBS early last month, with the ransomware-as-a-service operation accounting for about 4.6% of attacks on the public and private sectors in the first quarter of 2021.


REvil has set a price for decrypting every system locked during the Kaseya supply-chain attack: the group wants $70 million in Bitcoin for a universal decryptor that would allow all affected businesses to restore their files.

The REvil gang posted on its dark web data leak site: “On 2 July 2021, we launched an attack on MSP providers. More than a million systems were infected. If anyone needs to compromise about universal decryptor – our price is $70 million in BTC and we will post publicly decryptor that decrypts files of all the victims, so everyone will be able to restore from attack in less than an hour.”


Kaseya, which has enlisted the help of FireEye to assist with its investigation into the incident, said it aims to “bring SaaS data centers back online on a one-by-one basis starting with our E.U., U.K., and Asia-Pacific data centers followed by our North American data centers.”

On-premises VSA servers will require the installation of a patch before they are restarted, the company noted, adding that it is in the process of readying the fix for release on 5 July.

CISA Issues an Advisory

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging customers to download the Compromise Detection Tool that Kaseya has made available to identify any indicators of compromise (IoCs), enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place the administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
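A concrete way to apply the last two of those recommendations on a Linux host fronting an RMM server, as an added example that is not part of the CISA advisory or of Kaseya's own guidance: a POSIX shell function that emits a default-deny iptables ruleset in which only known administrative source addresses may reach the server's management ports, and which refuses to emit an any-source entry (0.0.0.0/0 and the like) that would silently defeat the allowlist. The interface name, server address, port and admin addresses used below are illustrative assumptions; agent check-in ports need their own policy and are deliberately out of scope.

```shell
#!/bin/sh
# Added example, not Kaseya's or CISA's code: emit a default-deny iptables
# ruleset that lets only known administrative source addresses reach an RMM
# server's management ports. Interface, server address, ports and admin
# addresses are illustrative assumptions (RFC 5737 documentation ranges).

# Usage: rmm_allowlist_rules <iface> <rmm_server_ip> <tcp_ports> <admin_ip_or_cidr>...
# Prints the iptables commands to stdout. Returns 1 and prints nothing if the
# allowlist is empty or contains an any-source entry (the weak setting that
# turns "restrict to known IP pairs" into "open to the internet").
rmm_allowlist_rules() {
  [ "$#" -ge 4 ] || {
    echo "usage: rmm_allowlist_rules <iface> <server_ip> <ports> <admin_ip>..." >&2
    return 1
  }
  iface=$1; server=$2; ports=$3; shift 3
  for src in "$@"; do
    case $src in
      ''|*' '*|0.0.0.0|*/0|::/0|any)
        echo "refusing any-source allowlist entry '$src'" >&2
        return 1 ;;
    esac
  done
  echo "iptables -N RMM_ADMIN"
  # Only traffic to this server's management ports is steered into the chain,
  # so the rest of the host's policy is untouched.
  echo "iptables -A INPUT -i $iface -d $server -p tcp -m multiport --dports $ports -j RMM_ADMIN"
  # Packets belonging to connections that already passed the allowlist.
  echo "iptables -A RMM_ADMIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for src in "$@"; do
    echo "iptables -A RMM_ADMIN -s $src -j ACCEPT"
  done
  # Everything else aimed at the admin ports is logged (a cheap detection
  # signal for scanning or exploitation attempts) and then dropped.
  echo "iptables -A RMM_ADMIN -j LOG --log-prefix \"RMM_DENY: \""
  echo "iptables -A RMM_ADMIN -j DROP"
}

# Demo with constructed values. Pipe the output into "sudo sh" to apply it;
# here it is only printed.
rmm_allowlist_rules eth0 192.0.2.10 443 203.0.113.5 198.51.100.0/24
```

Because the chain is only reached for the management ports, the same host can keep serving agent traffic on other ports under a separate rule. The LOG line is worth keeping: a burst of `RMM_DENY:` entries from an unexpected source is exactly the kind of signal that should feed an alert.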

Barry Hensley, Chief Threat Intelligence Officer at Secureworks, said: “Less than ten companies across the customer base appear to have been harmed and the effect appears to have been restricted to systems running the Kaseya software.”

“We have not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks. This means that organizations with broad Kaseya VSA deployments are likely to be significantly more affected compared to those that only run it on one or two servers.”

By compromising a software supplier to target MSPs, which in turn provide infrastructure or device-centric management and support to many small and medium businesses, the attack once again underscores the importance of securing the software supply chain. It also shows how adversaries continue to pursue their financial goals by combining the twin threats of supply-chain attacks and ransomware to hit hundreds of victims at once.

Kevin Reed, information security officer at Acronis, said: “MSPs are high-value targets—they have wide attack surfaces, making them juicy targets for threat actors. One MSP can manage IT for dozens to a hundred organizations: instead of compromising 100 distinct companies, the threat actors only need to hack one MSP to gain access to them all.”
