REvil Ransomware Attack; Cyber Experts Respond

More commentary is coming in on the REvil ransomware attack. Our earlier piece gave the top-down view; now the details are starting to emerge. We are updating them here and passing along the comments of some of the best security and IT infrastructure firms in the world.

Matt Sanders, Director of Security, LogRhythm (July 7)

This is unfortunately a major reminder that ransomware attacks continue to be an increasing threat to companies, critical infrastructure organisations and government agencies at all levels. This attack is especially dangerous because Kaseya is used by many Managed Service Providers that many businesses trust to handle their IT functions, such as endpoint inventory, patching, and software deployment. With up to 1,500 businesses possibly affected by the Kaseya ransomware attack, the impacts will be felt for months to come.

Recovering from a ransomware attack takes time, and a well-rehearsed incident response plan will prove invaluable should the worst happen. Aside from planning their response to a successful attack, organisations should keep their prevention and detection technologies top of mind by ensuring that they have the appropriate protective controls in place, as well as visibility into what is happening across their environment. A properly configured security monitoring solution that has full visibility into the environment with robust automated response capability would help organisations such as Kaseya identify malicious activity and thwart bad actors before ransomware can take hold.

Jeff Costlow, Chief Information Security Officer, ExtraHop

Kaseya is a terrifying example of how quickly cybercriminals are adopting Advanced Persistent Threat (APT) tactics. In the Kaseya attack, the threat actors deliberately targeted a well-established but little-known software management firm that would allow them access to hundreds of other environments. They meticulously researched their target and found a zero-day flaw in its software. They then exploited it and waited for a long holiday weekend to detonate their ransomware.

This technique parallels almost exactly the techniques used by nation-state adversaries in the NotPetya attack four years ago, which used an exploit in the Ukrainian tax software MeDoc, and more recently in the SolarWinds SUNBURST attack. Both NotPetya and SUNBURST used exploits in software that was widely used but little known to the public to disseminate malware on a massive scale. Both waited for national holidays (the former in Ukraine, the latter in the US) when many were out of the office to detonate their attacks.

The fact that techniques that were once the dominion of the most advanced nation states are now being used to extract multi-million dollar ransoms should serve as a stark warning for every organisation and every software vendor. The threat of sanctions or other diplomatic repercussions is of no concern to cybercriminals that operate outside the bounds of any government. Ransomware is now an advanced persistent extortionate threat –– one that’s far more calculated than opportunistic.

Jamie Moles, Senior Security Engineer, ExtraHop

The recent Kaseya ransomware attack will trigger a rise in culpability for third-party suppliers who don’t protect their direct customers. It’s futile if businesses protect themselves from attacks but the vendors in their supply chain they depend on have little to no protection to fend off attacks.

Attacks such as the latest one on Kaseya aren’t new. Attackers are just getting better at it, and we are more and more reliant on external entities for services.

Digitising business processes and more remote and flexible working makes this a growing problem which naturally introduces more areas to track and protect.

Zero trust frameworks, which assume you can’t trust anyone, are being adopted to fight supply chain attacks. However, businesses need visibility to understand how to identify if anything is lurking on their IT network. When organisations have complex supply chains, they need visibility across all customers to protect against any threats. It’s not about guessing where the next attack comes from, it’s about protecting from the unknown.

Employing a triad of security tools formed of network detection and response, endpoint detection and response and security information and event management provides the gold standard for detection and protection from bad actors.

Srikant Vissamsetti, Senior Vice President Engineering, Attivo Networks

Attackers steal and destroy information as part of their attacks, whether they seek to move deeper into the system or to hold data for ransom. Since Kaseya VSA runs on all endpoints and servers, this compromise provided the ransomware operator access to all systems without requiring any lateral movement. Organisations need functions that hide and deny access to local files, folders, removable storage, network or cloud shares, local administrator accounts and application credentials. By denying attackers the ability to see or exploit critical data, organisations can disrupt their discovery or lateral movement activities and limit the damage from ransomware attacks.

Adam Meyers, Senior Vice President, Intelligence, CrowdStrike

Based on CrowdStrike’s telemetry, the recent ransomware attack on Kaseya has all the hallmarks of the threat actor PINCHY SPIDER, operator of REvil ransomware and suspected culprit of the recent attack on JBS. Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack, launched against a target to maximise impact and profit through a supply chain during a holiday weekend when business defenses are down. What we are seeing now in terms of victims is likely just the tip of the iceberg. The continued success of large software supply chain attacks provides an ominous outlook for organisations of all sizes as threat actors observe how profitable and wide-ranging they can be. Organisations must understand that these headlines are no longer warnings, but are a reality of what is in their future if they have not established a mature cybersecurity strategy.

Corey Nachreiner, CSO, WatchGuard Technologies

The Kaseya ransomware attack underscores the importance of multilayered security for MSPs as well as enterprises. While novel attacks like this are impossible to predict, having protection across networks and endpoints can help minimize the worst effects until patches and other measures can be taken.

BlackBerry (7 July)

John McClurg, CISO of cybersecurity software and services company BlackBerry says this attack serves as a broader warning to businesses across the board.

“Acting as a RaaS, REvil relies on affiliates or partners to perform its attacks. The REvil developers receive a percentage of all proceeds from ransom payments. Because the ransomware is distributed by different entities, the initial infection vector can vary; typically, this is either via phishing campaigns, brute-force attacks to compromise RDP, or through software vulnerabilities. REvil has not yet been caught, and ransomware-as-a-service will only continue to grow.

“However, organisations can avoid becoming victims by stopping malware at the exploitation stage through increasing resilience, reducing infrastructure complexity, and streamlining security management. Endpoint detection and response (EDR) focused solutions often take action too late and cannot always stop breaches. Prevention is the best strategy; stopping attacks before they execute. This is entirely possible with next generation solutions that use AI to identify and block malware. Organisations must lead with a prevention-first approach using the fullest capabilities of AI.”

Demands (6 July)

REvil’s demands are starting to leak out today; so far, the total is between $50 and $70 million. REvil has claimed that a million machines were compromised.

Jack Cable of the cybersecurity-focused Krebs Stamos Group pointed out one of the gang’s affiliates said he could sell a “universal decryptor” for all the victims for $50 million. KSG has strong ties to the US Government, with co-founder Chris Krebs serving as first Director of the Cybersecurity and Infrastructure Security Agency.

The Reuters news agency said they had been able to log on to the payment portal and chat with an operator who said the price was unchanged at $70 million, “but we are always ready to negotiate.”

Multiple sources have said that REvil is demanding that victim companies pay $45,000 in the cryptocurrency Monero to gain back access to their systems, warning that the payment will double each week they fail to pay up.

Restoration could take weeks – Victims (6 July)

Mark Loman, director of engineering at cybersecurity firm Sophos, said, “Depending on how big your business is and if you have backups, it can take weeks before you have restored everything, and as the supermarkets in Sweden have been impacted, they can lose a lot of food and revenue.”

New Zealand said on Monday that 11 schools and several kindergartens were affected by the ransomware attack.

“Of the 11 schools (out of roughly 2,500) we initially identified as possibly having been impacted by this global ransomware attack:

  • Two have confirmed they are not impacted as they have not used this software for some time
  • Two have confirmed they use the software and have been impacted by ransomware. They have taken steps to contain the issue which may have a short-term operational impact. There is no evidence of data loss at this stage
  • Seven also use the software but have no evidence of impact and have shut down the impacted services as a precautionary measure.”

CyberArk (6 July)

Lavi Lazarovitz, Sr. Director of Cyber Research, CyberArk Labs, updated us this morning on their read of the situation:

“The attack patterns in the compromise of the Kaseya VSA solution are reminiscent of the Cloud Hopper campaign. With Cloud Hopper, one phishing attack at one endpoint went on to impact hundreds of firms that had relationships with breached cloud providers. For one victim, the attack cycle continued for at least five years. If this attack bears any resemblance to previous examples, then we need to remember that for attackers, it’s all about capitalizing on network decentralization and connectivity. Why? Because this equates to scale…and impact. Most importantly, in the Kaseya incident, the attackers are focusing on the compromise of trusted software, trusted processes and trusted relationships. Targeting trusted services allows the threat actors to leverage this trust and the granted permissions and access. In early communications by Kaseya, the company warns of the criticality of shutting down the servers that VSA runs on, “because one of the first things the attacker does is shut off administrative access to the VSA.” Monitoring and protecting this admin, or privileged, access is critical to identifying and mitigating the risk of lateral movement and further network compromise. In the case of an MSP, controlling admin rights means attackers can gain incredible scale – likely across hundreds of the MSP’s customers. Privileged credentials continue to be the attackers’ ‘weapon of choice’ and are utilized in nearly every major targeted attack.”

Qualys (5 July)

Cloud Platform security and intelligence specialist Qualys was another respondent to our requests for commentary. Qualys services 19,000 global businesses in more than 130 countries.

“Supply chain attacks should be top of mind for all companies, including those using Managed Service Providers (MSP). It’s essential to do due diligence on who is hosting and managing your data.

While you can outsource the work, you can’t outsource the risk – almost everyone is susceptible to supply chain attacks.

Companies need to make sure they have the proper protocols and robust third-party risk assessments in place ahead of these attacks so they can respond efficiently. This way, if there is an attack, you have options for redundancies ready to be put in place, and you can pivot to an alternative solution with minimum impact on your business.”

Sophos Labs (5 July)

Sophos Labs was on to the attack early, and they provided us with a facsimile of the actual extortion notice:

Ross McKerchar, Sophos Vice President and Chief Information Security Officer said, “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organisations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions.”

Mark Loman, Sophos Director of Engineering, added to McKerchar’s statement, saying: “Sophos is actively investigating the attack on Kaseya, which we see as a supply chain distribution attack. The adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type. This is a pattern we’re starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data, credentials and other proprietary information that they could later leverage, and more. In other widescale attacks we’ve seen in the industry, such as WannaCry, the ransomware itself was the distributor; in this case, MSPs using a widely used IT management tool are the conduit.

“Some successful ransomware attackers have raked in millions of dollars in ransom money, potentially allowing them to purchase highly valuable zero-day exploits. Certain exploits are usually only deemed attainable by nation-states. Where ‘nation-states’ would sparingly use them for a specific isolated attack, in the hands of cybercriminals an exploit for a vulnerability in a global platform can disrupt many businesses at once and have an impact on our daily lives.

“A day after the attack, it became more evident that an affiliate of the REvil Ransomware-as-a-Service (RaaS) leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya’s Virtual Systems Administrator (VSA) software. Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environments.”

Based on Sophos threat intelligence, REvil has been active in recent weeks, including in the JBS attack, and is currently the dominant ransomware gang involved in Sophos’ defensive managed threat response cases.