REvil Ransomware Gang Demands $70M in Kaseya Software Supply Chain Attack


The REvil ransomware gang demanded $70 million in a software supply chain attack involving American software company Kaseya.

A Vulnerability Involving Kaseya’s VSA Product

Kaseya published an update on July 2 in which it disclosed that it was “experiencing a potential attack against the VSA.”

A unified remote monitoring & management tool, VSA enables customers to obtain comprehensive visibility of their IT environments so that they can monitor their traditional endpoints, network devices, and other connected assets.

Kaseya, which provides IT and security management solutions to managed service providers (MSPs) and SMBs, used the statement to recommend that customers immediately shut down their VSA servers and keep them disconnected until further notice.

“It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” Kaseya warned.

A day later, the company confirmed that its VSA software had fallen victim to a sophisticated cyberattack involving ransomware. It urged all customers who encountered the ransomware not to click on any links.

It went on to note that it had identified a vulnerability and that it was preparing a patch to help organizations secure their systems.

According to Bleeping Computer, researchers working with the Dutch Institute for Vulnerability Disclosure (DIVD) were originally responsible for bringing the zero-day vulnerability to Kaseya’s attention. Kaseya’s security teams were working on a fix and preparing to roll out a patch to customers, but the ransomware actors apparently beat them to it and leveraged the same flaw to conduct their attack against Kaseya’s MSPs and those MSPs’ customers.

Kaseya’s fix wasn’t publicly available at the time of this writing. That didn’t stop other threat actors from attempting to capitalize on news of the attack, however. Zix | AppRiver spotted a malspam campaign that used a fake update purporting to come from Microsoft (for some reason) to trick recipients into infecting themselves with Cobalt Strike payloads.

A Look at the Attack’s Victims

In its July 3 update, Kaseya said that the attack had affected a small number of its customers “currently estimated at fewer than 40 worldwide.”

Bleeping Computer reported just three days later that the ransomware infection had compromised approximately 1,500 businesses worldwide.

Those victims included a Swedish grocery chain that closed the majority of its 800 stores for several days after the ransomware attack crippled its cash register software supplier.

Also among them was an unnamed IT services company that told German authorities that the attack had affected thousands of its customers, reported NPR.

REvil Gang Responsible for the Attack

After analyzing the forensic patterns, ransomware notes, and Tor URL associated with the attacks, Huntress concluded that a REvil affiliate was responsible for the intrusions.

Bleeping Computer analyzed one of the REvil samples used in the attacks. The computer self-help website found that, in that sample, the attackers were demanding a $5 million ransom in exchange for a decrypter. It also learned that the ransomware gang was issuing $44,999 ransom demands to Kaseya’s MSP customers.

But then REvil surprised everyone when it said it would hand over a universal decrypter for $70 million. Kaseya could use that tool to help all businesses affected by the attack recover their data, Bleeping Computer reported.

REvil’s $70 million ask is the largest ransom demand made by a ransomware gang to date.

The U.S. Government’s Response

On July 3, President Biden made some remarks while visiting King Orchards Market in Central Lake, Michigan. He explained that his Administration didn’t know who was responsible for the attack and that it had “directed the full resources of the…government to assist in the response,” as quoted by The White House.

President Biden also indicated that the U.S. government would respond if news emerged of Russia having perpetrated the attack or having known about it beforehand.

A day later, the White House indicated that the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) would be reaching out to victims to provide assistance based on their assessments of national risk.

That same day, CISA urged affected MSPs to download Kaseya’s VSA Detection Tool to determine whether any indicators of compromise (IoCs) were present on their systems.

Using Email Security to Defend Against Software Supply Chain Attacks

The security incident involving Kaseya comes on the heels of the supply chain attacks involving SolarWinds and Microsoft’s Exchange Server software. In light of these events, organizations should take the opportunity to harden their security postures against supply chain attacks. One way to do that is by investing in email security. Kaseya made the point itself when it urged customers not to click on any links, as those links might be weaponized. It’s possible that attackers were using malicious emails to distribute such links.

Organizations should specifically consider investing in an email security solution that scans for malware signatures, campaign patterns, and other threat indicators. That analysis should happen in real time so that legitimate business correspondence reaches its intended destination without interruption.

Learn how Zix | AppRiver can defend your organization against supply chain attacks such as the one that struck Kaseya.