Late Friday last week, the REvil (Sodinokibi) ransomware gang hit thousands of businesses in a supply-chain attack that appeared to be targeting a zero-day vulnerability in Kaseya VSA. Having breached multiple managed service providers (MSPs), REvil proceeded to encrypt files of thousands of their customers.
Kaseya VSA, a cloud-based managed services platform, allows businesses to perform remote patch and client monitoring.
All affected MSPs used Kaseya VSA.
“We are tracking 20 MSPs where Kaseya VSA was used to encrypt over 1,000 businesses and are working in close collaboration with six of them,” Huntress Labs’ John Hammond shared in a blog post about the attack.
At the time of the attack, Kaseya had been working on a patch to address the zero-day vulnerability reported to the company by DIVD researchers, but REvil managed to launch its attack on Friday before the patch was ready.
According to Kaseya, all VSA customers should immediately shut down their servers to prevent the attack’s spread.
REvil distributed its malware as an update patch for Kaseya VSA called ‘Kaseya VSA Agent Hot-fix’ that carried an agent.crt file. The payload then used a PowerShell command to disable Microsoft Defender, decoded the agent.crt file with the native Windows certutil.exe command, and started the encryption process.
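As an added illustration (not part of the original article, and not code from Kaseya, Huntress or the attackers), the following Python script shows how a defender might hunt for the two behaviours this paragraph describes, Defender being switched off through PowerShell and certutil.exe being used to decode a file into an executable, in process-creation telemetry. The log lines, host names and file paths are constructed for the example; the only identifier taken from the article is the agent.crt file name, and the 10-minute correlation window is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of process-creation events (not telemetry from the real incident).
# Fields: ISO timestamp | host | image path | command line
SAMPLE_EVENTS = """\
2021-07-02T14:00:05Z|WS01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ExecutionPolicy Bypass Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true
2021-07-02T14:00:09Z|WS01|C:\\Windows\\System32\\certutil.exe|certutil.exe -decode C:\\Temp\\agent.crt C:\\Temp\\agent.exe
2021-07-02T14:01:30Z|WS02|C:\\Windows\\System32\\certutil.exe|certutil.exe -verify C:\\Temp\\corp-root.cer
2021-07-02T14:05:00Z|WS03|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-MpComputerStatus
2021-07-02T15:10:00Z|WS04|C:\\Windows\\System32\\certutil.exe|certutil.exe -decode C:\\Users\\dev\\blob.b64 C:\\Users\\dev\\blob.bin
"""

# Set-MpPreference with any -Disable* switch set to $true (or 1) turns a Defender feature off.
DEFENDER_TAMPER = re.compile(r"set-mppreference\b.*?-disable\w+\s+(\$true|1)\b", re.IGNORECASE)
# certutil -decode <input> <output>: the built-in base64 decoder being used on an arbitrary file.
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\s+.*-decode\s+(\S+)\s+(\S+)", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".scr")


@dataclass
class Event:
    ts: datetime
    host: str
    image: str
    cmdline: str


def parse_event(line):
    """Split one pipe-delimited constructed log line into an Event."""
    ts, host, image, cmdline = line.split("|", 3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, image, cmdline)


def classify(cmdline):
    """Return the set of suspicious behaviours visible in a single command line."""
    tags = set()
    if DEFENDER_TAMPER.search(cmdline):
        tags.add("defender_tamper")
    m = CERTUTIL_DECODE.search(cmdline)
    if m:
        tags.add("certutil_decode")
        # Decoding straight into an executable extension is the strongest single signal.
        if m.group(3).lower().endswith(EXEC_EXT):
            tags.add("decode_to_executable")
    return tags


def scan(text, window=timedelta(minutes=10)):
    """Group hits per host and rate them.

    high   : Defender tampering and a certutil decode on the same host within `window`,
             or any decode whose output is an executable;
    medium : a single indicator on its own (worth a look, often benign).
    """
    per_host = defaultdict(list)
    for line in text.strip().splitlines():
        ev = parse_event(line)
        tags = classify(ev.cmdline)
        if tags:
            per_host[ev.host].append((ev.ts, tags))

    findings = []
    for host, hits in sorted(per_host.items()):
        hits.sort(key=lambda h: h[0])
        all_tags = set().union(*(t for _, t in hits))
        span = hits[-1][0] - hits[0][0]
        chained = {"defender_tamper", "certutil_decode"} <= all_tags and span <= window
        severity = "high" if chained or "decode_to_executable" in all_tags else "medium"
        findings.append({"host": host, "severity": severity, "tags": sorted(all_tags)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['severity']} {', '.join(f['tags'])}")
```

Run against the constructed sample, WS01 is rated high because both behaviours occur within seconds of each other and the decode writes an .exe, WS04 is rated medium for a lone certutil decode of a non-executable, and the certificate verification on WS02 and the read-only Defender status query on WS03 produce no finding. In a real environment the same logic would be fed from Sysmon Event ID 1 or Windows Security Event ID 4688 command-line auditing.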
Over 1,000 businesses have been affected by the cyberattack, among them Coop, a Swedish supermarket chain, which had to close approximately 500 stores. The good news is that REvil only encrypted networks, meaning it did not steal any of the victims’ data.
The ransomware gang is asking ransoms of $5 million from MSPs and smaller ransoms of $44,999 from the MSPs’ customers whose files were encrypted.
President Barack Obama has directed US intelligence officials to investigate the attack and has not ruled out the possibility that it originated from Russia.
The FBI has launched an investigation into the incident and is working with various agencies to gather more information.
“The FBI is investigating the Kaseya ransomware incident and working closely with CISA and other interagency partners to understand the scope of the threat.”