Kaseya attack: $70 million ransom demanded

by | July 8, 2021 | Cybersecurity News

If you still haven’t paid attention to the Kaseya ransomware recent attack, you should take a closer look. This attack is even bigger than the Exchange hacks by China that occurred in January this year, or the Colonial Pipeline ransomware incidents.

The ransomware gang called REvil has taken credit for this past Friday Kaseya attack that has affected more than 1.000 businesses worldwide.

The attackers are asking for a $70 million ransom in bitcoin for publishing a public universal decryptor that is believed to unlock all affected computers.

The Record reported that REvil posted a message taking responsibility for the attack on its blog from the dark web.

Source: The Record

Background info about Kaseya

  • Kaseya is an American software company that develops software for managing systems, networks and IT (information technology) infrastructure.
  • Its costumers use Kaseya to manage their information.
  • This company can deploy software to the systems under management, in a way that is equivalent to a software provider deploying an automatic update to those devices.

Who are the attackers?

REvil, a Russian-based group, also known as Sodinokibi, is a famous cybercriminal gang that has used ransomware to attack big-name companies like Apple and Acer.

Most recently, it targeted JBS, the biggest meat processing company in the world, that paid it $11 million in bitcoin to reduce damage from the attack and protect its data.

They are seen as the most dangerous ransomware attackers out there, being guilty of around 29% of such attacks in 2020, according to a recent report by IBM’s Security X-Force unit:

“REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific Ransomware as a Service (RaaS) operations”.

The report estimated that REvil took ransoms worth at least US$ 123 mil in 2020.

How bad was the attack?

The attack is considered to be the largest global ransomware attack on record. Areas affected are financial services, travel and leisure, and public sector computer system located across 17 countries. In addition, Swedish supermarket chain Coop was forced to close 800 off its stores for several days because its cash register software supplier was affected by the ransomware attack.

The Kaseya attack is believed to have impacted as many as 1.500 organizations when attackers targeted multiple MSPs (managed service providers) which are companies that provide remote IT services to hundreds of smaller businesses that don’t have the resources to assume those functions themselves.

A director of security at LogRhytm, Matt Sanders, says the attack is a reminder that ransomware attacks continue to be an increasing danger to companies, critical infrastructure organizations, and government agencies at all levels. He also added that:

“This attack is especially dangerous because Kaseya is used by many Managed Service Providers that many businesses trust to handle their IT functions, such as endpoint inventory, patching, and software deployment”.

Matt Sanders

How did it happen?

The Kaseya attack is a so-called software supply chain ransomware attack, in which cyber threat actors infiltrate the software supplier’s network and send malicious code to destroy the software before the supplier sends it to the customer. The infected software then affects the customer’s data or system. Hackers targeting SolarWinds software use this type of attack to infiltrate major federal agencies and companies in the United States.

Basically, Kaseya sells its products to MSP, which uses Kaseya’s VSA cloud platform to manage and send software updates to these businesses and also resolving other issues.

In Kaseya’s case, initial reports said that REvil gained access to the company’s backend infrastructure and used it, and send an update with malware to VSA servers running on client premises. The malicious update installed the ransomware from the VSA server on all connected computers, stated the Record. An analysis of the attack was made by Kaspersky:

This script disables Microsoft Defender for Endpoint protection features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique (T1574.002)”.


Therefore, the ransomware spread to other organizations that were connected to the VSA systems.  However, specific details about the attack are still uncertain, and information is constantly evolving.

FBI and CISA offers direction

FBI released a statement on Saturday, where they announced a coordinated investigation of the attack with CISA.

We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities.”

FBI security alert

The next day, the FBI updated its guidance and have encouraged impacted companies to follow newly developed mitigations and report the attack to the agency.

If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov.

FBI Guidance

CISA posted some recommendations for mitigation including:

  • download the Kaseya VSA Detection Tool. This tool analyzes a system and determines whether any indicators of compromise are present
  • enable and enforce multi-factor authentication (MFA) on every account of the organizations and, to the maximum extent possible, enable and enforce MFA for customer-facing services
  • implement allow listing to limit communication with remote monitoring and management (RMM) abilities to know IP address pairs
  • place administrative interfaces of RMM behind a VPN (virtual private network) or a firewall on a dedicated administrative network.

President Joe Biden ordered on Sunday US intelligence agencies to investigate the ransomware attack! He also stated that he and other US agencies were “not certain” who was behind the attack:

“The initial thinking was it was not the Russian government but we’re not sure yet.”

US President, Joe Biden

In an interview on Sunday, Kaseya CEO Fred Voccola would not confirm the use of zero-day vulnerabilities or provide detailed information about the breach, except that it was not phishing, and he was confident that when the cybersecurity company’s investigation is completed, It will show that the attacker not only compromised Kaseya but also compromised third-party software.


Photo by Giorgio Trovato on Unsplash

by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! Love to write passionately about any subject and my mainly inspiration are people's stories. You can also find me on social media, for some more friendly things!

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.