CTO’s Perspective: A Review of the REvil Ransomware Attack


By Satya Gupta, Founder and CTO, Virsec

Over the July 4th holiday weekend, the REvil ransomware syndicate hit software vendor Kaseya Ltd. and crippled more than 200 American companies. The criminals took advantage of reduced security staffing over the weekend to infiltrate up to 1,500 companies worldwide, according to Reuters. This number is sure to fluctuate as new information develops.

The Russian-linked ransomware group encrypted entire networks across Kaseya’s supply chain and demanded $70 million in cryptocurrency for a universal decryption key. REvil claimed that over a million individual devices were infected in what is considered the biggest ransomware attack to date.

The White House, the FBI and the Department of Homeland Security quickly took action, launching a thorough investigation into the crime and assisting the victims of the attack. Anne Neuberger, deputy national security adviser for cybersecurity and emerging technologies, urged anyone who believes their systems were compromised in the Kaseya ransomware incident to report it immediately to the Internet Crime Complaint Center.

Infiltrating the supply chain to deliver ransomware

Kaseya Ltd. provides IT and network management software, and its Virtual System Administrator (VSA) remote monitoring and management product was abused to distribute the ransomware through Kaseya’s managed service provider customers.

Like the SolarWinds supply chain attack, which targeted a third-party software vendor whose product is installed across many companies and then infected that vendor’s customers, the REvil malware reached Kaseya’s customers by exploiting vulnerabilities in the VSA software. Because customers deploy VSA to manage their own endpoints, the malware spread automatically to every endpoint the compromised VSA servers managed.

The Associated Press reported that Kaseya CEO Fred Voccola said only a small percentage of its 37,000 customers were compromised. But of those 50 or 60 compromises, “70% were managed service providers who use the company’s VSA software to manage multiple clients.” VSA automates the installation of software and security updates and manages backups and other vital tasks.

Kaseya quickly posted an alert for its customers on July 2, 2021, and said its security team would continue to work around the clock in all geographies to resolve the issue and restore service to its customers, providing updates as soon as they became available.

Zero-Day Attack Confirmed

On July 6, 2021, Kaseya confirmed that REvil had exploited a zero-day vulnerability in its software. Kaseya posted an incident overview and technical details on its website. The investigation is ongoing and the company will provide more information at that link as soon as it becomes available.

Kaseya reported that on July 2, 2021, the company received reports from customers that they had detected ransomware running on their devices. Kaseya confirmed that the attackers were “able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and execute arbitrary commands.” This allowed the attackers to use the standard functionality of the VSA product, which is designed to push software to managed endpoints, to deploy the ransomware.

Kaseya listed specific Indicators of Compromise (IOCs), which included network IOCs (attacker IP addresses), web log indicators (request paths hit on the VSA server), endpoint IOCs, and the files that were used as part of the encryption deployment.
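The categories Kaseya published (network, web log, endpoint and file indicators) map directly onto a sweep a VSA customer would run. The following is an added example, not Kaseya’s detection tool and not its IOC list: every IP address, request path, file path and log line below is a constructed placeholder, and the file indicator is derived from a constructed byte string rather than a real sample. It shows the three matching passes a practitioner would write: client IPs and request paths against IIS-style web logs, and SHA-256 digests against files on an endpoint.

```python
"""Added example (not Kaseya's tool or IOC list): a minimal IOC sweep of the kind a
VSA customer would run against a vendor's published indicators. Every indicator,
log line and file below is CONSTRUCTED for illustration."""
import hashlib
from dataclasses import dataclass

# --- Constructed indicator set (placeholders, NOT the real Kaseya IOCs) ---------------
IOC_IPS = {"203.0.113.45", "198.51.100.7"}                          # network IOCs (TEST-NET space)
IOC_URI_PATHS = {"/placeholder_upload.asp", "/placeholder_dl.asp"}  # web log indicators
# File IOCs are normally shipped as SHA-256 digests; ours is derived from a constructed sample.
SAMPLE_MALICIOUS_BYTES = b"constructed-ransomware-dropper-sample"
IOC_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest()}

# --- Constructed inputs ------------------------------------------------------------
# IIS W3C extended log fields, in order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
WEB_LOG = """\
2021-07-02 14:01:03 10.0.0.5 GET /app/login.asp - 443 - 192.0.2.10 Mozilla/5.0 200
2021-07-02 14:03:11 10.0.0.5 POST /placeholder_upload.asp - 443 - 203.0.113.45 curl/7.64 200
2021-07-02 14:03:40 10.0.0.5 GET /placeholder_dl.asp id=1 443 - 192.0.2.10 Mozilla/5.0 200
2021-07-02 14:05:02 10.0.0.5 GET /app/dashboard.asp - 443 admin 192.0.2.11 Mozilla/5.0 200
""".splitlines()

# Constructed "endpoint": path -> file contents (a real sweep would walk the filesystem).
ENDPOINT_FILES = {
    r"C:\Temp\placeholder_payload.bin": SAMPLE_MALICIOUS_BYTES,
    r"C:\Program Files\Vendor\agent.dll": b"benign constructed dll bytes",
}


@dataclass(frozen=True)
class Hit:
    kind: str        # "network", "web" or "file"
    indicator: str   # the IOC value that matched
    where: str       # the log line or file path it matched in


def parse_iis_line(line: str):
    """Parse one W3C extended log line; returns None for blank or '#' directive lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 11:
        return None
    return {"uri": fields[4], "client_ip": fields[8], "status": fields[10]}


def scan_web_log(lines):
    """Match client IPs and request paths against the network and web log IOCs."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        if rec["client_ip"] in IOC_IPS:
            hits.append(Hit("network", rec["client_ip"], line))
        if rec["uri"] in IOC_URI_PATHS:
            hits.append(Hit("web", rec["uri"], line))
    return hits


def scan_files(files):
    """Hash each file and match the digest against the file IOCs."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in IOC_SHA256:
            hits.append(Hit("file", digest, path))
    return hits


def run_sweep():
    """Run all passes over the constructed inputs and return the combined hit list."""
    return scan_web_log(WEB_LOG) + scan_files(ENDPOINT_FILES)


if __name__ == "__main__":
    for h in run_sweep():
        print(f"[{h.kind}] {h.indicator} <- {h.where}")
```

Two caveats a practitioner should keep in mind when turning this into a real sweep: request paths should be compared case-insensitively and with the query string considered, since IIS is case-insensitive; and hash-based file IOCs only catch the exact samples the vendor saw, so a clean hash sweep is not evidence that the behaviour described later in this post did not run.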

Kaseya is adding an additional layer of security to its Software as a Service (SaaS) infrastructure, which will change the underlying IP addresses of the VSA servers, and is preparing a patch. As of July 7, 2021, the patch had not been released because of an unresolved issue, according to Kaseya’s security team.

Customers can download the Kaseya VSA Compromise Detection Tool to check their networks and should watch the Kaseya Helpdesk for the latest developments.

A closer look at the REvil Ransomware group

REvil, also known as Sodinokibi, is a notorious Ransomware-as-a-Service (RaaS) gang. The criminals were behind the ransomware attack on global meat processor JBS in May 2021, for which JBS reported paying an $11 million ransom.

REvil favors two modes of operation: phishing attacks against individual users’ devices, and exploitation of publicly disclosed vulnerabilities that have not been patched, to gain access to an organization’s IT infrastructure.

REvil rents the malware it creates to black-market affiliates, who use it against targets of their choice, ideally those who have not yet applied the necessary updates to internet-facing software and are left exposed. After extracting a ransom, affiliates share a percentage of their income with REvil.

REvil can also gain administrative access to a target directly by exploiting a vulnerability such as CVE-2019-2725 in Oracle WebLogic or the Windows privilege escalation CVE-2019-8453, and then encrypt the user’s files. The group is known to infiltrate networks and steal sensitive data before an attack. The criminals then use the threat of exposing this data as an additional incentive for their victim to pay the ransom.

REvil supply chain ransomware attack technique

Let’s review the unfolding of the ransomware attack against Kaseya and its supply chain:

The attacker infiltrated Kaseya’s and/or its customers’ infrastructure via a zero-day vulnerability in Kaseya’s VSA code. Exploiting this vulnerability allowed the attacker to gain administrative access and set up a reverse channel to the attacker’s command-and-control server. The attacker then used that reverse channel to drop and run the REvil malware on the victim’s infrastructure.

These operations are summarized in the diagram below:

Diagram: Operation REvil Ransomware

After the compressed REvil malware is dropped and executed on the victim’s computer, it unpacks itself and builds the active REvil code directly in memory. It then reads its configuration, including the attacker’s public encryption key, and stores that key in a Windows registry key so it survives across reboots. Next, REvil determines whether the victim is in a country the group treats as off-limits; REvil does this by checking the system’s language and keyboard-layout settings. If so, it stops. If not, the malware deletes shadow copies and backups, encrypts attached backup storage, encrypts the victim’s storage, and displays its ransom demand. If the victim does not pay the ransom within the allotted time, the attacker threatens to publish the confidential information gathered before the drives were encrypted. If the victim pays, the attacker provides the decryption key.
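The backup-deletion and registry-persistence steps in this sequence are what a defender can catch on the endpoint before encryption begins, independent of any file hash. The block below is an added example, not Virsec’s product logic and not REvil’s code: it runs a handful of command-line detection rules over constructed Sysmon-style process-creation events (hostnames, PIDs and command lines are placeholders) and raises an alert only when two or more distinct arming steps are seen from the same parent process within a short window, which separates a ransomware arming sequence from an administrator running a single backup command.

```python
"""Added example (not Virsec's or REvil's code): detection of the ransomware "arming"
steps described above, run over CONSTRUCTED Sysmon-style process-creation events.
Hostnames, PIDs and command lines are illustrative placeholders."""
import json
import re
from datetime import datetime, timedelta

# Each rule: (name, regex applied to the lower-cased command line).
ARMING_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("registry_run_persistence", re.compile(r"\breg(\.exe)?\b.*\badd\b.*\\currentversion\\run(once)?\b")),
]

# Constructed process-creation events (Sysmon Event ID 1 shape, reduced to the fields we use).
SAMPLE_EVENTS = [
    {"ts": "2021-07-02T14:10:05", "host": "ws-17", "pid": 4120, "ppid": 3980,
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2021-07-02T14:10:06", "host": "ws-17", "pid": 4124, "ppid": 3980,
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2021-07-02T14:10:07", "host": "ws-17", "pid": 4130, "ppid": 3980,
     "cmd": "reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
            "/v placeholder /t REG_SZ /d C:\\Temp\\placeholder.exe"},
    # Benign: an admin listing shadow copies (no deletion).
    {"ts": "2021-07-02T14:30:00", "host": "ws-22", "pid": 5000, "ppid": 600,
     "cmd": "vssadmin list shadows"},
    # Single persistence write with no backup tampering: logged, but not an arming sequence.
    {"ts": "2021-07-02T15:00:00", "host": "ws-09", "pid": 7000, "ppid": 650,
     "cmd": "reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
            "/v Updater /t REG_SZ /d \"C:\\Program Files\\Vendor\\updater.exe\""},
]


def match_rules(event):
    """Return the distinct rule names whose pattern matches this event's command line."""
    cmd = event["cmd"].lower()
    names = []
    for name, pattern in ARMING_RULES:
        if pattern.search(cmd) and name not in names:
            names.append(name)
    return names


def find_arming_sequences(events, window=timedelta(minutes=5), min_rules=2):
    """Group rule matches by (host, parent PID); alert when at least `min_rules` distinct
    arming steps occur within `window` of the first match. Returns a list of alert dicts."""
    groups = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in match_rules(ev):
            key = (ev["host"], ev["ppid"])
            groups.setdefault(key, []).append((datetime.fromisoformat(ev["ts"]), rule, ev["cmd"]))

    alerts = []
    for (host, ppid), matches in groups.items():
        start = matches[0][0]
        in_window = [m for m in matches if m[0] - start <= window]
        rules = {m[1] for m in in_window}
        if len(rules) >= min_rules:
            alerts.append({
                "host": host,
                "parent_pid": ppid,
                "first_seen": start.isoformat(),
                "rules": sorted(rules),
                "commands": [m[2] for m in in_window],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_arming_sequences(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Grouping by parent PID is what makes the rule useful: a dropper that spawns vssadmin, bcdedit and reg in succession shares one parent, while the same commands typed by an administrator over a day do not cluster. In production the events would come from Sysmon or an EDR feed, and the single-rule matches that do not reach the alert threshold should still be logged at lower severity, since the registry write on ws-09 above is exactly the kind of thing you want in the timeline if that host is encrypted later.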

Application-specific ransomware protection

The Virsec Security Platform (VSP) provides application-aware protection for critical software, including operating system services, proprietary and third-party software, and applications at run time, even when they are unpatched or contain unknown vulnerabilities hidden in the code.

When a ransomware attack attempts to start, VSP recognizes that code produced or influenced by an attacker is attempting to execute and stops it before a single instruction runs. VSP relies on the legitimate application code as its source of truth, so it does not require prior knowledge of the threat.

As legitimate code executes, Virsec’s patented AppMap® technology automatically maps and monitors the actual code execution. If an application attempts to deviate from its AppMap, VSP treats the deviation as a threat and blocks further execution. The attack is stopped early in the kill chain because VSP prevents the exploitation of both known and undisclosed vulnerabilities.

Deterministically disable ransomware

VSP deterministically blocks the ransomware arming steps with the process monitoring capability in VSP Host. Follow-on activities, such as executing shellcode, are blocked, and any attempt to modify files on disk is detected and stopped.

With VSP Host deployed and configured with its file signing database capability, VSP ensures that only intended software runs. All other software, including both file-based and fileless malware, is blocked before it executes. If a network is already infected with ransomware, VSP can be installed to locate malware lurking in the organization’s infrastructure.

Take immediate action

The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance for affected customers, encouraging organizations to review Kaseya’s advisory and immediately follow its instructions to shut down VSA servers. CISA recommends taking immediate steps to implement the following cybersecurity best practices:

  • Make sure backups are up to date and stored in an easily retrievable location that is separate from the organization’s network

  • Revert to a manual patch management process that follows vendor remediation guidance, including installing new patches as soon as they become available

  • Enforce:

Want to know more?

Schedule a demo to see the Virsec Security Platform defend against attacks in real time.

*** This is a Security Bloggers Network syndicated blog from the Virsec blog, written by Virsec. Read the original post at:
