Hot Potatoes: A ransomware attack has hit hundreds of companies across the United States, in a supply-chain attack that used the Kaseya VSA remote monitoring and IT management platform. While Kaseya claims that fewer than 40 of its more than 36,000 customers were directly affected, the targeting of large managed service providers (MSPs) means that a significant number of their downstream customers have been hit as well.
Kaseya stated that it was notified of a security incident on Friday afternoon, after which it put its cloud services into maintenance mode and issued a security advisory to all customers. It told customers running on-premises VSA servers to shut them down until further notice, because "One of the first things an attacker can do is turn off administrative access to VSA." Kaseya also notified the FBI and CISA and launched an internal investigation. In a second update, the company said that the shutdown of the cloud VSA was merely a precaution, and that customers using its SaaS servers were "never at risk." It also said the service will remain suspended until the company is confident it can safely resume operations; at the time of writing, the VSA cloud outage had been extended until 9 AM ET.
What infected systems look like. Photo: Kevin Beaumont, via DoublePulsar
The REvil ransomware was delivered through the software's standard automatic update mechanism. It then uses PowerShell to decode and extract its contents while disabling several Windows Defender protections, including real-time monitoring, cloud-delivered protection lookups, and Controlled Folder Access (Microsoft's built-in anti-ransomware feature). The payload also includes an older (but legitimate, signed) copy of the Windows Defender executable, which is abused as a trusted binary to load the malicious DLL that carries the ransomware (DLL side-loading).
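Both behaviours described above, the PowerShell call that switches Defender protections off and a relocated copy of the Defender engine binary, are visible in ordinary process-creation telemetry. The script below is an added example written for this article, not code from Kaseya, Huntress or the original post. It assumes process records that carry an image path and a command line (the fields a Sysmon Event ID 1 or Windows Security 4688 record provides); the sample events, their paths and file names are constructed, and the Defender install directories it treats as legitimate are an assumption about a typical Windows installation. It goes slightly beyond the article by also unpacking `-EncodedCommand` payloads and by accepting the abbreviated parameter names PowerShell allows.

```python
"""Added detection example: flags Set-MpPreference calls that weaken Defender and
MsMpEng.exe running outside its install directory. Sample events are constructed."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Set-MpPreference parameters that weaken Defender, with the values that do so.
# Numeric forms are the enum values PowerShell accepts in place of the names.
TAMPERING_PARAMS = {
    "disablerealtimemonitoring": {"$true", "1"},
    "disableioavprotection": {"$true", "1"},
    "disablescriptscanning": {"$true", "1"},
    "disablebehaviormonitoring": {"$true", "1"},
    "disableintrusionpreventionsystem": {"$true", "1"},
    "mapsreporting": {"disabled", "0"},                  # cloud-delivered protection off
    "submitsamplesconsent": {"neversend", "2"},
    "enablecontrolledfolderaccess": {"disabled", "0"},   # anti-ransomware folder guard off
}

# Assumed legitimate locations of Defender's engine binary (lower-case, trailing backslash).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

# "-Name value" or "-Name:value"; a value never starts with "-", so switches like -Force are skipped.
PARAM_RE = re.compile(r"-([A-Za-z]+)(?:\s+|:)(\$?[A-Za-z0-9]+)")
# powershell.exe -EncodedCommand and the abbreviations it accepts, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def _known_param(name: str) -> str | None:
    """Resolve a possibly abbreviated parameter name against TAMPERING_PARAMS.
    PowerShell accepts any unambiguous prefix (-DisableRealtime works like the full
    name); resolving only against this table errs towards alerting."""
    hits = [p for p in TAMPERING_PARAMS if p.startswith(name.lower())]
    return hits[0] if len(hits) == 1 else None


def scan_command_line(cmdline: str) -> list[Finding]:
    """Flag Set-MpPreference invocations that turn Defender protections off,
    including ones hidden inside -EncodedCommand (base64 of UTF-16LE text)."""
    findings: list[Finding] = []
    for m in ENC_RE.finditer(cmdline):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
        findings.extend(scan_command_line(decoded))
    # cmd.exe chains commands with & and |, PowerShell with ; and newlines.
    for segment in re.split(r"[&;|\n]", cmdline):
        if "set-mppreference" not in segment.lower():
            continue
        for name, value in PARAM_RE.findall(segment):
            param = _known_param(name)
            if param and value.lower() in TAMPERING_PARAMS[param]:
                findings.append(Finding("defender_tampering", f"-{param} {value}"))
    return findings


def check_defender_image(image_path: str) -> list[Finding]:
    """Flag Defender's engine (MsMpEng.exe) running outside its install directories:
    a signed but relocated copy is the classic setup for DLL side-loading."""
    path = image_path.lower().replace("/", "\\")
    if not path.endswith("\\msmpeng.exe") or any(path.startswith(d) for d in DEFENDER_DIRS):
        return []
    return [Finding("defender_sideload", image_path)]


def scan_event(event: dict) -> list[Finding]:
    """event holds 'image' and 'command_line', as a Sysmon 1 / Security 4688 record would."""
    return check_defender_image(event.get("image", "")) + scan_command_line(event.get("command_line", ""))


# Constructed sample events modelled on the chain the article describes (paths are made up).
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c ping 127.0.0.1 -n 60 > nul & powershell.exe Set-MpPreference "
                     "-DisableRealtimeMonitoring $true -EnableControlledFolderAccess Disabled "
                     "-Force -MAPSReporting Disabled & C:\\Temp\\stage\\payload.exe"},
    {"image": "C:\\Temp\\stage\\MsMpEng.exe", "command_line": "C:\\Temp\\stage\\MsMpEng.exe"},
    {"image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "command_line": "\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\""},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -enc " + base64.b64encode(
         "Set-MpPreference -DisableRealtime:$true".encode("utf-16-le")).decode()},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for f in scan_event(event):
            print(f"{f.rule}: {f.detail}  <- {event['image']}")
```

The image check deliberately ignores the signature: the whole point of the technique is that the binary is genuinely Microsoft-signed, so the only anomaly is where it runs from. Feed real 4688 or Sysmon records through `scan_event` and the first event type alone (Defender being switched off from a `cmd.exe` chain) is worth an alert, whether or not the rest of the chain is ever seen.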
It is not yet clear whether REvil steals data from victims before activating the ransomware and encrypting files, but the group has done so in previous attacks.
The scale of the attack continues to expand. Supply-chain attacks like this one, which compromise a weak upstream link rather than hitting targets directly, can cause widespread damage when carried out at scale, as is the case with Kaseya VSA. In addition, the attack appears to have been timed for the July 4 holiday weekend, when fewer staff are available to deal with the threat, which slows the response.
Screenshot of Kaseya VSA software management
BleepingComputer initially reported that eight MSPs had been attacked, and Huntress Labs, a security company, said it was working with three affected MSPs covering around 200 businesses. However, further updates from John Hammond of Huntress show that the number of affected MSPs and downstream clients is much higher than initially reported and continues to grow.
"<40. Kaseya affects less than 40 clients." pic.twitter.com/PyENI96A5E - John Hammond, Jul 3, 2021
The ransom demands vary widely. Payment is demanded in the Monero cryptocurrency, and the amounts seen so far appear to start at $44,999 and reach as high as $5 million. Likewise, the payment deadline, after which the ransom doubles, appears to differ between victims.
Both figures probably depend on the size and scale of the victim. REvil, which US officials believe has ties to Russia, received $11 million from meat processor JBS last month and demanded $50 million from Acer in March. Source: BleepingComputer
Massive ransomware attack swept hundreds of US companies