REvil With a Cause? The Kaseya Ransomware Attack

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on July 2, 2021, largely through firms that remotely manage IT infrastructure for multiple customers.

en flag
nl flag
et flag
fi flag
fr flag
de flag
he flag
ja flag
lv flag
pl flag
pt flag
ru flag
es flag

Content Assessment: REvil With a Cause? The Kaseya Ransomware Attack

Information - 95%
Insight - 90%
Relevance - 90%
Objectivity - 90%
Authority - 95%

92%

Excellent

A short percentage-based assessment of the qualitative benefit of the post highlighting an aggregation of announcements and articles commenting on the recent Kayesa ransonware attack.

Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.

Industry Announcements and Article Extracts


Scale, Details of Massive Kaseya Ransomware Attack Emerge (The Associated Press)

Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.


REvil Ransomware Asks $70 Million to Decrypt All Kaseya Attack Victims (Bleeping Computer)

REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files.

The attack on Friday propagated through Kaseya VSA cloud-based solution used by managed service providers (MSPs) to monitor customer systems and for patch management.

Customers of multiple MSPs have been impacted by the attack, REvil ransomware encrypting networks of at least 1,000 businesses across the world.


FBI Statement on Kaseya Ransomware Attack (Federal Bureau of Investigation)

If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov. Please include as much information as possible to assist the FBI and CISA in determining prioritization for victim outreach. Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.

Read the original announcement.


CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.

CISA and FBI recommend affected MSPs:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on key network resources admin accounts.

Resources:

CISA and FBI provide these resources for the reader’s awareness.  CISA and FBI do not endorse any non-governmental entities nor guarantee the accuracy of the linked resources.


Updates Regarding VSA Security Incident (Kaseya)

Next Update is planned to be published July 5th in the morning EDT.   The update will be published on the Kaseya.com support website (link here) in advance of the email being sent.  Checking this link is the fastest way to ensure that you have the latest information from Kaseya.

Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.

Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service.

This update provides further detail on the July 4, 2021 5:45 PM EDT and earlier updates.    

  • SaaS Restoration Timeline Updates – UPDATE 
  • Our executive committee met at 10:00 PM EDT and to best minimize customer risk, felt that more time was needed before we brought the data centers back online. 
  • They elected to meet again tomorrow morning at 8:00 AM EDT to reset the schedule with a goal of starting the restoration process to bring our datacenters online by end of day on July 5th local time (UTC) – but that timeframe is dependent on achieving some key objectives overnight. 
  • The next update will be tomorrow morning EDT after the executive committee reconvenes. 
  • On-Premises Patch Timeline Updates – NEW 
  • Once we have begun the SaaS Data Center restoration process (see SaaS Restoration Timeline Updates above), we will publish the schedule for distributing the patch for on-premises customers. 

Continued Advisory 

  • All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations.  A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. 
  • We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized.
  • The new Compromise Detection Tool can be download at the following link:  VSA Detection Tools.zip | Powered by Box  This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present. 

Additional Reading

Source: ComplexDiscovery

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

ComplexDiscovery is an online publication that highlights cyber, data and legal discovery insight and intelligence ranging from original research to aggregated news for use by business, information technology, and legal professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data and legal discovery organizations. Registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world, ComplexDiscovery OÜ operates virtually worldwide to deliver marketing consulting and services.

U.S. Department of Treasury Takes Actions to Counter Ransomware

According to Treasury Secretary Janet L. Yellen, “Ransomware and cyber-attacks are...

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE): September 2021 Cyber Events Report

The twelfth installment in the cyber events series published by the...

[Legal Education Webcast] Breaches, Responses, and Challenges: Cybersecurity Essentials That Every Lawyer Should Know

Every large corporation and organization today face the significant threat of...

Classifying Ransomware? A Ransomware Classification Framework Based on File-Deletion and File-Encryption Attack Structures

This paper evaluates attack methodologies of a ransomware attack: the underlying...

Mitratech Acquires Alyne

According to Mike Williams, CEO of Mitratech, "The combination of Alyne...

Magnet Forensics Acquires DME Forensics

According to the announcement, under the terms of the agreement, Magnet...

Consilio to Acquire Legal Consulting and eDiscovery Business Units of Special Counsel from Adecco

According to Laurie Chamberlin, Head of Professional Recruitment and Solutions North...

Nuix Acquires Natural Language Processing Company

According to Nuix CEO Rod Vawdrey, “Topos will strengthen Nuix’s product...

A New Era in eDiscovery? Framing Market Growth Through the Lens of Six Eras

There are many excellent resources for considering chronological and historiographical approaches...

An eDiscovery Market Size Mashup: 2020-2025 Worldwide Software and Services Overview

While the Compound Annual Growth Rate (CAGR) for worldwide eDiscovery software...

Resetting the Baseline? eDiscovery Market Size Adjustments for 2020

An unanticipated pandemeconomic-driven retraction in eDiscovery spending during 2020 has resulted...

Home or Away? New eDiscovery Collection Market Sizing and Pricing Considerations

One of the key home (onsite) or away (remote) decisions that...

Five Great Reads on Cyber, Data, and Legal Discovery for September 2021

From countering ransomware to predictive coding and packaged services, the September...

Five Great Reads on Cyber, Data, and Legal Discovery for August 2021

From the interplay of digital forensics in eDiscovery to collecting online...

Five Great Reads on Cyber, Data, and Legal Discovery for July 2021

From considerations for cyber insurance and malware to eDiscovery business confidence...

Five Great Reads on eDiscovery for June 2021

From remediating cyberattacks to eDiscovery pricing, the June 2021 edition of...

More Keepers? Predictive Coding Technologies and Protocols Survey – Fall 2021 Results

From the most prevalent predictive coding platforms to the least commonly...

Glowing Expectations? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2021

In the summer of 2021, 63.3% of survey respondents felt that...

Issues Impacting eDiscovery Business Performance: A Summer 2021 Overview

In the summer of 2021, 24.4% of respondents viewed increasing types...

Looking Up? eDiscovery Operational Metrics in the Summer of 2021

In the summer of 2021, 80 eDiscovery Business Confidence Survey participants...