Kaseya VSA – a target of the largest ransomware attack ever

13. July 2021

On Friday, July 2, in the evening, the world was shaken by a massive ransomware attack targeting a remote server management application called the Kaseya Virtual Server Administrator, used for remote management of end user stations [1].

It is not uncommon that the major attack took place just before the Fourth of July holiday with a shorter workday, as ransomware attacks usually take advantage of the fact that late at night or just before the weekend there is fewer staff monitoring the security of information systems, and moreover, a malicious programme itself needs enough time to encrypt the files.

Currently, we know that about 50 companies in 17 countries around the world have been paralysed; they are direct users of Kaseya VSA, whereas many of them deal with the management of end user IT services. For this reason, the end users were also affected by the attack. 1,500 end users were attacked, and according to Kaseya CEO Fred Voccola, they mostly included small end users such as doctors’ surgeries, libraries, IT companies or various construction companies [2][3][4].

Among those affected were also larger end users such as Coop, one of Sweden’s largest supermarket store chains that had to shut down nearly 800 stores across the country after the attack crippled the cash register software supplier [5].

According to President Joe Biden, large American companies have not been much affected. In Europe, several large end user IT management companies have been attacked. In terms of end user victims, Germany reports more than 1,000 end users affected, and the Netherlands two major IT companies VelzArt and Hoppenbrouwer Techniek [6].

It is the largest single ransomware attack in history ever, as the REvil gang responsible for the crime demanded on its blog, shortly after the attack, a $70 million ransom in Bitcoin from Kaseya for providing a universal decryption key. From individual end users being attacked, the gang demanded ransoms of varying amounts of up to $5 million [7].

Later on July 5, a security researcher Jack Cable reported on Twitter that the attackers had lowered the price and the final amount of ransom at the time of releasing this article was $50 million [8].

After paying this astronomical amount the attackers promised to make a universal decryption key available for free downloading.

Due to the liquidation ransom imposed on Kaseya, some of the affected companies focused on individual negotiations with the attackers, while they do not disclose whether an agreement has been made and the ransom has been paid.

REvil gang aka Sodinokibi, who is behind the attack on Kaseya, is already a well-known notorious group. They are no newcomers on the underground scene, which is underlined by the fact that they have been famous for their sophisticated operations since 2018, providing “ransomware as a service”. According to Kaspersky researchers, this organized group had a net income of around 100 million dollars from their malicious operations last year [9].

The last known case reported by REvil were the attacks on meat-processor JBS Company, from which the gang extorted 11 million dollars [10].

Technical details and the course of the attack

Initial reports raised speculations that it could have been a supply chain attack similar to the one experienced in the SolarWinds Orion software case of December 2020, when the US attributed these malicious activities to the Russian intelligence service [11]. These speculations of the supply chain attack were negated four days later [12], with the most likely scenario today that the attackers exploited multiple zero-day vulnerabilities directly of VSA on-premise software installations at Kaseya’s customers [13] [14].

Details of how the hackers learned of the vulnerabilities have not yet been publicly released. However, we know that the Dutch Institute for Vulnerability Disclosure (DIVD) reported vulnerabilities to Kaseya with assigned CVE-2021-30116 before the attack started. The DIVD report states that Kaseya put in the maximum effort to fix the vulnerability, nevertheless, they were beaten by the attackers [15].

The critical security vulnerability CVE-2021-30116 was caused by insufficient use of authentication mechanisms. According to security researchers at Huntress Labs, attackers apparently exploited SQL injection to gain access, and in combination with bypassing the authentication mechanisms and remote file uploading on the server, the systems were compromised. This was also confirmed by experts from TruSec [16] [17].

According to Kaspersky researchers, the exploit worked by deploying a malicious dropper via a PowerShell script. This script disables Microsoft Defender functions and then uses the certutil.exe utility to decode a malicious executable file (agent.exe) that downloads an older version of Microsoft Defender along with the REvil ransomware packed in a malicious library.

This library is then loaded by the legitimate tool MsMpEng.exe by utilizing the DLL side-loading technique.

The Salsa20 stream cipher, of Professor Daniel Bernstein of the University of Illinoa at Chicago, was used to encrypt the files. The security of stream ciphers depends on the method of generating encryption keys, while for the used Salsa20, the key was generated by an asymmetric algorithm based on elliptical curves [18].

The right way to generate the encryption key will ensure that the cipher becomes virtually indecipherable in real time, provided that the attackers have not made a mistake and have not left additional data written in the memory of the compromised system. For those interested in the issue of stream ciphers, it is recommended to see the chapter of stream ciphers in the textbook by William Stallings [19]. For technical details of the Salsa20 cipher, it is recommended to visit the following website http://www.crypto-it.net/eng/symmetric/salsa20.html.

Current state of the investigation

Kaseya CEO Fred Voccola has not specified at which stage the negotiations with a criminal group can currently be found. Based on experience with similar cases such as the Darkside group, the payment of a ransom and subsequent attempts to track down the perpetrators cannot be excluded. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are also involved in this case [20].

The number of other possible victims was reduced relatively quickly, as according to Palo Alto Networks, the number of publicly available vulnerable Kaseya VSAs dropped from 1,500 to less than 60, already 6 days after the attack, indicating a good cooperation of several CSIRTs with Kaseya [21].

Even a few days after the attack, several other threat actors have been trying to capitalize on the chaos triggered by REvil [22].

Other actors involved

Malwarebytes Threat Intelligence security researchers warn against a malicious phishing campaign disguised as Microsoft, in which, by clicking on the link, the SecurityUpdates.exe file is supposed to be downloaded by the user. However, once launched, the security update will not be installed, but the Cobalt Strike payloads will be downloaded, allowing the attacker to gain a remote access to the victim’s computer.

This campaign targets VSA Detection Tools, officially released by Kaseya, used to verify the system if it contains indicators of compromise [23].

This free riding is a phenomenon also known from the attacks on Colonial Pipeline when in June 2021, the ransomware attack was accompanied by a phishing campaign aimed at placing the Cobalt Strike penetration tool in order to compromise the victim’s systems.

Security researchers from Cisco Talos Incident Response (CTIR) report that up to 66 % of ransomware attacks in the last quarter of 2020 were accompanied by a phishing campaign [24].

Taking measures

Kaseya VSA is provided in both cloud and on-premise versions. Immediately, after receiving reports from victims, the cloud version was shut down and the situation was treated separately with individual on-premise customers. According to Kasey, no customers of the cloud solution were among the victims.

Kaseya has taken a very uncompromising approach to incident handling, placing the Kaseya VSA cloud version under Cloudflare protection along with the FireEye software and security supervision. These steps have also been admirably taken in case of on-premise customers [25].

In principle, there are only three possible defensive strategies against ransomware attacks. The first one is to keep your system and software in the latest versions and regularly monitor the manufacturers’ sites. The second one is to minimize the attack surface by removing unused applications and outdated machines.

The third strategy and at the same time a necessary measure covering a wide range of risks are backups of all data in a way that will not allow their deletion from the infected workstation. The best solution for prudent users is the existence of offline backups.

Administrators and users are encouraged to use VSA Detection Tools to detect the presence of IoC available at:

https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40

It is also recommended that administrators enable two-factor authentication wherever possible.

Administrators are advised to update affected systems to version 9.5.7a [26] without delay.