Introduction
Let’s just say that the Fourth of July holiday weekend did not go as planned for us. We had been reporting on REvil/Sodinokibi for quite some time before they shocked the world with their recent ransomware attack. What is being called the “largest ransomware attack in history” is only the beginning. Here is the complete timeline of the attack:
We have been following and reporting on REvil since early 2019, before it became an elite group involved in global extortion. When REvil appeared in the first half of 2019, it immediately caught attention for distributing itself through an Oracle WebLogic vulnerability and carrying out attacks on MSPs (managed service providers).
In June, the REvil ransomware group made headlines by targeting US nuclear weapons contractors. Sol Oriens was hit by the threat actors, and its employees’ data was leaked online. Along with the employees’ information, business data was also stolen and leaked.
The company added that it is not aware of threat actors having stolen classified or critical security-related information belonging to its clients. However, employees’ social security numbers and payroll data were leaked online.
The Attack Timeline
July 2, 2021
Over the Fourth of July weekend, rumors of a supply chain attack surfaced on the internet. The Kaseya VSA RMM (Remote Monitoring and Management) software had been compromised to deliver REvil ransomware. Because the software is widely used by MSPs, the severity of the attack was far greater than a single-victim incident. Although Kaseya is most widely used in America and has around 40,000 clients, the attacks spread worldwide. Around half a dozen MSPs were affected by the attack.
The REvil ransomware gang injected malicious code into VSA, producing a supply chain attack that extended from the MSPs down to their end customers.
July 4, 2021
The ransomware group had by now attacked around 50 to 60 Kaseya customers. Victims from 17 countries were hit by the attack, including the United States of America, Canada, South Africa, New Zealand, and the United Kingdom.
The FBI investigated the attack along with CISA. Kaseya also released a VSA Detection tool to help MSPs determine whether the RMM software in their environment had been compromised; the tool checks the system for IoCs (indicators of compromise).
July 5, 2021
Kaseya itself announced the attack and advised its users to shut down their on-prem VSA servers. Although the attack did not affect its SaaS (software-as-a-service) offering, the company shut down those servers as well. Kaseya’s CEO, Fred Voccola, told U.S. Deputy National Security Advisor Anne Neuberger that the company was unaware of any critical infrastructure having been hit by the ransomware.
July 6, 2021
Kaseya’s CEO revealed that around 800 to 1,500 businesses had been impacted by the attack.
July 7, 2021
It was revealed that Kaseya had been working with the Dutch Institute for Vulnerability Disclosure (DIVD) on patches for the vulnerabilities that REvil exploited. The company had been informed of the vulnerabilities in April and was on the verge of releasing a patch when the attack occurred.
July 8, 2021
Opportunists took advantage of the chaos and fear surrounding the Kaseya attack to send fake emails masquerading as Kaseya updates. Kaseya warned its users not to open any attachments or links until an official patch or update was released.
July 11, 2021
Patching of Kaseya’s on-prem VSA began, along with deployment of the patch to the VSA SaaS infrastructure.
July 12, 2021
Patching was at full speed, with 95% of SaaS customers back online and the rest following in the coming hours.
Stay up-to-date with the latest news, threat intel, IOCs, and updates on Kaseya-REvil with Rewterz Threat Advisories