Kaseya VSA delivered REvil ransomware
REvil exploited Kaseya VSA on-premises servers on July 2, 2021 and used the remote monitoring platform to push ransomware through managed service providers into downstream customer networks.
Story
Kaseya VSA gave managed service providers central control over customer fleets. They used it to push scripts, deploy software, and administer many networks from one console. On July 2, 2021, REvil used that management plane to distribute ransomware.
The attackers exploited vulnerabilities in on-premises VSA servers, then used the normal VSA agent procedure and script execution path to push a payload to managed endpoints. The chain staged agent.crt as base64-encoded content, decoded it with certutil into agent.exe, and that dropper wrote a legitimate, Microsoft-signed Windows Defender executable next to a malicious mpsvc.dll; the signed executable then sideloaded mpsvc.dll as the REvil encryptor. To endpoints, every step arrived through the agent they were already configured to trust, so the decode, the drop and the launch all carried the context of routine management activity.
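The chain above suggests what an endpoint hunt should key on: a certutil decode of a .crt into an .exe, the Defender engine running from a directory it never installs to, a DLL named mpsvc.dll loaded from that same foreign directory or without a valid signature, and the VSA agent as the parent of the shells that do it. The following is an added example, not code from Kaseya, CISA or any vendor referenced on this page. It runs four such checks over constructed Sysmon-style process-create (EventID 1) and image-load (EventID 7) records. The page names only the Defender executable and mpsvc.dll; the engine name MsMpEng.exe, the VSA agent process name AgentMon.exe, the kworking working directory and every sample path are assumptions drawn from public reporting of the incident, and the events are constructed, not real telemetry.

```python
"""Hunt for the Kaseya VSA -> REvil delivery chain in Sysmon-style events.

Added example; not code from Kaseya, CISA or any vendor named on the page.
MsMpEng.exe, AgentMon.exe, the kworking directory and all paths below are
assumptions from public reporting. SAMPLE_EVENTS is constructed test data.
"""
import json
import ntpath

# Directories where the Defender engine legitimately runs from on Windows 10/11.
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    # 0: routine VSA script run; only the low-severity context rule should fire
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c ipconfig /all",
     "ParentImage": r"C:\Program Files (x86)\Kaseya\ABC123\AgentMon.exe"},
    # 1: certutil copied to cert.exe, decoding agent.crt into agent.exe
    {"EventID": 1, "Image": r"C:\Windows\cert.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 2: Defender engine launched from C:\Windows by the decoded dropper
    {"EventID": 1, "Image": r"C:\Windows\MsMpEng.exe", "OriginalFileName": "MsMpEng.exe",
     "CommandLine": r"C:\Windows\MsMpEng.exe", "ParentImage": r"c:\kworking\agent.exe"},
    # 3: that process loads an unsigned mpsvc.dll sitting beside it
    {"EventID": 7, "Image": r"C:\Windows\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\mpsvc.dll", "Signed": "false"},
    # 4: the real Defender engine loading its own signed mpsvc.dll (benign)
    {"EventID": 7, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\MsMpEng.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\mpsvc.dll",
     "Signed": "true"},
    # 5: ordinary certutil use with no decode (benign)
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -verify C:\temp\site.crt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _in_defender_dir(path):
    p = path.lower()
    return any(p.startswith(d) for d in DEFENDER_DIRS)


def rule_certutil_decode(ev):
    """certutil decoding a .crt; matched on OriginalFileName so a renamed copy still hits."""
    if ev.get("EventID") != 1:
        return False
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and "-decode" in cmd and ".crt" in cmd)


def rule_defender_outside_install_dir(ev):
    """Defender engine binary started from anywhere but its install directories."""
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "")
    return _base(image) == "msmpeng.exe" and not _in_defender_dir(image)


def rule_mpsvc_sideload(ev):
    """mpsvc.dll loaded unsigned, or from outside the Defender directories."""
    if ev.get("EventID") != 7:
        return False
    loaded = ev.get("ImageLoaded", "")
    if _base(loaded) != "mpsvc.dll":
        return False
    signed = str(ev.get("Signed", "")).lower() == "true"
    return (not signed) or (not _in_defender_dir(loaded))


def rule_rmm_agent_spawns_shell(ev):
    """VSA agent launching a shell or certutil: legitimate for VSA, so context only."""
    if ev.get("EventID") != 1:
        return False
    return (_base(ev.get("ParentImage", "")) == "agentmon.exe"
            and _base(ev.get("Image", "")) in {"cmd.exe", "powershell.exe", "certutil.exe"})


RULES = (
    ("rmm_agent_spawns_shell", rule_rmm_agent_spawns_shell, "low"),
    ("certutil_decode_crt", rule_certutil_decode, "high"),
    ("defender_outside_install_dir", rule_defender_outside_install_dir, "high"),
    ("mpsvc_sideload", rule_mpsvc_sideload, "critical"),
)
# The three stages that together identify this delivery chain with high confidence.
CHAIN_RULES = {"certutil_decode_crt", "defender_outside_install_dir", "mpsvc_sideload"}


def hunt(events):
    """Return one finding per (event, matching rule), in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for name, check, severity in RULES:
            if check(ev):
                findings.append({"rule": name, "severity": severity,
                                 "index": idx, "image": ev.get("Image", "")})
    return findings


def chain_complete(findings):
    """True when every high-confidence stage of the chain appears in the findings."""
    return CHAIN_RULES <= {f["rule"] for f in findings}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    print(json.dumps(result, indent=2))
    print("full chain observed:", chain_complete(result))
```

The agent-spawns-shell rule is deliberately low severity: an RMM agent running cmd.exe is what VSA is for, so it only gives context and needs a per-tenant baseline. The other three are specific enough to alert on alone, and the OriginalFileName match is what keeps the certutil rule working after the attacker copies the binary under another name.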
Kaseya reported fewer than 60 directly affected customers, but many were MSPs, so the attack reached downstream customer networks. CISA and the FBI urged MSPs and downstream customers to shut down on-premises VSA servers until a patch was available, run Kaseya's detection tool against VSA servers and managed endpoints, enforce MFA on every account the MSP controls, limit RMM communication to known IP address pairs and put RMM administrative interfaces behind a VPN or firewall, and restore carefully from clean backups kept off the affected network.
REvil publicly claimed responsibility and demanded $70 million in bitcoin for a universal decryptor. Individual victims reportedly saw demands from tens of thousands to millions of dollars. Kaseya restored SaaS service and released on-premises patches on July 11.
Affected Artifacts
- Observed: 2021-07-02 to 2021-07-11
- Compromised Versions: (none given)
- Fixed: Not listed
- Hashes:
  - sha256:d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  - sha256:e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  - sha256:8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  - (4 more hashes not shown in this record)
- REvil is also known as Sodinokibi.
- Kaseya said fewer than 60 customers were directly affected; public summaries place downstream organizational impact around 800 to 1,500.
- Kaseya and CISA said SaaS servers were shut down as a precaution, with no evidence that SaaS customers were compromised.
- Kaseya restored SaaS service and released on-premises VSA patches on July 11, 2021.
Incident Context
- Motive: Financial Gain
- Attribution: Group
- Cause: Exploit
- Transitive: No
- Actor: REvil
- User Impact: 1500
External References
- CISA Advisory AA21-201A: Ransomware Awareness for Holidays and Weekends (cisa.gov)
- CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack (cisa.gov)
- Kaseya Ransomware Attack - Guidance for Affected MSPs and their Customers (cisa.gov)
- Kaseya VSA Security Incident (helpdesk.kaseya.com)
- Kaseya Supply Chain Attack - What We Know (mandiant.com)
- Kaseya VSA Supply Chain Attack - What We Know So Far (huntress.com)
- Rapid Response - Kaseya VSA Mass MSP Ransomware Incident (huntress.com)
- REvil gang asks for $70 million to decrypt systems locked in Kaseya attack (therecord.media)
- Kaseya VSA Ransomware Attack Explained (purplesec.us)
Source record: proprietary/kaseya/meta.yaml