Incident Response Blog: REvil Ransomware Campaign Targeting Kaseya VSA Customers

On Friday, 2 July, CTA members became aware of a ransomware campaign targeting Kaseya’s VSA product. VSA is used by Managed Service Providers (MSPs) to monitor and manage information technology for their clients, provide automation, and assist with software patch management. In this incident, an affiliate of REvil leveraged a zero-day vulnerability in VSA to bypass authentication and run arbitrary command execution, deploying ransomware to endpoints via a malicious update.

CTA members note that they are treating this as two separate events: 1) a zero-day attack against MSPs using Kaseya’s VSA product and 2) a service supply chain attack that leverages Kaseya’s VSA platform to get access to the ransomware victims. As of yet, there is no evidence that Kaseya’s systems have been compromised or that the actors used Kaseya to send the malicious updates to the affected MSPs.

CTA members are supporting customers in their response to these ransomware incidents. CTA members are sharing information and analysis on this incident via our Early Sharing program and through analyst-to-analyst discussions, ensuring that response efforts are aligned with the most up-to-date understanding of this incident. CTA will be collating relevant threat reports, blog posts, and advice around protections and mitigations from our members in order to support other organizations in responding to this incident. As new materials and insights are released, we will add them to this blog post.

Alien Labs

• Ways to prevent ransomware attacks: how to avoid becoming a victim
• REvil’s new Linux version

Anomali

• Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used in New Attacks and More

Avast

• What to do about Kaseya and PrintNightmare vulnerabilities

Check Point

• “Kaseya Attack”: Over 1000 organizations globally attacked on Fourth of July weekend, biggest supply chain attack since Sunburst
• Kaseya, what this ransomware attack fallout means
• The case of Kaseya’s $70 million ransom – Get The Latest Info
• The global ransomware supply chain attack that you need to know about
• How One IT Firm Successfully Beat Kaseya Ransomware

Cisco Talos

• Everything you need to know abou the Kaseya situation – Talos Takes Ep #60
• REvil ransomware actors attack Kaseya in supply chain attack

Telefónica ElevenPaths 

• What on Earth Is Going On With Ransomware And Why We Won’t Stop it Any Time Soon

Fortinet

• DLL Side-Loading Technique used in the recent Kayseya Ransomware Attack
• New Supply Chain Ransomware Attack Targets Kaseya Platform

McAfee

• How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence | McAfee Blogs

Morphisec

• Real-time Prevention of the Kaseya VSA Supply Chain REVIL Ransomware Attack
• Security News In Review: REvil Launches Supply Chaing Ransomware Attack

Palo Alto Networks

• Diagnosing the Ransomware Deployment Protocol
• Understanding REvil: The Ransomware Gang Behind the Kaseya Attack
• Threat Brief: Kaseya VSA Ransomware Attacks
• When Should You Protect Against Ransomware? Now, Before it Hits You.

Panda Security

• The biggest ransomware attack ever paralyzed thousands of businesses
• A new wave of ransomware attack hits up to 1,500 businesses worldwide

Rapid7

• Managed Service Providers Used in Coordinated, Mass Ransomware Attack Impacting Hundreds of Companies

SecurityScorecard

• Agent REvil Unveiled in Kaseya VSA Ransomware Attack

Sophos

• Kaseya breach, and more Podcast
• Independence Day: REvil uses supply chain exploit to attack hundreds of businesses
• Kaseya ransomware attackers say: “Pay $70 million and we’ll set everyone free”
• Kaseya VSA supply chain ransomware attack
• What to expect when you’ve been hit with REvil ransomware

Symantec Broadcom

• Kaseya Ransomware Supply Chain Attack: What You Need to Know
• Threat Alert: Kaseya VSA Supply Chain Sodinokibi Ransomware