REvil Ransomware Attack; Demand and More

More commentary is coming in on the REvil ransomware attack. Our earlier piece gave the top-down view; now that the details are starting to emerge, we are updating them here and passing along the comments of some of the best security and IT infrastructure firms in the world.

Demands (6 July)

REvil’s demands are starting to leak out today; so far, the total demanded is between $50 and $70 million. REvil has claimed that a million machines were compromised.

Jack Cable of the cybersecurity-focused Krebs Stamos Group pointed out that one of the gang’s affiliates said he could sell a “universal decryptor” for all the victims for $50 million. KSG has strong ties to the US Government, with co-founder Chris Krebs having served as the first Director of the Cybersecurity and Infrastructure Security Agency.

The Reuters news agency said it had been able to log on to the payment portal and chat with an operator who said the price was unchanged at $70 million, “but we are always ready to negotiate.”

Multiple sources have said that REvil is demanding that individual victim companies pay $45,000 in the cryptocurrency Monero to regain access to their systems, warning that the payment will double each week they fail to pay up.

Restoration could take weeks – Victims (6 July)

Mark Loman, director of engineering at cybersecurity firm Sophos said, “Depending on how big your business is and if you have backups, it can take weeks before you have restored everything, and as the supermarkets in Sweden have been impacted, they can lose a lot of food and revenue.”

New Zealand said on Monday that 11 schools and several kindergartens were affected by the ransomware attack.

“Of the 11 schools (out of roughly 2,500) we initially identified as possibly having been impacted by this global ransomware attack:

  • Two have confirmed they are not impacted as they have not used this software for some time
  • Two have confirmed they use the software and have been impacted by ransomware. They have taken steps to contain the issue which may have a short-term operational impact. There is no evidence of data loss at this stage
  • Seven also use the software but have no evidence of impact and have shut down the impacted services as a precautionary measure.”

CyberArk (6 July)

Lavi Lazarovitz, Sr. Director of Cyber Research, CyberArk Labs, updated us this morning on their read of the situation:

“The attack patterns in the compromise of the Kaseya VSA solution are reminiscent of the Cloud Hopper campaign. With Cloud Hopper, one phishing attack at one endpoint went on to impact hundreds of firms that had relationships with breached cloud providers. For one victim, the attack cycle continued for at least five years. If this attack bears any resemblance to previous examples, then we need to remember that for attackers, it’s all about capitalizing on network decentralization and connectivity. Why? Because this equates to scale…and impact. Most importantly, in the Kaseya incident, the attackers are focusing on the compromise of trusted software, trusted processes and trusted relationships. Targeting trusted services allows the threat actors to leverage this trust and the granted permissions and access. In early communications by Kaseya, the company warns of the criticality of shutting down the servers that VSA runs on, “because one of the first things the attacker does is shut off administrative access to the VSA.” Monitoring and protecting this admin, or privileged, access is critical to identifying and mitigating the risk of lateral movement and further network compromise. In the case of an MSP, controlling admin rights means attackers can gain incredible scale – likely across hundreds of the MSP’s customers. Privileged credentials continue to be the attackers’ ‘weapon of choice’ and are utilized in nearly every major targeted attack.”

Qualys (5 July)

Cloud Platform security and intelligence specialist Qualys was another respondent to our requests for commentary. Qualys services 19,000 global businesses in more than 130 countries.

“Supply chain attacks should be top of mind for all companies, including those using Managed Service Providers (MSP). It’s essential to do due diligence on who is hosting and managing your data.

While you can outsource the work, you can’t outsource the risk – almost everyone is susceptible to supply chain attacks.

Companies need to make sure they have the proper protocols and robust third-party risk assessments in place ahead of these attacks so they can respond efficiently. This way, if there is an attack, you have options for redundancies ready to be put in place, and you can pivot to an alternative solution with minimum impact on your business.”

Sophos Labs (5 July)

Sophos Labs was on to the attack early, and they provided us with a facsimile of the actual extortion notice:

Ross McKerchar, Sophos Vice President and Chief Information Security Officer said, “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organisations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions.”

Mark Loman, Sophos Director of Engineering, added to McKerchar’s statement, saying: “Sophos is actively investigating the attack on Kaseya, which we see as a supply chain distribution attack. The adversaries are using MSPs as their distribution method to hit as many businesses as possible, regardless of size or industry type. This is a pattern we’re starting to see as attackers are constantly changing their methods for maximum impact, whether for financial reward, stealing data credentials and other proprietary information that they could later leverage, and more. In other widescale attacks we’ve seen in the industry, such as WannaCry, the ransomware itself was the distributor – in this case, MSPs using a widely used IT management are the conduit.

“Some successful ransomware attackers have raked in millions of dollars in ransom money, potentially allowing them to purchase highly valuable zero-day exploits. Certain exploits are usually only deemed attainable by nation-states. Where ‘nation-states’ would sparingly use them for a specific isolated attack, in the hands of cybercriminals, an exploit for a vulnerability in a global platform can disrupt many businesses at once and have an impact on our daily lives.

“A day after the attack, it became more evident that an affiliate of the REvil Ransomware-as-a-Service (RaaS) leveraged a zero-day exploit that allowed it to distribute the ransomware via Kaseya’s Virtual Systems Administrator (VSA) software. Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environments.”

Based on Sophos threat intelligence, REvil has been active in recent weeks, including in the JBS attack, and is currently the dominant ransomware gang involved in Sophos’ defensive managed threat response cases.
