On Friday, July 2, 2021, an affiliate of the REvil ransomware-as-a-service operation delivered the REvil ransomware payload to dozens of Kaseya customers, including many managed service providers (MSPs) and, through them, thousands of their customers. Victims have been issued ransom demands scaled to the extent to which they were affected, starting at around $45,000 for small businesses and rising to $5 million for larger organizations.
The REvil gang posted on its data leak site that it would release a universal decryptor, capable of rapidly decrypting the files of all victims, if it received a $70 million payment in Bitcoin.
“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” according to the REvil post.
This attack differs from past REvil attacks in terms of scale. The gang has not performed such an extensive attack before, and some of the steps it typically takes appear to have been skipped. The gang usually exfiltrates data prior to file encryption and takes steps such as deleting Windows shadow volume copies to hamper recovery. That appears not to have happened in many, if not all, cases. Given the extent of the attack and the sheer number of affected companies, that is not surprising.
The attack appears to have been timed to coincide with the U.S. Independence Day weekend, when many businesses were due to close early and staffing levels were greatly reduced. This is typical of ransomware attacks, as it increases the chances of success. One of the previous attacks conducted by the REvil gang, on the meat processing company JBS Foods, was similarly timed to coincide with a federal holiday, in that case Memorial Day. This latest attack was far more extensive, however, and ranks as one of the largest ransomware attacks to date. Cybersecurity firm ESET reports there have been victims in at least 17 countries.
Several large MSPs are known to have been affected, including one German MSP that said several thousand of its customers had been affected. Two large Dutch MSPs were affected, VelzArt and Hoppenbrouwer Techniek, as were multiple MSPs in the United States. Huntress Labs said it is tracking around 20 MSP victims, through which over 1,000 of their customers suffered file encryption.
Kaseya detected the attack quickly and took rapid action to limit its extent. Kaseya CEO Fred Voccola said only between 50 and 60 customers out of approximately 37,000 were directly affected, and only on-premises customers running their own data centers. Customers that used its cloud-based services were not affected, although the cloud services were taken offline following the attack as a precaution.
A large percentage of the affected customers were MSPs. In addition to REvil ransomware being used to encrypt their files, the ransomware code was pushed out to their customers. It is currently unclear how many MSP customers have been affected, but the total is certainly well into the thousands. Voccola estimates the number of MSP customers affected by the attack to be in the low thousands. Most of those victims will be small businesses that use MSPs to handle their IT needs. “Dental practices, architecture firms, plastic surgery centers, libraries, things like that,” said Voccola. The full extent of the attack is not likely to be known for several days. Kaseya has been working closely with the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and cybersecurity forensics firms to investigate the breach.
“Our security, support R&D, communications, and customer teams continue to work around the clock in all geographies through the weekend to resolve the issue and restore our customers to service,” reported Kaseya on July 4, 2021. “We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24–48 hours but that is subject to change) on a geographic basis.”
Further details have now emerged on how the REvil affiliate gained access to Kaseya’s systems to attack its customers. Kaseya’s VSA remote monitoring and management tool was compromised, and its software update mechanism was abused to push ransomware out to customers in a July 2, 2021, software update.
It is currently unclear when Kaseya’s systems were initially compromised, but it is known that the attacker used an exploit for a ‘zero-day’ vulnerability. Kaseya had been made aware of several vulnerabilities by the Dutch Institute for Vulnerability Disclosure (DIVD) and was in the process of developing patches to correct those flaws. The vulnerabilities had not been made public, although CVEs had been reserved for them. “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” said Victor Gevers, chairman of DIVD.
Voccola said the attack was highly sophisticated and may not have been confined to exploiting the vulnerabilities in Kaseya code. He said that when cybersecurity firm Mandiant completes its investigation, it is likely to show that the attack also involved the exploitation of vulnerabilities in third-party software. “The level of sophistication here was extraordinary,” said Voccola.