Week of Monday, June 28, 2021 | Issue 25
Alexandros Kouiroukidis, Hubert Zhang, Counterintelligence and Cyber (CICYBER) Team
Date: July 2, 2021
Parties involved: REvil; Kaseya
The event: Over one thousand companies worldwide were hit with a ransomware supply chain attack by Russia-based ransomware syndicate REvil. REvil compromised the server component of Kaseya Limited's Virtual System Administrator (VSA) software; Kaseya supplies software to more than thirty thousand businesses. The attackers used an exploit that caused the VSA server to deliver the ransomware, disguised as a system update, to approximately 60 managed service providers (MSPs). The MSPs then delivered the ransomware to roughly one thousand companies that use Kaseya's VSA software.
The attack comes shortly after U.S. President Joe Biden pressured Russia to rein in cybercriminal activity and warned that critical infrastructure is off-limits to cyber attacks. This incident puts increased pressure on President Biden to confront Russia regarding cybercrime and will likely have a negative impact on already tense US-Russia relations. The attack appears to be financially motivated, though there may be other incentives such as espionage.
The attack illustrates cybercriminals’ ability to spread malware through thousands of companies and organizations via information technology (IT) vendors and software-as-a-service (SaaS) companies, as was the case in the similar SolarWinds supply chain attack, launched by Russian state-sponsored hackers in late 2019. Given the number of affected companies, this attack could be the largest ransomware attack on record. Supply chain attacks have the potential to reach a higher volume of targets than other cyber attacks, as the supplier can deliver the malware to all its customers and client companies. However, this also has the potential of infecting more targets than the attacker can handle. Some cybersecurity experts suggest that the attack was poorly planned, as the high number of victims has overwhelmed REvil and slowed their operations. Cybercriminal groups may seek to emulate this attack by mixing ransomware and supply chain attack tactics. This would be highly concerning given the wide range of industries and organizations, many in critical infrastructure sectors, that rely on SaaS companies and IT management services.
REvil initially demanded a ransom of $70 million USD in return for the decryption of locked files but soon reduced it to $50 million USD. If paid, it would be the largest ransomware payout to date. The encrypted data may include personal and financial records as well as login credentials of affected companies' employees and customers. If leaked online, this data would pose a risk of identity theft and would negatively impact the reputations of, and consumer trust in, Kaseya and the affected companies.
The attack is part of REvil’s aggressive ransomware campaigns targeting critical resources and infrastructures. This attack has so far severely impacted education and grocery supplies, hitting eleven schools in New Zealand and causing five hundred Coop grocery stores in Sweden to close. Businesses that provide essential goods and services may be more likely to make ransom payments quickly to resume operations as soon as possible. REvil, its clients, and other cybercriminal groups and individuals will become emboldened if payments are made as a result of this attack. It is highly likely that ransomware attacks against critical resources and infrastructures will continue to grow in scale and frequency.
REvil utilized a zero-day exploit — an exploit or vulnerability that has not yet been publicly disclosed — to cause Kaseya's VSA server to deliver ransomware to the MSPs and their client companies and customers. However, the vulnerability had been known to Kaseya before the attack. Researchers at the Dutch Institute for Vulnerability Disclosure (DIVD), which reports cyber vulnerabilities to the public, informed Kaseya of the bug weeks before the attack; they allegedly kept the details private out of concern that public disclosure would invite attacks. Kaseya was in the process of developing a patch for the vulnerability when the attack occurred. This raises the possibility of a leak of confidential company information or of an insider threat. Zero-day exploits are regarded as near-impossible to defend against. An increase in insiders colluding with ransomware groups would make zero-day ransomware attacks more common.
REvil has offered a universal decryptor for all affected companies in return for $50 million USD, but it is unlikely that the full payment will be made. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are currently investigating the incident and have offered assistance and guidelines for affected individuals and organizations. Should affected companies decide to pay separate ransoms, it will be difficult for the REvil gang to manage numerous Bitcoin payments while remaining undetected by law enforcement. Roughly half of the Bitcoin ransom paid in the Colonial Pipeline ransomware attack was recovered by the U.S. FBI. If REvil can successfully receive and retain ransom payments through Bitcoin, the U.S. and the international community will need to consider actions to curb cryptocurrency-related crimes.
The Counterterrorism Group (CTG)
Remarks by President Biden in Press Conference, The White House, June 2021, https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/06/16/remarks-by-president-biden-in-press-conference-4/
'REvil' Cyber Attack Leaves U.S. Businesses Scrambling on July 4 Weekend, CBS SF Bay Area, July 2021, https://sanfrancisco.cbslocal.com/2021/07/03/revil-cyber-attack-leaves-july-4-weekend-ransomware/
Ransomware Hackers May Be in Over Their Heads. They May Not Even Get Paid, The Daily Beast, July 2021, https://www.thedailybeast.com/revil-ransomware-hackers-may-be-in-over-their-heads-they-may-not-even-get-paid?source=articles&via=rss
Hackers reportedly lower ransom demand to restore data to $50M, The Hill, July 2021, https://thehill.com/policy/cybersecurity/561657-hackers-lower-ransom-demand-to-restore-data-to-50m
The 10 Biggest Ransomware Attacks of 2021, Touro College Illinois, June 2021, https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
Fallout continues from biggest global ransomware attack, Independent, July 2021, https://www.independent.co.uk/news/fallout-continues-from-biggest-global-ransomware-attack-russia-fbi-boston-sweden-dmitry-peskov-b1878507.html
Dutch researchers shed new light on Kaseya vulnerabilities, SearchSecurity, July 2021, https://searchsecurity.techtarget.com/news/252503766/Dutch-researchers-shed-new-light-on-Kaseya-vulnerabilities
FBI Statement on Kaseya Ransomware Attack, Federal Bureau of Investigation, July 2021, https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-kaseya-ransomware-attack