Kaseya VSA ransomware attack
On 2 July 2021, about 60 managed service providers (MSPs) and their customers became victims of a ransomware attack perpetrated by the REvil group,[1][2] causing downtime for over 1,000 companies.[3][4] REvil carried out the attack by exploiting a vulnerability in VSA (Virtual System Administrator), a remote monitoring and management software package developed by Kaseya.[5] This was a form of supply chain attack.[6][7] REvil demanded about 70 million USD in Bitcoin as a ransom. On 23 July 2021, Kaseya announced that it had received a universal decryptor tool from a "trusted third party", and it helped customers restore their data. Kaseya said it did not pay the ransom. Two suspects were identified and one sentenced.[8][9]
Timeline and impact
Vulnerabilities
On 23 March 2021, Wietse Boonstra, a researcher at the Dutch Institute for Vulnerability Disclosure (DIVD), found six zero-day vulnerabilities in Kaseya VSA, and found a seventh on 2 April. DIVD contacted Kaseya on 6 April and worked with the company's experts to resolve four of the seven reported vulnerabilities. DIVD later published a blog post about finding the zero-days.[10]
Attack and response
Despite the advance warning from DIVD, Kaseya had not patched all of the reported bugs before REvil exploited them to deploy ransomware.[1][11] An authentication bypass vulnerability in the software let the attackers compromise VSA on 2 July and distribute a malicious payload to the hosts managed by the software,[12] which amplified the reach of the attack.[13] In response, Kaseya shut down its VSA cloud and SaaS servers and issued a security advisory to customers, including those running on-premises deployments of VSA.[14]
Initial reports of companies affected by the incident included the Norwegian financial software developer Visma, which manages some systems for the Swedish supermarket chain Coop.[15] Coop had to close its 800 stores for almost a week, some of them in small villages with no other food shop. The chain did not pay the ransom but rebuilt its systems from scratch after waiting for an update from Kaseya.[16]
The REvil ransomware gang publicly claimed responsibility for the attack and said it had encrypted more than one million systems during the incident. On 5 July 2021, REvil announced that it would release a universal decryptor, which would unlock all affected systems, in exchange for a ransom of 70 million USD paid in Bitcoin.[17][18] Also on 5 July, Kaseya said that between 800 and 1,500 downstream businesses had been impacted by the attack.[19] Along with Coop, impacted organizations included schools in New Zealand, companies in Germany and the United States,[20] and a town in Maryland.[21]
On 4 July 2021, the U.S. Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, stated that the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) were providing assistance to Kaseya and impacted customers.[22] After a 9 July 2021 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.[23][24] CISA released incident response guidance for affected customers on 12 July 2021.[25]
On 13 July 2021, REvil websites and other infrastructure vanished from the internet,[26] although they later returned.
Recovery
On 23 July, Kaseya announced it had received a universal decryptor key for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.[27] Kaseya worked with Emsisoft to create a decryption tool for customers using the key.[28] Kaseya said that it did not pay the ransom.[29] In September 2021, the Washington Post reported that the master key came from the FBI, which had secretly obtained the key earlier.[28]
Legal action
On 8 October 2021, Ukrainian national Yaroslav Vasinskyi was arrested in Poland in connection with the ransomware attack, pending extradition to the United States.[8] On 8 November 2021, the United States Department of Justice unsealed indictments against Vasinskyi, who was still in Polish custody, and another suspect, Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, facing a maximum sentence of 115 years in prison.[8][30] Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities, facing a maximum sentence of 145 years in prison.[8] In addition, the United States seized over $6 million in ransomware proceeds and collaborated with international law enforcement agencies and private cybersecurity firms to disrupt REvil's operations.[31]
On 3 March 2022, Vasinskyi was extradited to the United States and arraigned in Texas a few days later.[30] On 1 May 2024, he was sentenced to 13 years and seven months in prison and ordered to pay over $16 million in restitution for "his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments".[9] As of 23 June 2024, Polyanin was still wanted by the FBI and was believed to be living in Russia.[32]
Context
In 2018, CISA issued a public alert about attackers targeting managed service providers (MSPs) as a way to infiltrate their networks and the networks of their customers.[33] Former Kaseya employees said that they had raised concerns about company security practices between 2017 and 2020, and that there had been smaller ransomware attacks involving VSA in 2018 and 2019.[34][35]
This attack happened a few months after the May 2021 Colonial Pipeline ransomware attack.[36] It has been compared to the 2020 United States federal government data breach, which involved a supply chain attack on SolarWinds software.[6]
References
1. "Une cyberattaque contre une société américaine menace une multitude d'entreprises" (in French). Le Monde. 3 July 2021. https://www.lemonde.fr/pixels/article/2021/07/03/une-cyberattaque-etendue-contre-une-entreprise-americaine-menace-une-multitude-d-entreprises_6086896_4408996.html.
2. Scroxton, Alex (6 July 2021). "About 60 Kaseya customers hit by REvil". Computer Weekly. https://www.computerweekly.com/news/252503600/About-60-Kaseya-customers-hit-by-REvil.
3. Newman, Lily Hay (4 July 2021). "How REvil Ransomware Took Out Thousands of Business at Once". Wired. https://www.wired.com/story/revil-ransomware-supply-chain-technique/. Retrieved 12 November 2021.
4. McMillan, Robert (4 July 2021). "Ransomware Attack Affecting Likely Thousands of Targets Drags On". Wall Street Journal. ISSN 0099-9660. https://www.wsj.com/articles/ransomware-group-behind-meat-supply-attack-threatens-hundreds-of-new-targets-11625285071.
5. Osborne, Charlie (23 July 2021). "The Kaseya ransomware attack: Everything we know so far". ZDNet. https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/.
6. Ghanbari, Hadi; Koskinen, Kari; Wei, Yijuan (15 November 2024). "From SolarWinds to Kaseya: The rise of supply chain attacks in a digital world". Journal of Information Technology Teaching Cases. doi:10.1177/20438869241299823. ISSN 2043-8869. https://journals.sagepub.com/doi/10.1177/20438869241299823.
7. Barrett, Brian. "A New Kind of Ransomware Tsunami Hits Hundreds of Companies". Wired. ISSN 1059-1028. https://www.wired.com/story/kaseya-supply-chain-ransomware-attack-msps/.
8. "Ukrainian Arrested and Charged with Ransomware Attack on Kaseya". United States Department of Justice. 8 November 2021. https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya.
9. "Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme". Office of Public Affairs, United States Department of Justice. 1 May 2024. https://www.justice.gov/opa/pr/sodinokibirevil-affiliate-sentenced-role-700m-ransomware-scheme.
10. "CASE: KASEYA". DIVD. 2 December 2021. https://www.divd.nl/newsroom/articles/case-kaseya/.
11. "The Unfixed Flaw at the Heart of REvil's Ransomware Spree". Wired. 8 July 2021. https://www.wired.com/story/revil-ransomware-kaseya-flaw-fix-disclosure-april/. Retrieved 7 April 2022.
12. Hammond, John. "Rapid Response: Mass MSP Ransomware Incident". Huntress. https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident#update-12.
13. De Vynck, Gerrit; Gregg, Aaron; Lerman, Rachel (6 July 2021). "Ransomware attack struck between 800 and 1,500 businesses, says company at center of hack—Kaseya's software touches hundreds of thousands of firms, but company says vast majority were unaffected". The Washington Post. https://www.washingtonpost.com/business/2021/07/06/kaseya-ransomware-attack-victims/. Retrieved 6 July 2021.
14. Giles, Martin (3 July 2021). "A New Wave Of Ransomware Has Been Sparked By A Cyberattack On Tech Provider Kaseya". Forbes. https://www.forbes.com/sites/martingiles/2021/07/03/ransomware-attacks-sparked-by-cyberattack-on-kaseya/.
15. Tidy, Joe (3 July 2021). "Swedish Coop supermarkets shut due to US ransomware cyber-attack". BBC News. https://www.bbc.co.uk/news/technology-57707530.
16. Greig, Jonathan (26 July 2021). "Kaseya denies paying ransom for decryptor, refuses comment on NDA". ZDNet. https://www.zdnet.com/article/kaseya-denies-paying-ransom-for-decryptor-refuses-comment-on-nda/.
17. "Gang behind huge cyber-attack demands $70m in Bitcoin". BBC News. 5 July 2021. https://www.bbc.com/news/technology-57719820.
18. Tung, Liam (5 July 2021). "Kaseya ransomware attack: US launches investigation as gang demands giant $70 million payment". ZDNet. https://www.zdnet.com/article/kaseya-ransomware-attack-us-launches-investigation-as-gang-demands-giant-70-million-payment/.
19. Satter, Raphael (5 July 2021). "Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says". Reuters. https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/.
20. "Biden says ransomware attack caused 'minimal damage' to U.S. companies". Reuters. 6 July 2021. https://www.reuters.com/technology/florida-it-firm-says-ransomware-attack-didnt-harm-critical-infrastructure-2021-07-06/.
21. "'Shut down everything': Global ransomware attack takes a small Maryland town offline". The Washington Post. 8 July 2021. ISSN 0190-8286. https://www.washingtonpost.com/technology/2021/07/08/kaseya-ransomware-attack-leonardtown-maryland/.
22. "Statement by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger on Reporting Kaseya Compromises". The American Presidency Project. 4 July 2021. https://www.presidency.ucsb.edu/documents/statement-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne.
23. "Biden tells Putin Russia must crack down on cybercriminals". Associated Press. 9 July 2021. https://apnews.com/article/joe-biden-europe-technology-government-and-politics-russia-df7ef73f02bcba61ad6e628aa95a9f84.
24. Sanger, David E. (13 July 2021). "Russia's most aggressive ransomware group disappeared. It's unclear who disabled them." The New York Times. https://www.nytimes.com/2021/07/13/us/politics/russia-hacking-ransomware-revil.html.
25. "Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers". CISA. 12 July 2021. https://www.cisa.gov/news-events/news/kaseya-ransomware-attack-guidance-affected-msps-and-their-customers.
26. Fung, Brian; Cohen, Zachary; Sands, Geneva (13 July 2021). "Ransomware gang that hit meat supplier mysteriously vanishes from the internet". CNN. https://www.cnn.com/2021/07/13/tech/revil-ransomware-disappears/index.html.
27. "Ransomware key to unlock customer data from REvil attack". BBC News. 23 July 2021. https://www.bbc.com/news/technology-57946117.
28. "FBI held back ransomware decryption key from businesses to run operation targeting hackers". The Washington Post. 21 September 2021. ISSN 0190-8286. https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html.
29. Lerman, Rachel (22 July 2021). "Company hit by massive ransomware attack obtains key to unlock customer files". The Washington Post. ISSN 0190-8286. https://www.washingtonpost.com/technology/2021/07/22/kaseya-ransomware-revil-key/.
30. "Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas". Office of Public Affairs, United States Department of Justice. 9 March 2022. https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas.
31. "Justice Department seizes $6 million as part of crackdown on hackers linked to Kaseya attack". The Hill. 8 November 2021. https://thehill.com/policy/cybersecurity/580585-justice-department-seizes-million-as-part-of-crackdown-on-hackers-linked/.
32. "Yevgeniy Igorevich Polyanin". FBI. 23 June 2024. https://www.fbi.gov/wanted/cyber/yevgeniy-igorevich-polyanin.
33. "Advanced Persistent Threat Activity Exploiting Managed Service Providers". CISA. 30 June 2020. https://www.cisa.gov/news-events/alerts/2018/10/03/advanced-persistent-threat-activity-exploiting-managed-service-providers.
34. "Kaseya Failed to Address Security Before Hack, Ex-Employees Say". Bloomberg. 10 July 2021. https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say.
35. O'Brien, Matt (13 July 2021). "Firm hacked to spread ransomware had previous security flaws". Associated Press. https://apnews.com/article/europe-business-technology-hacking-db3e5f615629bb225259efaf7fdf378c.
36. Bhunia, Suman; Blackert, Matthew; Deal, Henry; DePero, Andrew; Patra, Amar (January 2025). Rifà-Pous, Helena (ed.). "Analyzing the 2021 Kaseya Ransomware Attack: Combined Spearphishing Through SonicWall SSLVPN Vulnerability". IET Information Security 2025 (1). doi:10.1049/ise2/1655307. ISSN 1751-8709. https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2/1655307.
