Software Vendor Kaseya Suffers Massive Ransomware Attack
- By Dawna M. Roberts
- Published: Jul 15, 2021
- Last Updated: Mar 18, 2022
The notorious ransomware gang REvil strikes again, this time at IT management software vendor Kaseya. The gang encrypted data and demanded $70 million to unlock the files.
What Happened?
On Friday, IT management software vendor Kaseya experienced a ransomware attack. The bad actors crippled its remote monitoring system, VSA, and demanded the largest ever ransom of $70 million. As a result, Kaseya contacted its clients and shut down its on-premises servers for 24-48 hours until it was resolved.
Kaseya VSA software is a remote management platform for more than 36,000 managed service provider (MSP) customers across the globe.
The REvil ransomware gang claimed responsibility in a notice posted on its "Happy Blog," claiming to have infected more than a million systems and demanding a $70 million ransom (in Bitcoin) to unlock them all.
The message reads:
"On Friday, we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor - our price is $70 million in bitcoins, and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal - contact us."
Spiraling Out of Control
The attack is being called the latest "supply chain attack" because it spirals out to all of Kaseya's MSP customers, many of whom REvil has already contacted with ransom demands.
According to Data Breach Today, "It means damage from the clever and devastating supply-chain attack against Kaseya will likely grow in the coming days at an intense scale. The REvil administrators, or one of its affiliates, exploited several vulnerabilities in Kaseya's VSA remote management software, which is used by managed service providers, to deploy ransomware on the systems of at least hundreds if not thousands of organizations."
The attack was accomplished by REvil substituting ransomware for a legitimate software update rolled out to customers on Friday.
According to Bleeping Computer, REvil has contacted some providers demanding $5 million or $45,000 per encrypted file to unlock the data.
Patching the Bug
Ironically, Kaseya was already in the process of patching the same vulnerability that REvil exploited. Researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) had reported the zero-day vulnerabilities to Kaseya, and the company was in the process of patching them when the attack hit. DIVD chairman Victor Gevers said, "Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."
Gevers commended Kaseya by saying, "Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched."
Who is Kaseya?
Kaseya was founded in 2000; it is a Dublin-based company with headquarters in Miami. The company sells remote management software to hundreds of managed service providers.
The Aftermath
President Biden has launched a full-scale investigation into the attack and has prioritized bringing the Russia-based gang to justice.
Rumors spread quickly that the attack had "supply chain" written all over it, with REvil gaining access to Kaseya's infrastructure, but that was not the case. Instead, attackers used a zero-day vulnerability (CVE-2021-30116) to push ransomware to the company's customers.
Kaseya commented that "The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution." The company assured the public and investigators that "This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified."