
REvil ransomware attackers hit Kaseya

NOTE: This article was updated on July 9, 20:20 BST. Updated timeline and added phishing campaign details.

NOTE: This article was updated on July 13, 16:00 BST. Updated timeline.

The software vendor Kaseya, whose IT management software is used by companies globally, has been hit with a $70mn ransom demand in return for a universal decryption key after being attacked by REvil. Read on to learn the basics of the attack and a summary of the response timeline.

About Kaseya

Kaseya claims to provide ‘complete, automated IT management software for MSPs and IT Teams’, meaning that many businesses’ own IT processes rely on Kaseya’s software. According to its website, the software is used to manage IT security, software patching, backup and more. Over 1,000 businesses that use the software, directly or through an IT provider, may have been affected.

About the attack

This is essentially a supply chain attack. On July 2, Kaseya claimed that fewer than 40 of its customers were directly affected. However, those customers are largely managed service providers (MSPs) that use Kaseya VSA, a remote monitoring and management tool, to administer their own clients’ systems. A compromised VSA deployment can push software to every endpoint it manages, which is why the actual number of affected companies is believed to be much higher.

Impact

One of the major victims of the attack was the Swedish supermarket chain Coop, which had to close about 500 of its 800 stores, according to the BBC. The supermarket was not actually a target, but as Kaseya is indirectly used in their IT systems (provided by one of Coop’s IT suppliers) the attack caused the business severe disruption.

Another major aspect of the attack is timing. It was noticed late on Friday, July 2, immediately before the US Independence Day long weekend, when many IT teams were short-staffed and slower to respond.

Read the Reuters report here: https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/

Update: Scammers are now exploiting the news to target affected companies with fraudulent phone calls and emails posing as Kaseya and its partners. Kaseya asks that you do NOT click links or open attachments in any such emails.
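One way to turn Kaseya’s guidance into a mailbox triage rule, as an added example that is not Kaseya’s code or guidance: any message invoking Kaseya that carries a link or an attachment, or that does not come from Kaseya’s own domain, is flagged for a human to check rather than acted on. The legitimate sender domain (assumed here to be kaseya.com; confirm against Kaseya’s own notices), the two sample messages and their addresses are all constructed for the example.

```python
"""Triage rule for mail that claims to come from Kaseya.

Added example, not Kaseya's code. It encodes the policy in the article:
legitimate Kaseya notices carry no links or attachments, so a message that
invokes Kaseya and carries either is suspect, as is one sent from a domain
other than Kaseya's. LEGIT_DOMAIN and the sample messages are assumptions
constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr

LEGIT_DOMAIN = "kaseya.com"  # assumed; verify against Kaseya's own guidance
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the address in the From header, lowercased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def mentions_kaseya(msg):
    """True if the subject, sender display name or body text names Kaseya."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    haystack = str(msg.get("Subject", "")) + str(msg.get("From", "")) + text
    return "kaseya" in haystack.lower()


def find_urls(msg):
    """All http(s) URLs in the non-attachment text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def find_attachments(msg):
    """Filenames of every attachment part (unnamed parts are still reported)."""
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def triage(raw):
    """Return a list of findings for a raw RFC 5322 message; [] means clean.

    Messages that do not mention Kaseya are out of scope for this rule.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if not mentions_kaseya(msg):
        return findings
    domain = sender_domain(msg)
    if domain != LEGIT_DOMAIN and not domain.endswith("." + LEGIT_DOMAIN):
        findings.append(f"sender domain {domain!r} is not {LEGIT_DOMAIN}")
    urls = find_urls(msg)
    if urls:
        findings.append(f"contains {len(urls)} link(s): {urls}")
    attachments = find_attachments(msg)
    if attachments:
        findings.append(f"contains attachment(s): {attachments}")
    return findings


# Constructed sample: a lure posing as a Kaseya hotfix notice. The sender
# domain, URL and attachment are invented; the payload bytes are filler.
PHISH = b"""From: Kaseya Support <support@kaseya-updates.example>
To: admin@example.org
Subject: URGENT: Kaseya VSA hotfix
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Install the attached hotfix and confirm at https://kaseya-updates.example/confirm
--b1
Content-Type: application/octet-stream; name="hotfix.exe"
Content-Disposition: attachment; filename="hotfix.exe"
Content-Transfer-Encoding: base64

AAAAAAAA
--b1--
"""

# Constructed sample: a plain-text notice with no links or attachments.
LEGIT = b"""From: Kaseya <notices@kaseya.com>
To: admin@example.org
Subject: Kaseya VSA status update

The SaaS restoration is proceeding. This message contains no links or attachments.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw) or "no findings")
```

The rule deliberately reports every reason a message is suspect rather than stopping at the first, so an analyst sees both the spoofed domain and the lure in one line. It is a triage aid, not a verdict: a message from the right domain with no links can still be forged, so the sender domain check should be backed by SPF/DKIM/DMARC results from the receiving mail server.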

About the attackers

REvil are said to be behind the attack. The same group is also responsible for the attack on US meat producer JBS just over a month ago. The name is short for Ransomware Evil, but the group also goes by the name Sodinokibi. It is likely that they are based in Russia, as they appear to avoid targeting companies in Russia or affiliated nations. This has led to increased political tensions between the US and Russia, with the US asking Putin to take action to stop such attacks.

The group, described as a ransomware-as-a-service operation, often posts stolen data on its ‘Happy Blog’, a leak site accessible via the dark web, to pressure victims into paying. Its activities have become increasingly disruptive recently.

Kaseya’s response

Below is a summary of the official Kaseya response timeline (times in EDT):

UP-TO-DATE AS OF JULY 9 15:20 EDT – Note that Kaseya edits, changes and removes some details as time progresses.

  • July 2 4PM – Attack under investigation, SaaS servers shut down
  • July 2 10PM – CEO of company claims the effect was relatively minimal and that ‘teams executed that [response] plan perfectly today’
  • July 3 10:30AM – Update posted suggesting all on-premise Kaseya VSA servers should stay offline, and that SaaS servers also remained offline
  • July 3 1:30PM – Engaged with FBI. Engaging with affected customers, industry experts etc.
  • July 3 9PM – Detection tool announced. Suggest customers begin recovery. CEO commits to giving interview on ABC’s Good Morning America. Engaged with FireEye security firm
  • July 4 10AM – Staged return of SaaS, with additional security measures and functionality restrictions. On-premise to remain offline.
  • July 4 5:30PM – Focus shifted to recovery. Legacy functionality to be removed
  • July 4 11PM – Executives decided more time is needed before restoring datacentres.
  • July 5 1PM, 6:30PM – Again felt more time needed. Patches started to be distributed.
  • July 5 9:30PM – Estimate provided for bringing SaaS servers online, on-premise patch to release shortly after
  • July 6 12PM – Delayed bringing SaaS servers online by 2 hours. Details of better security measures announced
  • July 6 7:30PM – SaaS deployment began at 4PM but yet to be online.
  • July 6 10PM – An issue was discovered during VSA SaaS deployment. The rollout has been delayed.
  • July 7 8AM – The issue has NOT been resolved.
  • July 7 12PM – An announcement regarding a runbook of changes for on-premise customers to make. SaaS issue to be fixed by the evening of July 8.
  • July 7 3PM – More details on the runbook.
  • July 7 7PM – Resetting timelines for deployment. Apology for delay.
  • July 7 9:45PM – Runbook published.
  • July 8 1:30PM – Patch announced for July 11 4PM EDT. Runbooks updated.
  • July 8 5PM – Video messages from CEO and CTO.
  • July 9 9AM – Message regarding phishing campaign. Emails to customers will no longer contain any links/attachments.
  • July 9 12PM – Phishing reminder. Warning of fraudulent phone calls.
  • July 10 9:30AM – On-track with patches (July 11 target)
  • July 10 2PM – Largely a repeat of previous update, announcement of video message from EVP.
  • July 10 3:30PM – Video uploaded
  • July 11 10:30AM – Handbook updated.
  • July 11 12:15PM – New video message.
  • July 11 4:30PM – Patch notes for VSA released. SaaS infrastructure restoration started. On-premise patch released.
  • July 11 10PM – 60% SaaS customers online. Providing support. Deployment on-track
  • July 12 12:15PM – Unplanned maintenance from 12:00 PM to 2:00 PM EDT to address performance issues, including a server restart. 20 min downtime expected
  • July 12 3:30PM – Maintenance complete, all instances live. Performance issues resolved.

A dangerous trend

Recently, cyberattacks such as these have become bigger, more ambitious and more prominent. This has led to increased awareness of the importance of cybersecurity measures, as well as political tensions, particularly with Russia and China. It is one of the key concerns for business and government leaders as they seek to protect valuable information from attackers.