Massive Kaseya VSA Supply Chain Attack Infects Businesses with Revil Ransomware
A new colossal supply chain attack targeted thousands of businesses through Kaseya VSA.
Update: Since the initial Kaseya ransomware attack took place, the company has secured a universal ransomware decryptor and offered it to all its impacted customers that still had their files locked.
There is some doubt regarding the source of this decryptor, which Kaseya declared was acquired from a ‘trusted third party’. Some security researchers accused Kaseya of paying the ransom to the Revil ransomware gang, but Kaseya has officially denied the allegations.
Another point of contention between Kaseya representatives and security researchers emerged regarding how the aftermath of the attack is handled. It was brought to light that affected Kaseya customers must sign a Non-Disclosure Agreement before they can receive the decryptor. The NDA prevents them from sharing any details – or the decryptor – with any others. According to specialists in the field, signing such an NDA is highly irregular and not heard of before.
Because of the NDA, some security researchers are accusing Kaseya of either being untruthful about the source of the decryptor or of blocking research into this type of attack, research that could help the world become better at preventing future recurrences of the situation. Learning from past security disasters is key to preventing similar ones in the future, but for that, the code of the decryptor should be made available to all interested parties, just as it usually is for ransomware decryption tools, which are generally public.
Another supply chain vulnerability was successfully exploited by malicious hackers in order to target thousands of businesses through the initially infected host. This time, the entry point was the Managed Service Provider (MSP) platform Kaseya VSA, a cloud-based platform that allows its customers to perform patch management and client monitoring.
Just like the notorious SolarWinds supply chain hack from earlier this year, the attackers used the initial breach into the service provider in order to then hack as many of its customers as possible. The Kaseya hack resulted in the infection of hundreds of businesses with Revil Ransomware by the Sodinokibi Gang.
What Happened in the Kaseya VSA Supply Chain Attack?
Kaseya offers its customers a patch management solution, VSA. The Sodinokibi attackers breached Kaseya and then infected its customers through a VSA agent.crt file dropped to the c:\kworking folder, which is still being distributed as an update called ‘Kaseya VSA Agent Hot-fix.’
Part of Kaseya’s customer portfolio included another eight well-known Managed Service Providers (MSPs) that were breached along with their customers. “We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted,” John Hammond told BleepingComputer.
There is no definitive count known of the total number of companies that got encrypted with Revil ransomware via this Kaseya VSA supply chain attack, but we estimate there are close to a thousand. We will keep you updated as the situation develops.
How Can You Prevent This from Happening to You
Supply chains have tremendous advantages but can also pose a liability, as these notorious supply chain attacks have proven. To minimize your risk of being breached via a supply chain, you need to make sure that you sever all network connections to your supplier as soon as you get wind that they are no longer safe.
Evidence shows that it can happen to the best of us. We work with the highest-standard security technology and continuously research ways to improve it, but we believe it is every security provider’s responsibility to provide a course of action for its customers in order to cover even the most improbable and dire scenario.
Should you ever need to sever your connections to Heimdal™ until we let you know that everything is officially safe again, simply follow these steps from your local Firewall.
Meanwhile, don’t forget that even if a ransomware strain does make its way into your system, it is powerless to act if you have an encryption blocker installed. Heimdal™’s Ransomware Encryption Protection is a powerful solution that protects your endpoints from any unauthorized encryption attempt.