Kaseya VSA Supply-Chain Ransomware Attack

Discussion in 'malware problems & news' started by ronjor, Jul 2, 2021.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "REvil gang suddenly goes silent leaving victims unable to recover systems

    The dark web sites operated by the notorious REvil ransomware group suddenly went offline on Tuesday, prompting speculation that the US or Russian governments stepped in. Meanwhile, victims and the security companies working for them to recover data have been put in a more difficult situation...

    'Victims have been left without the ability to recover the decryption software necessary to restore encrypted networks, our clients being among them,' Mike Fowler, vice president of intelligence services at GroupSense, a company that provides ransom negotiation services, tells CSO. 'It is our hope that the organization responsible for the takedowns was able to gather the necessary software needed to provide the decryption keys when supplied with the victim-specific encryption keys. If not, we consider it computationally infeasible that the victims will be able to recover their data via other means'..."

    https://www.csoonline.com/article/3...eaving-victims-unable-to-recover-systems.html
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "Hacking group behind widespread ransomware attacks disappears online...

    'Someone went in and removed the IP address' linked to the domain hosting the group’s sites, said Dmitri Alperovitch, president of the think tank Silverado Policy Accelerator and former chief technology officer of the cyber firm CrowdStrike. The group’s blog is reachable on the dark web, a portion of the Internet that is not easily navigable by search engine, he said. But the more critical sites, which are used to negotiate with the group and receive decryption tools, are on the regular Internet, he said. All were down Tuesday...

    The reason behind the site outage is unclear...

    The servers do not appear to have been hacked, so this is unlikely to be an offensive cyber operation, Alperovitch said. He also said the fact that the domains were not fully seized made it doubtful that it was a law enforcement operation..."

    https://www.washingtonpost.com/technology/2021/07/13/revil-disappears-kaseya-hack/
     
    Last edited: Jul 14, 2021
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  4. guest

    guest Guest

    Morgan County Schools’ computers hit by holiday ransomware attack
    July 14, 2021
    https://www.morganmessenger.com/202...s-computers-hit-by-holiday-ransomware-attack/
     
  5. guest

    guest Guest

    Kaseya attack: "Yes, we can do something about this, and we should do something about this"
    July 16, 2021
    https://www.techrepublic.com/articl...t-this-and-we-should-do-something-about-this/
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but I assume that the other processes that were used in this attack were not whitelisted, so Sophos should have been able to block it. I'm talking about cmd.exe, cert.exe, msmpeng.exe and mpsvc.dll. They are all listed in the C:\Windows folder.
     
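The process names in the post above are worth turning into a concrete check. The following is an added example, not code from the thread or from any vendor: a small detector run over constructed, Sysmon-shaped process-creation (ID 1) and image-load (ID 7) events. It assumes "cert.exe" in the post refers to certutil.exe, that a genuine Defender engine only runs from the Defender install or Platform directories (DEFENDER_DIRS is an assumption to adjust per fleet), and that the paths, command lines and version string in SAMPLE_EVENTS are invented for the demonstration.

```python
import ntpath

# Directories from which a legitimate Microsoft Defender engine (MsMpEng.exe)
# and its mpsvc.dll are expected to run. Assumption for this example: extend
# the tuple if your fleet keeps the Defender platform somewhere else.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def under_defender_dir(path: str) -> bool:
    """True if path (compared case-insensitively) lies inside a known Defender directory."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in DEFENDER_DIRS)


def check_process(ev: dict):
    """Rules for process-creation events (Sysmon event ID 1 shaped dicts)."""
    name = ntpath.basename(ev["image"]).lower()
    if name == "msmpeng.exe" and not under_defender_dir(ev["image"]):
        # A signed Defender binary copied to C:\Windows is the side-loading host.
        return ("defender_engine_relocated", ev["image"])
    if name == "certutil.exe" and "-decode" in ev.get("cmdline", "").lower():
        # certutil used as a LOLBin to turn a base64 blob into an executable.
        return ("certutil_decode", ev["cmdline"])
    return None


def check_image_load(ev: dict):
    """Rules for image-load events (Sysmon event ID 7 shaped dicts)."""
    loaded = ev["loaded"]
    if ntpath.basename(loaded).lower() != "mpsvc.dll" or under_defender_dir(loaded):
        return None
    if ntpath.dirname(loaded).lower() == ntpath.dirname(ev["image"]).lower():
        # DLL sits next to the binary that loaded it: classic side-load.
        return ("mpsvc_sideload", loaded)
    return ("mpsvc_unexpected_path", loaded)


def detect(events):
    """Run every event through the rule for its event type; return the alerts in order."""
    alerts = []
    for ev in events:
        hit = None
        if ev["id"] == 1:
            hit = check_process(ev)
        elif ev["id"] == 7:
            hit = check_image_load(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs): two benign events from a
# genuine Defender install, a harmless cmd.exe, then the pattern described
# in the thread (decode, relocated engine, side-loaded mpsvc.dll in C:\Windows).
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0"
SAMPLE_EVENTS = [
    {"id": 1, "image": PLATFORM + r"\MsMpEng.exe", "cmdline": "MsMpEng.exe"},
    {"id": 7, "image": PLATFORM + r"\MsMpEng.exe", "loaded": PLATFORM + r"\mpsvc.dll"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Windows\payload.crt C:\Windows\payload.exe"},
    {"id": 1, "image": r"C:\Windows\MsMpEng.exe", "cmdline": "MsMpEng.exe"},
    {"id": 7, "image": r"C:\Windows\MsMpEng.exe", "loaded": r"C:\Windows\mpsvc.dll"},
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT {kind}: {detail}")
```

The point of keying on the directory rather than the file name is that the host binary is a genuinely signed Microsoft file, so hash or signature checks alone pass; what is abnormal is where it runs from and what it loads next to itself.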
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "Company hit by massive ransomware attack [Kaseya] obtains key to unlock customer files

    The company hit by a massive ransomware attack just before Fourth of July weekend said it has obtained a computer key to unlock the files of hundreds of companies.

    Kaseya, an information technology company, said it got the universal decryptor key from a 'trusted third party' and has validated that it works. Spokeswoman Dana Liedholm said Kaseya received the key yesterday and has been working with customers to roll it out...

    Liedholm declined to say whether Kaseya paid a ransom to obtain the key..."

    https://www.washingtonpost.com/technology/2021/07/22/kaseya-ransomware-revil-key/
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Wow. That's got to be a welcome relief for many affected and quite a revelation. Danged encryption anyway. What a horrific and dangerous discovery when in the hands of ruthless people of mischief. Just like wireless cellphones.
     
  9. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
  10. guest

    guest Guest

    Kaseya Says It Did Not Pay Ransom to Obtain Universal Decryptor
    July 26, 2021
    https://www.databreachtoday.com/kaseya-says-did-pay-ransom-to-obtain-universal-decryptor-a-17144
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities
    https://www.bleepingcomputer.com/ne...ched-kaseya-unitrends-backup-vulnerabilities/
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :thumb: Getting them lazies on the ball now. Wake-up call. Take security EXTRA seriously, don't lull into a false sense of confidence. Just occurred to me big dog services like this may have to get off the pot and start keeping equipment manned 24/7 instead of depending on pager alerts.
     
  14. guest

    guest Guest

    Kaseya's universal REvil decryption key leaked on a hacking forum
    August 11, 2021
    https://www.bleepingcomputer.com/ne...vil-decryption-key-leaked-on-a-hacking-forum/
     
  15. guest

    guest Guest

    Kaseya Ransomware Attack Update: New Authentication Patch Released
    August 12, 2021
    https://www.crn.com/news/channel-pr...tack-update-new-authentication-patch-released
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, not only Sophos but CrowdStrike also claims it would have been able to stop the Kaseya attack in this article:

    https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Big outfits like that always seem to be complacent until the inevitable issues their entire industry a rude wake-up call, taking anything and anyone peddling server security at their word that their product is the best. But to be fair, with so many vendors sparring for new enterprise customers it can be and always is a daunting task making the best decision. That's where company data security research enters the picture. Your company security and the security of your customer base is only as good as your IN-HOUSE Data Protection Specialist is. He is ultimately the one, or a board of them, who settles on the vendor they already determined is best suited for that occupation.
     
  18. guest

    guest Guest

    Kaseya patches Unitrends server zero-days, issues client mitigations
    August 26, 2021
    https://www.bleepingcomputer.com/ne...s-server-zero-days-issues-client-mitigations/
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "Attackers' fumble gave out Kaseya decryptor key

    The REvil cybercriminal group said the universal decryptor key for all victims of the Kaseya ransomware attack was accidentally released to victims by a coder.

    'Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine,' REvil wrote Friday morning on an illicit Russian-language forum called Exploit. 'One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we **** ourselves.'..."

    https://www.crn.com.au/news/attackers-fumble-gave-out-kaseya-decryptor-key-569723
     
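The quote above says the gang could issue "either a universal decryptor key or individual keys for each machine". That is only possible if the per-machine keys are wrapped under a higher key at infection time. The following is an added, illustrative model of such a hierarchy and is not REvil's code: symmetric key wrapping built from HMAC-SHA256 (stdlib only) stands in for whatever public-key scheme the group actually used, PLAINTEXT is a constructed stand-in for a victim file, and the function names are invented for the example. It shows why one leaked master key opens every machine in every campaign while a campaign key opens only its own.

```python
import hashlib
import hmac
import os

# Illustrative model only: operator master key > per-campaign key > per-machine key.
# Files are encrypted under the per-machine key; that key is then wrapped to the
# campaign key and to the master key and left behind in the note. The wrap here
# (HMAC-SHA256 keystream + HMAC tag) is a teaching stand-in, not a vetted cipher.

PLAINTEXT = b"constructed file contents: Q3 payroll"  # stands in for a victim file


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, producing `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC data under kek; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(kek, nonce, len(data))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError on a wrong key or tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def encrypt_machine(machine_id: str, campaign_key: bytes, master_key: bytes) -> dict:
    """What the payload leaves on one machine: the fresh per-machine key is used,
    wrapped twice, and discarded, so only the wrapped copies remain on disk."""
    machine_key = os.urandom(32)
    return {
        "machine": machine_id,
        "key_for_campaign": wrap(campaign_key, machine_key),
        "key_for_master": wrap(master_key, machine_key),
        "files": [wrap(machine_key, PLAINTEXT)],
    }


def machine_decryptor(master_key: bytes, note: dict) -> bytes:
    """Individual key for one machine: unwrap with the master and release only that."""
    return unwrap(master_key, note["key_for_master"])


def decrypt_with_machine_key(machine_key: bytes, note: dict) -> list:
    return [unwrap(machine_key, f) for f in note["files"]]


def decrypt_with_campaign_key(campaign_key: bytes, note: dict) -> list:
    """Affiliate-level decryptor: every machine of one campaign, nothing else."""
    return decrypt_with_machine_key(unwrap(campaign_key, note["key_for_campaign"]), note)


def decrypt_with_master_key(master_key: bytes, note: dict) -> list:
    """The 'universal' decryptor: every machine of every campaign."""
    return decrypt_with_machine_key(unwrap(master_key, note["key_for_master"]), note)


if __name__ == "__main__":
    master = os.urandom(32)
    campaign_a, campaign_b = os.urandom(32), os.urandom(32)
    notes = [encrypt_machine("a-1", campaign_a, master),
             encrypt_machine("a-2", campaign_a, master),
             encrypt_machine("b-1", campaign_b, master)]
    ok = all(decrypt_with_campaign_key(campaign_a, n) == [PLAINTEXT] for n in notes[:2])
    try:
        decrypt_with_campaign_key(campaign_a, notes[2])  # campaign A key vs campaign B machine
        ok = False
    except ValueError:
        pass
    ok = ok and all(decrypt_with_master_key(master, n) == [PLAINTEXT] for n in notes)
    print("hierarchy behaves as described" if ok else "mismatch")
```

The design consequence for victims is the one the thread keeps returning to: a per-machine key or a campaign key limits the blast radius of a release, but the master key that makes a "universal decryptor" convenient for the operator is also a single secret whose leak (by raid, by seizure, or by a misclick) undoes every campaign at once.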
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    "FBI held back ransomware decryption key from businesses to run operation targeting hackers...

    The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so...

    The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack...

    But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared. The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials..."

    https://www.washingtonpost.com/nati...9417d0-f15f-11eb-a452-4da5fe48582d_story.html
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The withholding certainly didn't stop REvil from coding BlackMatter, the new build (2.5) of which is a nastily pretty piece of work.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, so they are back at it again? Perhaps you can give some more info about BlackMatter, what's so nasty about it, is it using any new techniques and would tools like AppCheck and HMPA be able to stop it?
     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,939
    Location:
    UK
  24. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Rasheed187 - Think that is bad. Wait until they begin slamming our own (regular user's) ISP's on a wide scale and gum up those works too. Ugh
     