Kaseya VSA Supply-Chain Ransomware Attack

Discussion in 'malware problems & news' started by ronjor, Jul 2, 2021.

  1. hawki

    hawki Registered Member

    Joined: Dec 17, 2008 | Posts: 5,598 | Location: DC Metro Area
    "REvil gang suddenly goes silent leaving victims unable to recover systems

    The dark web sites operated by the notorious REvil ransomware group suddenly went offline on Tuesday, prompting speculation that the US or Russian governments stepped in. Meanwhile, victims and the security companies working for them to recover data have been put in a more difficult situation...

    'Victims have been left without the ability to recover the decryption software necessary to restore encrypted networks, our clients being among them,' Mike Fowler, vice president of intelligence services at GroupSense, a company that provides ransom negotiation services, tells CSO. 'It is our hope that the organization responsible for the takedowns was able to gather the necessary software needed to provide the decryption keys when supplied with the victim-specific encryption keys. If not, we consider it computationally infeasible that the victims will be able to recover their data via other means'..."

    https://www.csoonline.com/article/3...eaving-victims-unable-to-recover-systems.html
     
  2. hawki

    hawki Registered Member

    Joined: Dec 17, 2008 | Posts: 5,598 | Location: DC Metro Area
    "Hacking group behind widespread ransomware attacks disappears online...

    'Someone went in and removed the IP address' linked to the domain hosting the group’s sites, said Dmitri Alperovitch, president of the think tank Silverado Policy Accelerator and former chief technology officer of the cyber firm CrowdStrike. The group’s blog is reachable on the dark web, a portion of the Internet that is not easily navigable by search engine, he said. But the more critical sites, which are used to negotiate with the group and receive decryption tools, are on the regular Internet, he said. All were down Tuesday...

    The reason behind the site outage is unclear...

    The servers do not appear to have been hacked, so this is unlikely to be an offensive cyber operation, Alperovitch said. He also said the fact that the domains were not fully seized made it doubtful that it was a law enforcement operation..."

    https://www.washingtonpost.com/technology/2021/07/13/revil-disappears-kaseya-hack/
     
    Last edited: Jul 14, 2021
  3. itman

    itman Registered Member

    Joined: Jun 22, 2010 | Posts: 8,394 | Location: U.S.A.
  4. mood

    mood Updates Team

    Joined: Oct 27, 2012 | Posts: 39,295
    Morgan County Schools’ computers hit by holiday ransomware attack
    July 14, 2021
    https://www.morganmessenger.com/202...s-computers-hit-by-holiday-ransomware-attack/
     
  5. mood

    mood Updates Team

    Joined: Oct 27, 2012 | Posts: 39,295
    Kaseya attack: "Yes, we can do something about this, and we should do something about this"
    July 16, 2021
    https://www.techrepublic.com/articl...t-this-and-we-should-do-something-about-this/
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004 | Posts: 14,373 | Location: The Netherlands
    Yes, but I assume that the other processes that were used in this attack were not whitelisted, so Sophos should have been able to block it. I'm talking about cmd.exe, cert.exe, msmpeng.exe and mpsvc.dll. They are all listed in the C:\Windows folder.
     
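As an added defender-side illustration (not code from the thread or from any vendor named in it): the post above points at MsMpEng.exe and mpsvc.dll sitting in C:\Windows. A simple detection is to flag an image-load event where a binary named MsMpEng.exe loads a DLL named mpsvc.dll from anywhere other than the directories where the genuine Defender engine is installed. The event line format and the list of trusted directories are assumptions for this example, and the log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Directories where the genuine Defender engine normally lives.
# Assumption for this example; adjust to the platform versions in your estate.
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed image-load events: "<timestamp> <process image> loaded <dll path>"
# (the shape a Sysmon ImageLoad event might be flattened into by a log pipeline).
SAMPLE_EVENTS = [
    r"2021-07-02T14:03:11 C:\Program Files\Windows Defender\MsMpEng.exe loaded C:\Program Files\Windows Defender\mpsvc.dll",
    r"2021-07-02T14:05:02 C:\Windows\MsMpEng.exe loaded C:\Windows\mpsvc.dll",
    r"2021-07-02T14:05:09 C:\Windows\System32\cmd.exe loaded C:\Windows\System32\kernel32.dll",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<image>.+?\.exe)\s+loaded\s+(?P<dll>.+\.dll)$",
    re.IGNORECASE,
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one flattened image-load line into timestamp, process image and DLL path."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def in_trusted_dir(path: str) -> bool:
    """True if the path sits directly under (or below) one of the trusted Defender directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DEFENDER_DIRS)


def is_suspicious_sideload(ev: Dict[str, str]) -> bool:
    """MsMpEng.exe loading mpsvc.dll is only expected from the trusted install directories."""
    image, dll = ev["image"].lower(), ev["dll"].lower()
    if not image.endswith("\\msmpeng.exe") or not dll.endswith("\\mpsvc.dll"):
        return False
    return not (in_trusted_dir(image) and in_trusted_dir(dll))


def find_sideloads(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the sideload pattern."""
    return [ev for ev in map(parse_event, lines) if ev and is_suspicious_sideload(ev)]
```

Running `find_sideloads(SAMPLE_EVENTS)` flags only the second constructed line (the copy of MsMpEng.exe loading mpsvc.dll from C:\Windows); the legitimate Defender load and the cmd.exe event pass.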
  7. hawki

    hawki Registered Member

    Joined: Dec 17, 2008 | Posts: 5,598 | Location: DC Metro Area
    "Company hit by massive ransomware attack [Kaseya] obtains key to unlock customer files

    The company hit by a massive ransomware attack just before Fourth of July weekend said it has obtained a computer key to unlock the files of hundreds of companies.

    Kaseya, an information technology company, said it got the universal decryptor key from a 'trusted third party' and has validated that it works. Spokeswoman Dana Liedholm said Kaseya received the key yesterday and has been working with customers to roll it out...

    Liedholm declined to say whether Kaseya paid a ransom to obtain the key..."

    https://www.washingtonpost.com/technology/2021/07/22/kaseya-ransomware-revil-key/
     
  8. EASTER

    EASTER Registered Member

    Joined: Jul 28, 2007 | Posts: 9,588 | Location: U.S.A. (South)
    Wow. That's got to be a welcome relief for many affected and quite a revelation. Danged encryption anyway. What a horrific and dangerous discovery when in the hands of ruthless people of mischief. Just like wireless cellphones.
     
  9. plat1098

    plat1098 Registered Member

    Joined: Dec 19, 2018 | Posts: 1,067 | Location: Brooklyn, NY
  10. mood

    mood Updates Team

    Joined: Oct 27, 2012 | Posts: 39,295
    Kaseya Says It Did Not Pay Ransom to Obtain Universal Decryptor
    July 26, 2021
    https://www.databreachtoday.com/kaseya-says-did-pay-ransom-to-obtain-universal-decryptor-a-17144
     
  11. EASTER

    EASTER Registered Member

    Joined: Jul 28, 2007 | Posts: 9,588 | Location: U.S.A. (South)
  12. itman

    itman Registered Member

    Joined: Jun 22, 2010 | Posts: 8,394 | Location: U.S.A.
    Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities
    https://www.bleepingcomputer.com/ne...ched-kaseya-unitrends-backup-vulnerabilities/
     
  13. EASTER

    EASTER Registered Member

    Joined: Jul 28, 2007 | Posts: 9,588 | Location: U.S.A. (South)
    Getting them lazy's on the ball now. Wake-up call. Take security EXTRA seriously, not lull into a false sense of confidence. Just occurred to me big dog services like this may have to get off the pot and start keeping equipment manned 24/7 instead of depending on pager alerts.
     
  14. mood

    mood Updates Team

    Joined: Oct 27, 2012 | Posts: 39,295
    Kaseya's universal REvil decryption key leaked on a hacking forum
    August 11, 2021
    https://www.bleepingcomputer.com/ne...vil-decryption-key-leaked-on-a-hacking-forum/
     
  15. mood

    mood Updates Team

    Joined: Oct 27, 2012 | Posts: 39,295
    Kaseya Ransomware Attack Update: New Authentication Patch Released
    August 12, 2021
    https://www.crn.com/news/channel-pr...tack-update-new-authentication-patch-released
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004 | Posts: 14,373 | Location: The Netherlands
    BTW, not only Sophos but CrowdStrike also claims it would have been able to stop the Kaseya attack in this article:

    https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/
     
  17. EASTER

    EASTER Registered Member

    Joined: Jul 28, 2007 | Posts: 9,588 | Location: U.S.A. (South)
    Big outfits like that always seem to be complacent until the inevitable issues their entire industry a rude wake-up call. Taking anything and anyone peddling server security for their word that their product is the best. But to be fair, with so many vendors sparring for new enterprise customers, it can and always is a daunting task making the best decision. That's where company data security research enters the picture. Your company security and the security of your customer base is only as good as your IN-HOUSE Data Protection Specialist is. He is ultimately the one, or a board of them, who settles on the vendor they already determined is best suited for that occupation.
     
  18. mood

    mood Updates Team

    Joined: Oct 27, 2012 | Posts: 39,295
    Kaseya patches Unitrends server zero-days, issues client mitigations
    August 26, 2021
    https://www.bleepingcomputer.com/ne...s-server-zero-days-issues-client-mitigations/
     
  19. hawki

    hawki Registered Member

    Joined: Dec 17, 2008 | Posts: 5,598 | Location: DC Metro Area
    "Attackers' fumble gave out Kaseya decryptor key

    The REvil cybercriminal group said the universal decryptor key for all victims of the Kaseya ransomware attack was accidentally released to victims by a coder.

    'Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine,' REvil wrote Friday morning on an illicit Russian-language forum called Exploit. 'One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we **** ourselves.'..."

    https://www.crn.com.au/news/attackers-fumble-gave-out-kaseya-decryptor-key-569723
     