Kaseya Attack Fallout: CISA, FBI Offer Guidance

Discover the aftermath of a massive ransomware attack attributed to the REvil cybergang targeting managed service provider Kaseya Limited. With claims of infecting 1 million systems and demanding a $70 million bitcoin ransom, the attack has affected thousands of companies globally, including sectors like finance, travel, and public services. Learn about the response from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), offering guidance and assistance to the victims. Explore mitigation strategies and insights into the attack's execution and impact, as well as ongoing investigations into its origins. Stay informed and prepared in the face of evolving cyber threats.

1/1/20253 min read

Following a brazen ransomware attack by the REvil cybergang, CISA and FBI offer guidance to victims.

The REvil cybergang is taking credit for Friday’s massive ransomware attack against managed service provider Kaseya Limited. The criminals behind the attack claim it infected 1 million systems tied to Kaseya services and are demanding $70 million in bitcoin in exchange for a decryption key. Federal authorities put the number of affected companies in the thousands.

The attack is massive, and considered the single biggest global ransomware attack on record. Affected are financial services, travel and leisure and public sector computer systems located across 17 countries. Swedish grocer Coop, it is reported, was forced to close 800 of its stores for more than two days because its cash register software supplier was impacted by the attack.

In related developments, the United States federal agency known as the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) offered assistance to those effected by the sweeping attack.


REvil Cybergang Takes Credit  

On Sunday, the prolific cybergang known as REvil posted a message to a hacker forum taking credit for the attack. The message stated:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims “readme” file instructions.” – REvil.

According to a detailed analysis of the REvil attack by Kaspersky, the gang (also known as Sodinokibi ransomware gang) has been active since April 2019 after the GrandCrab cybergang disbanded. “REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific Ransomware as a Service (RaaS) operations,” researchers wrote.


CISA and FBI Offer Guidance

In a statement released by the FBI on Saturday, the agency announced a coordinated investigation of the attack with CISA.

“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities,” according to a security alert.

The following day the FBI updated its guidance, encouraging impacted companies to follow newly developed mitigations and report the attack to the agency.

“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov.

CISA-FBI Guidance for MSPs and Kaseya Victims

Mitigation recommendations posted by CISA include:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.

  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.

  • Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or

  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

On Sunday, President Joe Biden ordered U.S. intelligence agencies to investigate the ransomware attack.

Bident said he and other US agencies were “not certain” was behind the attack. “The initial thinking was it was not the Russian government but we’re not sure yet,” he said.

Analysis of the Attack

An analysis of the attack by Kaspersky, said the attackers attacked systems by first deploying a malicious dropper via a PowerShell script which was executed through Kaseya’s software.

“This script disables Microsoft Defender for Endpoint protection features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique (T1574.002),” Kaspersky wrote.

According to researchers, more than 5,000 attack attempts were carried out by REvil in 22 countries.