After the bold ransomware attack led by the REvil cyber criminal gang, CISA and the FBI issued guidance for affected enterprises.

The REvil cyber gang claimed responsibility for Friday’s massive ransomware attack that hit the IT firm Kaseya Ltd. The actors behind the attack allege that it disrupted 1 million systems tied to Kaseya services, and they are demanding $70 million in bitcoin in exchange for decryption tools. Hundreds of organizations were affected.

The attack has been dubbed the largest ransomware attack on record. Firms in the financial services, travel and public sectors were affected across 17 countries. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) provided support to affected organizations.

This software supply chain attack is believed to have touched as many as 1,500 firms, including managed service providers (MSPs), which manage networks on behalf of other firms.

REvil attack, deep-dive

On Sunday, the REvil cyber gang left a message in an online forum, indicating their culpability. The message read:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims ‘readme’ file instructions. – REvil.”

According to a detailed analysis, REvil emerged in April of 2019, after the GandCrab cyber gang disbanded. The REvil ransomware group has made appearances on underground forums for years. It’s known for its Ransomware-as-a-Service (RaaS) operations.

CISA and FBI: Kaseya update

On Saturday, the FBI released a statement announcing that it is investigating the attack in tandem with CISA.

“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities,” read a security alert.

Since then, the FBI has updated its guidance, telling affected companies to adhere to newly developed mitigations. Attacks should also be reported to the FBI and CISA, they said.

“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov.”

CISA recommends the following mitigations:

  • Download the Kaseya VSA Detection Tool. Systems can be analyzed for indicators of compromise (IoC) via this tool.
  • Deploy and enforce multi-factor authentication (MFA) on accounts that are under your organization’s control, especially for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities.
  • In addition, keep administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated admin system.

On Sunday, US President Joe Biden asked intelligence agencies to learn more about this attack. At the time, Biden stated that uncertainty surrounded the exact perpetrators.

Analysis of attack

An analysis of the attack found that the attackers hit systems by initially deploying a malicious dropper via a PowerShell script. This was executed via Kaseya’s software.

The script disables Microsoft Defender for Endpoint protection features. It then leverages the certutil.exe utility to identify a malicious executable (agent.exe). This drops a Microsoft binary and malicious library, which make up the REvil ransomware. A side-loading technique is then used to load the legitimate Microsoft binary.
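For defenders, the chain described above can be hunted in process-creation logs. The following Python is an added example, not code from the cited analysis, CISA or Kaseya: it tags command lines for Defender settings being switched off, certutil use and agent.exe, and alerts when certutil runs shortly after Defender tampering on the same host. The event format, host names, paths, certutil arguments and the 300-second window are assumptions, as is the use of the Set-MpPreference cmdlet as the tampering signal.

```python
import re
from collections import defaultdict

# Behaviours named in the analysis, matched on process-creation command lines.
RULES = {
    # Set-MpPreference switching any -Disable* setting on (assumed tampering signal)
    "defender_tamper": re.compile(r"set-mppreference\b.*-disable\w+\s+(\$true|1)\b", re.I),
    "certutil_use": re.compile(r"\bcertutil(\.exe)?\b", re.I),
    "agent_exe": re.compile(r"(?<![\w.-])agent\.exe\b", re.I),
}

def tag(cmd):
    """Return the names of the rules that match one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}

def correlate(events, window=300):
    """Alert on hosts where certutil runs within `window` s after Defender tampering."""
    hits = defaultdict(list)
    for ev in events:
        for name in tag(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], name))
    alerts = {}
    for host, seen in hits.items():
        tamper = [ts for ts, n in seen if n == "defender_tamper"]
        cert = [ts for ts, n in seen if n == "certutil_use"]
        if any(0 <= c - d <= window for d in tamper for c in cert):
            alerts[host] = sorted({n for _, n in seen})
    return alerts

# Constructed sample events (hosts, paths, arguments and timestamps are made up).
SAMPLE = [
    {"host": "ws-01", "ts": 1000, "cmd": r"powershell.exe Set-MpPreference "
     r"-DisableRealtimeMonitoring $true -DisableScriptScanning $true; "
     r"certutil.exe -decode C:\example\in.tmp C:\example\agent.exe; C:\example\agent.exe"},
    {"host": "ws-02", "ts": 1010, "cmd": r"certutil.exe -hashfile C:\example\setup.msi SHA256"},
    {"host": "ws-03", "ts": 1020, "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"},
    {"host": "ws-04", "ts": 1030, "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws-04", "ts": 9000, "cmd": r"certutil.exe -verify C:\example\cert.cer"},
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE).items():
        print(host, names)
```

Routine certutil use (ws-02), re-enabling protection (ws-03) and events far apart in time (ws-04) do not alert; only the correlated sequence on ws-01 does.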

Researchers state that more than 5,000 attack attempts have been executed by REvil across 22 nations.

For more on this story, check out Cyber Talk’s earlier coverage.