EXECUTIVE SUMMARY:

How would you respond if your clients were suddenly affected by ransomware? This firm stepped up to the plate, serving as an example for other enterprises.

On July 2nd, Dutch technology provider, VelzArt, fell victim to the Kaseya ransomware attack. VelzArt provides and manages technologies for smaller businesses. After the attack hit, VelzArt worked 24/7 to transport affected clients’ computers back to their corporate headquarters for repair. At that point in time, there was no Kaseya vsa patch (or anything along those lines).

VelzArt retains just over 30 employees and represents one of hundreds of organizations affected by the Kaseya ransomware episode. The vast majority of the firm’s clients felt the shock of the Kaseya breach.

VelzArt’s clients

VelzArt elected not to pay a ransom to hackers. Its customers also avoided extortion. But how, given that the Kaseya vsa patch rollout took some time?

On July 2nd, the day of the attack, systems that were switched on between 6pm and 8pm experienced disruptions. The ransomware fully encrypted some systems, while leaving others partially accessible.

After learning of the attack, VelzArt staff hastily fixed client computers over the weekend as to enable them to function in time for business hours on Monday. Non-VelzArt tech employees from other IT services groups in the Netherlands also lent a hand.

Experts were largely able to restore systems remotely. Shortly thereafter, all client systems were operating normally; Kasya vsa patch or not.

Unlike most firms that experience ransomware attacks, VelzArt blogged extensively about how the attack affected customers. The firm also meticulously detailed the process underway to render clients’ computers functional again. Everyone received a thank you for their help, patience and understanding.

Important lessons from VelzArt

  • Communication. The firm immediately communicated critical information to clients. A variety of communication tools played a role; phone, mail, newsletters. As noted previously, the company’s blog also functioned as an integral element of the communication initiative.
  • Backups. VelzArt states that the affected servers and workstations that it dealt with could be restored from backups without major issues. While restoring from backups takes time, in this instance, it prevented organizations from paying ransoms.
  • Collaborative recovery. In recovering from the Kaseya ransomware attack, VelzArt received help from outside talent. This made the restoration process faster and smoother than it would have been otherwise.

To meet specific management needs for customers, VelzArt started a partnership with Kaseya in 2010. VelzArt was in the process of transitioning to a different remote administration platform when the Kaseya attack struck. A handful of its 500 customers still relied on Kaseya’s technologies at the time of the attack.

Kaseya attack fallout

Reverberations from the Kaseya attack were felt among supermarket chains, kindergartens, and Swedish train operators, among other groups. The REvil hackers responsible for the attack had initially asked for $70 million bitcoin from Kaseya in an extortion payment. Later, the hackers aimed to charge individual companies between $100,000 and $500,000.

More info on the Kaseya vsa attack

After the bold ransomware attack led by the REvil cyber criminal gang, CISA and the FBI emerged with guidance for affected enterprises.

The REvil cyber gang assumed responsibility for the massive ransomware attack that hit Kaseya Ltd. The actors behind the attack allege that it disrupted 1 million systems tied to Kaseya services and it requested $70 million bitcoin in exchange for decryption tools. Hundreds of organizations were affected.

The attack was dubbed the largest ransomware attack on record. Firms in the financial services, travel and public sector were affected across 17 countries. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) provided support to affected organizations.

This software supply chain attack is believed to have touched as many as 1,500 firms, including managed service providers (MSPs), which manage networks on behalf of other firms.

Kaseya vsa attack, deep-dive

The REvil cyber gang left a message in an online forum, indicating their culpability. The message read:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims ‘readme’ file instructions. – REvil.” People eagerly awaited the delivery of the Kaseya vsa patch.

According to a detailed analysis, REvil emerged in April of 2019, after the GandCrab cyber gang disbursed. The REvil ransomware group has made appearances on underground forums for years. It’s known for its Ransomware-as-a-Service (RaaS) operations.

CISA and FBI: Kaseya update

The FBI released a statement making known their investigation into the attack in tandem with CISA.

“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities,” read a security alert.

Since then, the FBI updated guidance, telling affected companies to adhere to newly developed mitigations. Attacks should also be reported to the FBI and CISA, they said.

“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov.”

CISA recommends the following mitigations (Kaseya vsa patch included)

  • Download the Kaseya VSA Detection Tool. Systems can be analyzed for indicators of compromise (IoC) via this tool.
  • Deploy and enforce multi-factor authentication (MFA) on accounts that are under your organization’s control; especially for customer-facing services.
  • Implement allow listings, which can limit communication with remote monitoring and management (RMM) capabilities.
  • In addition, keep administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated admin system.
  • *Update: Kaseya has released several vsa patches to help remediate issues. Install the appropriate Kaseya vsa patch update.

Analysis of attack

An analysis of the attack found that the attackers hit systems by initially deploying a malicious dropper via a PowerShell script. This was executed via Kaseya’s software.

The script disables Microsoft Defender for Endpoint protection features. It then leverages the certutil.exe utility to identify a malicious executable (agent.exe). This drops a Microsoft binary and malicious library, which make up the REvil ransomware. A side-loading technique is then used to load the legitimate Microsoft binary.

For more insights into the Kaseya attack, it’s impact, security monitoring,  patch management, Kaseya vsa patch rollout information…etc., click here.