The REvil cybergang has claimed responsibility for the large ransomware attack on Kaseya Limited, an IT management software vendor whose VSA product is widely used by managed service providers (MSPs). The attack is being described as the largest ransomware incident on record, with financial services, tourism, retail and government computer systems in several countries affected. The attackers claim to have infected more than a million computers managed through Kaseya VSA and are demanding $70 million in bitcoin for a universal decryptor. Federal authorities estimate the number of affected enterprises to be in the thousands.

The infamous cybergang REvil claimed responsibility for the attack in a post on its dark-web leak site on Sunday. The message read:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims “readme” file instructions.” – REvil.

The gang (also known as the Sodinokibi ransomware group) has been operating since April 2019, around the time the GandCrab operation shut down, according to a detailed investigation of the REvil attack by Kaspersky. “REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific Ransomware as a Service (RaaS) operations,” researchers wrote.

Later, Deputy National Security Advisor Anne Neuberger issued a statement saying that US President Joe Biden had “directed the full resources of the government to investigate this incident” and urging anyone who believes they have been compromised to contact the FBI.

Separately, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) offered support to those affected by the attack.

“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities,” according to a security alert.

“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately and report your compromise to the FBI.”

Kaseya’s helpdesk advisory stated:

“On Friday, July 2nd, Kaseya received reports from customers and others suggesting unusual behavior occurring on endpoints managed by the Kaseya VSA on-premises product. Shortly thereafter, customer reports indicated that ransomware was being executed on endpoints. In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure.

The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified.

Mandiant was quickly engaged to investigate the incident. We have been actively engaged with Mandiant to assess the manner and impact of the attack. We are also cooperating with federal law enforcement to ensure that they have the information they need to investigate this attack. Below, we provide some of the technical details that we have been able to confirm in the course of the investigation.

To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found any evidence that any of our SaaS customers were compromised.

We have begun our restoration process and are developing and readying for deployment to our VSA customers a fix for this issue. On July 3rd, Kaseya released a Compromise Detection Tool to customers. This tool analyzes the user’s system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IOC) are present. To date, over 2,000 customers have downloaded the tool. Updates on this are being posted at the following link: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689. We are working to bring our SaaS environment up safely and provide an update for on-premises customers.

We know there is a lot of information circulating about this incident. Some of it is accurate, much of it is not. We will continue our efforts to keep you updated as we have solid, actionable information to share.”
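Kaseya’s statement describes its Compromise Detection Tool only in outline: it scans a VSA server or managed endpoint and reports whether any indicators of compromise are present. As an added illustration, not Kaseya’s tool or code, the following Python script shows the core of such a sweep: walk a file tree and match each file against an indicator list both by SHA-256 hash and by filename. Every indicator value, filename and sample file in it is a constructed placeholder, not a real Kaseya or REvil artifact; a real sweep would load vendor-published indicators and also check process, service and registry artifacts that this example omits.

```python
"""Minimal host IOC sweep: hash-based and filename-based matching.

Added illustration of what a compromise-detection tool does at its core.
All indicator values below are constructed placeholders, NOT real
Kaseya or REvil indicators.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed placeholder indicators (assumption: hypothetical values only).
# Keyed by SHA-256 hex digest -> human-readable label.
IOC_SHA256 = {
    hashlib.sha256(b"placeholder dropped payload").hexdigest(): "placeholder-payload",
}
# Filenames an attacker must keep for the tooling to work are worth matching
# even when the file contents (and hence the hash) have been altered.
IOC_FILENAMES = {"placeholder_dropper.exe", "placeholder_sideload.dll"}


@dataclass
class Hit:
    path: str
    reason: str


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path) -> list[Hit]:
    """Walk `root` and return every file matching an indicator by name or hash."""
    hits: list[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() in IOC_FILENAMES:
                hits.append(Hit(str(p), f"filename match: {name}"))
            try:
                digest = sha256_of(p)
            except OSError:
                # Locked or unreadable file on a live host: skip it and keep
                # sweeping rather than abort and lose the other results.
                continue
            if digest in IOC_SHA256:
                hits.append(Hit(str(p), f"hash match: {IOC_SHA256[digest]}"))
    # os.walk order is filesystem-dependent; sort for stable output.
    return sorted(hits, key=lambda h: (h.path, h.reason))


def build_sample_tree(root: Path) -> None:
    """Constructed sample filesystem so the script runs stand-alone."""
    (root / "benign.txt").write_bytes(b"nothing to see")
    (root / "sub").mkdir()
    # Known payload content under an unrelated name: caught by hash only.
    (root / "sub" / "renamed.bin").write_bytes(b"placeholder dropped payload")
    # Known filename with altered content: caught by name only.
    (root / "sub" / "Placeholder_Dropper.exe").write_bytes(b"something else")


def demo() -> list[Hit]:
    """Run the sweep over the constructed tree and return the hits."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.reason:40s} {hit.path}")
```

Matching on both hash and name is deliberate: a renamed copy of a known payload is caught by its hash, while a payload whose bytes have been changed (and so has a new hash) can still be caught by a filename the attack chain depends on. Unreadable or locked files are skipped rather than aborting the sweep, since a locked file on a live host is common and the remaining results are still useful.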