Ransomware
IT Management Platform Kaseya Hit With Sodinokibi/REvil Ransomware Attack
Kaseya has been hit with a REvil (aka Sodinokibi) ransomware attack at the dawn of the Fourth of July weekend. The attack was geared toward their on-premises VSA product.
Update as of July 23, 1:48 a.m. EDT: Kaseya, with the help of a third party, has obtained a decryptor tool for the victims of the ransomware attack.
Update as of July 13, 1:34 a.m. EDT: Kaseya released its patch on July 11, 4:30 p.m. EDT. As of July 12, 7:30 a.m. EDT, its SaaS is now 100% online.
Update as of July 6, 10:37 p.m. EDT: Trend Micro released a free assessment service that checks environments for the presence of Kaseya vulnerabilities that are related to this attack.
Update as of July 6, 12:02 a.m. EDT: Kaseya has confirmed that a patch will be available after its SaaS servers go online.
Update as of July 5, 1:48 a.m. EDT: The Dutch Security Hotline (DIVD CSIRT) has identified CVE-2021-30116 as one of the zero-day vulnerabilities used in the ransomware attacks. The Kaseya vulnerability was found as part of research conducted into system administration tools; Kaseya and DIVD-CSIRT were working on a coordinated disclosure release before this incident. In addition, reports of REvil pushing for a deal for a universal decryptor have also surfaced.
Kaseya, a company that provides IT management software to managed service providers (MSPs) and IT companies, has been hit with a REvil (aka Sodinokibi) ransomware attack at the dawn of the Fourth of July weekend, as reported in the company’s own announcement.
The company describes it as a “sophisticated cyberattack” that was geared toward its on-premises VSA product. The company advised all its customers to shut down their on-premises VSA servers until further notice.
Kaseya has decided to also immediately shut down its software-as-a-service (SaaS) servers as a conservative security measure while investigations are ongoing.
At It Again: REvil Ransomware Actors
Though technical information about the attack has yet to be released by Kaseya as of this writing, the Cybersecurity and Infrastructure Security Agency (CISA) shared that Kaseya’s VSA software was used to push a malicious script.
The VSA software, which is typically used to distribute software updates to customers, was weaponized to push a malicious PowerShell script, which then loaded the REvil ransomware payload onto customer systems. It’s also important to note that non-Kaseya customers could also be affected via their service providers.
The Sodinokibi/REvil ransomware (detected as Ransom.Win32.SODINOKIBI.YABGC) that affected Kaseya VSA disables certain services and terminates processes related to legitimate software such as browsers and productivity applications. Specifically, it terminates the following processes:
- agntsvc
- dbeng50
- dbsnmp
- encsvc
- excel
- firefox
- infopath
- isqlplussvc
- msaccess
- mspub
- mydesktopqos
- mydesktopservice
- ocautoupds
- ocomm
- ocssd
- onenote
- oracle
- outlook
- powerpnt
- sqbcoreservice
- sql
- steam
- synctime
- tbirdconfig
- thebat
- thunderbird
- visio
- winword
- wordpad
- xfssvccon
Sodinokibi terminates itself if it detects the operating system language to be any of the following:
- Arabic – Syria
- Armenian Eastern
- Azeri Cyrillic
- Azeri Latin
- Belarusian
- Georgian
- Kazakh
- Kyrgyz Cyrillic
- Romanian – Moldova
- Russian
- Russian – Moldova
- Syriac
- Tajik
- Tatar
- Turkmen
- Ukranian
- Uzbek Cyrillic
- Uzbek Latin
The REvil ransomware is believed to be the successor of GandCrab, and is known for targeting high-profile victims and employing double extortion tactics to push victims into paying ransom. REvil actors were also behind recent massive ransomware attacks that targeted meat supplier JBS.
Security Recommendations and Trend Micro Detections, Solutions
While investigations are still underway, it’s important for affected users to follow Kaseya’s guidance on keeping their systems protected from further compromise. As of July 3, 2021, 9 p.m. EDT, the company has advised that all on-premises VSA servers should be shut down and should be restarted only after a patch is deployed.
Because ransomware can have multiple entry points and encryption capabilities, both a good backup policy and a multilayered approach to security are necessary for enterprises to defend their networks and protect their business-critical data:
- Email and web protection prevent ransomware from entering your network by blocking spam and access to malicious links.
- Server protection protects servers from exploitable vulnerabilities.
- Network protection shields your network by preventing ransomware from spreading from server to endpoint or from endpoint to endpoint.
- Endpoint protection shields endpoints by preventing ransomware from running.
Trend Micro solutions provide an effective first line of defence against the ransomware through predictive machine learning (ML) and behaviour monitoring capabilities. The full details are featured in our security alert.
Observed indicators of compromise (IOCs)
- Ransomware encryptor is dropped by {Path}\agent.exe, detected as Trojan.Win32.SODINSTALL.YABGC, via DLL Side-loading technique using a legitimate executable to load a malicious DLL (Ransom.Win32.SODINOKIBI.YABGC)
- The VSA procedure is named “Kaseya VSA Agent Hot-fix”.
- At least two specific tasks, encryption and process termination, run what appears to be a specific PowerShell script with the encryptor mentioned previously.
SHA-256 | Filename | Trend Micro Detection Name |
D55f983c994caa160aec63a59f6b4250fae67fb3e8c43a388aec60a4a6978e9f1e | Agent.exe | Trojan.Win32.SODINSTALL.YABGC |
E2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 | mpsvc.dll (Side-loaded DLL) | Ransom.Win32.SODINOKIBI.YABGC |
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fae49d90ae759dd | mpsvc.dll (Side-loaded DLL, alternate version) | |
2093c195b6c1fd6ab9e1110c13096c5fae130b75a84a27748007ae52d9e951643 | Agent.crt | Trojan.Win32.SODINSTALL.YABGC |
All of these specific files are currently detected by Trend Micro antimalware solutions.
Trend Micro is also actively blocking several known malicious domain disease vectors that are associated with the campaign via Trend Micro Web Reputation Services (WRS). Trend Micro products with predictive machine learning (ML) and behaviour monitoring also help detect and block this threat.
To keep up with the ever-evolving ransomware landscape, organisations need to have a multilayered cybersecurity defence system. It’s equally important to avoid siloed threat information from their networks, endpoints, emails, and servers. This can be achieved by having visibility over all disparate security layers.
Trend Micro Vision One™ is a purpose-built threat defence platform that provides added value and new benefits beyond extended detection and response (XDR) solutions, allowing organisations to see more and respond faster. Providing deep and broad XDR capabilities that collect and automatically correlate data across multiple security layers — email, endpoints, servers, cloud workloads, and networks — Trend Micro Vision One prevents the majority of attacks with automated protection.