REvil Ransomware

Responding to Kaseya VSA Vulnerability & REvil Ransomware Attack

This post was last updated on October 6th, 2021 at 03:58 pm

Kaseya notified customers at 4PM on Friday that roughly 40 IT Managed Services Providers (MSPs) had been compromised via a vulnerability in their VSA application. Kaseya provides IT management tools to some 40,000 businesses globally. Because a single MSP might manage IT for hundreds of small businesses, the number of true victims is difficult to confirm, but some experts now consider this the LARGEST synchronized ransomware attack ever conducted, with initial estimates showing over 1,500 businesses impacted worldwide. (It remains to be seen whether the impact exceeds 2017’s WannaCry attack, which hit 200,000 systems in 150 countries.)

VSA is a remote monitoring and management (RMM) solution that helps MSPs monitor and control workstations across their customers. This application is particularly dangerous in the wrong hands because it sits inside the customer’s network and is trusted with system-level privileges across ALL hosts under management. This vulnerability and the subsequent attack enabled the threat actors to rapidly distribute malware and encrypt every host under management for each affected MSP and the customers served by its VSA instance.

How to deal with Kaseya VSA:

This vulnerability affects on-prem (not SaaS) versions of Kaseya VSA. If you run this, shut it down immediately — most organizations we work with have already done so.

While we wait for a patch to be released, hunt for Indicators of Compromise (IOCs). Although Kaseya released a detection tool, we do NOT recommend relying on it, given its simplicity and its inability to detect broader REvil compromise indicators, which change frequently.

Your best option is to scan your network with Infocyte, an MDR platform that combines forensic detection capabilities with MITRE behavioral analytics. Infocyte has been used to detect and respond to this attack in several environments without requiring updates. For those looking for expert help, you can also use Infocyte’s Ransomware Threat Assessment to investigate and eliminate the threat across your entire network.

If you want to start on your own and are looking for a tool to help as soon as possible we’re offering limited Infocyte Platform access for free.

CISA is also working to establish known IOCs and recovery steps here. In the interim, if Ransomware is active or staging, you can use the CISA detection & recovery guides.

Techniques to look out for:

  • Huntress reported the early IOCs and behaviors to look for during an active exploit:
    • The attacker (reported to be REvil) uses PowerShell to disable host defenses (anti-virus) and download the first malware stages. This file is reported to be named: c:\kworking\agent.exe
    • Behaviors:
      • [Random Time Delay] –> "C:\WINDOWS\system32\cmd.exe" /c ping -n 4979 > nul
      • [Disable Malware Protection] –> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      • [Rename System Utility] –> copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
      • [Modify Hash of System Utility] –> echo %RANDOM% >> C:\Windows\cert.exe
      • [Decode Malware] –> C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe
      • [Cleanup Stagers] –> del /q /f c:\kworking\agent.crt C:\Windows\cert.exe
      • [Execute Encryptor] –> c:\kworking\agent.exe

In the initial attack over the weekend, we have not detected additional malware deployed to maintain access to these environments, but doing so is 100% within REvil’s known procedures. With Kaseya VSA instances being taken offline and due to be patched, any VSAs still online will likely be hit with Cobalt Strike or other stealthy remote access tools as well.

  • If they deploy Cobalt Strike or other remote access malware to maintain access to these networks, you can find them by:
    • Scanning live system processes for memory-resident malware
    • Monitoring for suspicious PowerShell and shell activity where the parent process is a system process, and/or
    • Looking for persistence references to PowerShell commands in registry run keys, shortcut locations, and the service manager.
  • All of these actions and behaviors are monitored and alerted on via the Infocyte MDR service. If you’re looking for a tool to help as soon as possible, we’re offering limited Infocyte Platform access for free. Get started here.
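The reported behavior chain above, plus the "shell spawned by a system process" hunt just described, can be turned into simple process-creation rules. The following is an added example written for this post (not Infocyte’s, Huntress’s or Kaseya’s code); it runs over constructed events shaped like Sysmon Event ID 1 (ParentImage, Image, CommandLine), and the parent process path it uses for the staged commands is a placeholder, since the post does not name the spawning process.

```python
import re
# Rules mirror the publicly reported stages above; the parent-process check
# mirrors the hunt advice. Sample events below are constructed, and the
# RMM parent path is a placeholder, not a real Kaseya path.
RULES = [
    ("disable_defender", re.compile(r"Set-MpPreference.*-Disable(RealtimeMonitoring"
                                    r"|IntrusionPreventionSystem|IOAVProtection|ScriptScanning)", re.I)),
    ("ping_sleep", re.compile(r"\bping\b.*-n\s+\d{3,}\b", re.I)),       # ping used as a random delay
    ("copy_certutil", re.compile(r"\bcopy\b.*certutil\.exe", re.I)),    # system utility renamed
    ("append_random_to_binary", re.compile(r"echo\s+%RANDOM%\s*>>\s*\S+\.exe", re.I)),
    ("certutil_decode", re.compile(r"\bcert(util)?\.exe\b.*-decode\b", re.I)),
    ("kworking_path", re.compile(r"c:\\kworking\\", re.I)),             # reported staging directory
    ("delete_stagers", re.compile(r"\bdel\b.*/[qf].*\.crt\b", re.I)),
]
SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wmiprvse.exe", "winlogon.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

def basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (event_index, rule_name) for every rule each event triggers."""
    hits = []
    for i, (parent, image, cmdline) in enumerate(events):
        if basename(image) in SHELLS and basename(parent) in SYSTEM_PARENTS:
            hits.append((i, "shell_from_system_parent"))
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((i, name))
    return hits

def chain_score(hits):
    """Distinct stages seen; several on one host in a short window is a far stronger signal than one command."""
    return len({name for _, name in hits if name != "shell_from_system_parent"})

RMM = "C:\\placeholder-rmm-agent\\service.exe"   # placeholder parent (assumption)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [  # constructed (ParentImage, Image, CommandLine) records
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
    (RMM, CMD, '"C:\\WINDOWS\\system32\\cmd.exe" /c ping -n 4979 > nul'),
    (RMM, PS, PS + " Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -Force"),
    (RMM, CMD, "cmd.exe /c copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe"),
    (RMM, CMD, "cmd.exe /c echo %RANDOM% >> C:\\Windows\\cert.exe"),
    (RMM, "C:\\Windows\\cert.exe", "C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe"),
    (RMM, CMD, "cmd.exe /c del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe"),
    (RMM, "c:\\kworking\\agent.exe", "c:\\kworking\\agent.exe"),
    ("C:\\Windows\\System32\\services.exe", PS, PS + " -NoProfile -Command Get-Date"),
]
```

Alert on `chain_score` rather than on single rules: a lone `ping -n` or `certutil -decode` can be legitimate, but several of these stages on one host within minutes is not.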

The REvil group is known to use benign reconnaissance and intelligence-gathering techniques that safely determine a victim’s defensive capabilities before exploitation. This group tends to avoid well-defended organizations and victims able to find them — those with behavioral detection and response capabilities similar to those provided by Infocyte and our partners. When they do want to attack a defended organization, they use initial stages meant to temporarily disable malware protection before doing so.

Once reconnaissance is performed, they spread fully through the network and begin PR campaigns prior to execution of the encryption/ransom stage. This is an opportunity window for detection and mitigation if you have an active MDR service watching for these steps. Infocyte, for instance, has behavioral rules that identify all of these actions, giving you time to respond and mitigate the more damaging ransom stage.

