Malware analysis

REvil ransomware: Lessons learned from a major supply chain attack

October 5, 2021 by Greg Belding

One of the most widely reported recent ransomware attacks involved the REvil ransomware gang leveraging security flaws in Kaseya VSA to launch one of the largest ransomware attacks in history. As ingenious as the plan was, few victim organizations paid the ransom to get their files back. Why did one of the largest ransomware attacks in history pay off so poorly for its operators?


How did the REvil ransomware attack happen?

On July 2, 2021, REvil launched a massive ransomware attack on approximately 1,500 businesses and encrypted them all in one fell swoop. The attack targeted Kaseya VSA, a remote management solution used by managed service providers (MSPs) to manage their customers’ systems and support. Kaseya VSA can be deployed either as a cloud-based SaaS offering or as an on-premises server. REvil targeted the on-premises servers, using a zero-day vulnerability to infect 60 MSPs. Kaseya VSA holds administrator rights on the client systems it manages, so once an MSP’s VSA server is compromised, the clients’ systems can be infected as well.

The result was a worldwide ransomware attack that mainly affected the retail sector, along with any other sector unfortunate enough to rely on MSPs using Kaseya VSA to manage their client systems. For example, Coop, a retail/grocery chain in Sweden, had to shut down 800 store locations because its Point of Sale (PoS) devices were managed through Kaseya, and the ransomware took those PoS devices out of commission. This is just one example, but it shows the breadth of the attack’s reach.

This may lead you to think that this was one of the costliest ransomware attacks in history, but not so fast. It turns out that despite its broad reach, only two companies paid the REvil ransomware gang to have their files decrypted. This likely raises a lot of questions, and the lessons learned presented below will help fill in the gaps of this story and show why this historically broad attack ended up as a failure for the ransomware group.

Takeaways from the REvil Kaseya ransomware attack

This ransomware attack has some lessons baked into it that will benefit many organizations. It also serves as a good “teaching moment” for what happens when you do things the wrong way – on the side of the ransomware gang and on the side of Kaseya VSA as well. Below are the lessons we can glean from it.

Don’t stray too far from the tried-and-true

Possibly the most striking lesson to be learned from the REvil ransomware attack on Kaseya client systems is the gang’s straying from tried-and-true tactics and procedures. The most important of these in this case were stealing data and deleting data backups. Typically, ransomware attacks involve proving that the target organization’s data has been stolen (and its backups deleted). This gives the organization a solid incentive to pay the ransom to get access to its data restored. Instead, the REvil ransomware attack neither stole data nor deleted the target clients’ data backups.

Other departures from the standard ransomware attack playbook were that REvil did not have unfettered access to victim networks and relied on automation to delete client backups. It should be noted that this method did not work, and backups were not deleted.

This deviation from standard ransomware tactics and procedures was the biggest saving grace for impacted organizations. Two organizations did pay up – with one victim paying $220,000 to recover their encrypted data. However, that is it. Skipping this tried-and-true ransomware step meant that the ransomware group did not have much leverage over its victims.

Listen to vulnerability reports

Kaseya technically does not have clean hands here, as it was notified well in advance of vulnerabilities in VSA and took only partial measures to fix them. In April 2021, the Dutch Institute for Vulnerability Disclosure (DIVD) reported seven vulnerabilities to Kaseya. These vulnerabilities were:

  • CVE-2021-30116
  • CVE-2021-30117
  • CVE-2021-30118
  • CVE-2021-30119
  • CVE-2021-30120
  • CVE-2021-30121
  • CVE-2021-30201

Kaseya’s response entailed patching its VSA SaaS offering but not the on-premises server version. While researchers have not been able to determine this with 100% certainty, it is believed that a combination of CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120 was used in the attack.

Don’t neglect your backups

Researchers investigating the REvil ransomware attack have noted that the organizations that paid the ransom had poor backups to begin with. It may come off as slightly “Information Security 101.” Still, it should be stressed that having a strong data backup plan in place will help your organization avoid having to pay the ransom after a similar attack. Remember, REvil did not actually delete any backups, so impacted organizations simply had to restore from the latest backup to recover the vast majority of their data.
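A backup plan only pays off if the backups are still intact and recent when you need them. The following Python script is an added example, not code from the original article and not a Kaseya or REvil artifact: it records a SHA-256 manifest of a backup set at backup time and verifies the set later, flagging files that are missing, altered (as they would be if an encryptor had overwritten them) or older than an assumed retention window. The manifest file name, the directory layout and the sample files are all constructed for the demo and run in a temporary directory.

```python
"""
Backup integrity and recency check (added example; not from the original
article). Writes a SHA-256 manifest for a backup set and verifies it later.
A restore drill that fails here (missing or altered files, stale backup) is
the signal that the backup plan would not save you after a ransomware event.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed manifest file name for this example


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record hash and size of every file in the backup set, plus creation time."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(backup_dir).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    manifest = {"created": time.time(), "files": entries}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, max_age_seconds: float = 7 * 86400) -> dict:
    """Return a report listing missing, altered and extra files and a staleness flag.

    Extra files are reported but do not fail the check; missing or altered files
    and a backup older than max_age_seconds do.
    """
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    expected = manifest["files"]
    report = {"missing": [], "altered": [], "extra": [], "stale": False}
    seen = set()
    for p in sorted(backup_dir.rglob("*")):
        if not p.is_file() or p.name == MANIFEST_NAME:
            continue
        rel = p.relative_to(backup_dir).as_posix()
        seen.add(rel)
        if rel not in expected:
            report["extra"].append(rel)
        elif sha256_file(p) != expected[rel]["sha256"]:
            report["altered"].append(rel)
    report["missing"] = sorted(set(expected) - seen)
    report["stale"] = (time.time() - manifest["created"]) > max_age_seconds
    report["ok"] = not (report["missing"] or report["altered"] or report["stale"])
    return report


def demo() -> tuple:
    """Constructed scenario: a clean backup verifies; then one file is overwritten
    with random bytes (as an encrypting ransomware would leave it) and one file is
    deleted, and verification reports both."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")
        (backup / "config.ini").write_bytes(b"[pos]\nstore=42\n")
        write_manifest(backup)
        clean = verify_backup(backup)
        # simulate damage: encrypted-looking contents replace one file, another is gone
        (backup / "db" / "orders.sql").write_bytes(os.urandom(32))
        (backup / "config.ini").unlink()
        tampered = verify_backup(backup)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup ok:", clean["ok"])
    print("damaged backup ok:", tampered["ok"], tampered)
```

Run the verification from a host that is not the backup target itself, and keep the manifest (or at least its hashes) on separate, write-once storage; a manifest that sits next to the backups can be rewritten by whatever rewrites the backups.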


Lessons learned from REvil ransomware attacks

The REvil ransomware attack on Kaseya VSA client systems was unprecedented, impacting 60 MSPs and 15,000 client organizations. Despite this scale, only two organizations paid the ransom REvil demanded. This case should serve as a teachable moment for everyone about what happens when you overlook the basics.


Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.