Published: July 02 , 2021 on our newsletter Security Fraud News & Alerts Newsletter.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is working to understand a ransomware attack on the widely used IT management company, Kaseya. In an advisory, Kaseya strongly urged MSPs to immediately shut down “on-premises VSA servers amid a potential cyberattack that may be targeting the RMM (remote monitoring and management) software.” In the meantime, Christopher Krebs, former director of CISA, tweeted “If you use Kaseya VSA, shut it down *now*…”
Analysis by Emisoft and Huntress confirmed it was indeed REvil causing the issues and that at least 200 customers of Huntress alone have been affected.
According to Huntress, the ransomware seems to have been embedded in Kaseya VSA, which helped spread REvil. The VSA is used by IT management firms for distributing software updates to customers. However, it isn’t known how it got there in the first place.
As we know now, often malware enters a network via phishing. Always use extreme caution when opening attachments or clicking links from a) unknown senders, b) from untrusted senders, c) that you are not expecting to receive.
This is similar to what happened in the SolarWinds supply chain attack. However, that was used for spying, where this one is being used to hijack the systems.
In addition, researchers from MalwareHuntersTeam have confirmed that a Linux encryptor has been added to the REvil ransomware and is now being used to encrypt Vmware ESXi virtual machines. A researcher explained that this new variant is an ELF64 executable and possesses the same configuration options as does the Windows version.
Once the ESXi servers are executed, the Linux version of the ransomware runs the esxcli command line tool, listing all running ESXi virtual machines and subsequently close the virtual machine disk (VMDK) files stored in the /vmfs/ folder. Then REvil ransomware goes to work encrypting the files.
The cybercriminal gang is believed to be operating out of Eastern Europe or Russia.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at email@example.com