IT Management Platform Kaseya Hit With Sodinokibi/REvil Ransomware Attack
The Problem
The Cybersecurity and Infrastructure Security Agency (CISA) shared that Kaseya's VSA software was used to push a malicious PowerShell script. The VSA software, which MSPs typically use to remotely distribute software updates and to provide cloud-based monitoring for their customers, was weaponized.
The Analysis
REvil will fingerprint the target machine and gather system information. Before beginning the encryption routine, REvil will kill certain processes, such as email clients, SQL or other database servers, browsers, and Microsoft Office applications, so that the important files those processes hold open are no longer locked and can be encrypted.
Business Impact
A universal decryptor that could be used to free all the victims (all the customers of Kaseya's customers), and that would save the attackers the bother of negotiating with each of up to 1,500 victims separately, is being sold for USD 70 million in bitcoin as ransom.
Like decryptor[.]cc and decryptor[.]top in previous REvil/Sodinokibi versions, decoder[.]re is used to give victims access to the threat actors' website for further negotiations should their connection via Tor be limited. Decoder[.]re resolves to IP 82.14634.4 (AS2g182), belonging to a Russian ISP/cloud hosting company.
CISA and the FBI also issued guidance for MSPs and their customers affected by the Kaseya VSA supply-chain ransomware attack, including the following:
Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
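The following is an added example, not code from Metmox, Kaseya or CISA, showing what the allowlisting control above looks like when applied to connection records: agent traffic is permitted only for known (site network, RMM server) pairs, and the administrative interface is reachable only from a dedicated admin/VPN network. The server address, ports, networks and the log records are all constructed values assumed for this example.

```python
import ipaddress

# Constructed policy (assumed values, not a real Kaseya deployment):
# each managed-site network may talk only to its designated RMM server, and
# the RMM administrative interface is reachable only from the admin network.
RMM_SERVER = ipaddress.ip_address("10.1.5.10")
AGENT_PORT = 5721          # assumed agent check-in port
ADMIN_PORT = 443           # assumed administrative web interface port
ALLOWED_PAIRS = [
    (ipaddress.ip_network("10.20.0.0/16"), RMM_SERVER),     # site A agents
    (ipaddress.ip_network("192.168.50.0/24"), RMM_SERVER),  # site B agents
]
ADMIN_NET = ipaddress.ip_network("10.99.0.0/24")  # VPN / dedicated admin network

# Constructed connection records: "src_ip dst_ip dst_port"
SAMPLE_CONNECTIONS = """\
10.20.3.7 10.1.5.10 5721
192.168.50.20 10.1.5.10 5721
203.0.113.45 10.1.5.10 5721
10.20.3.7 10.1.5.10 443
10.99.0.12 10.1.5.10 443
10.20.3.7 10.1.6.99 5721
"""


def evaluate(src, dst, port):
    """Return 'allow' or a deny reason for one connection under the policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if port == ADMIN_PORT:
        # Admin interface: only the dedicated admin network may reach it,
        # even though agents are otherwise allowed to talk to the server.
        if src_ip in ADMIN_NET and dst_ip == RMM_SERVER:
            return "allow"
        return "deny: admin interface reached from outside admin network"
    if port == AGENT_PORT:
        for net, server in ALLOWED_PAIRS:
            if src_ip in net and dst_ip == server:
                return "allow"
        return "deny: unknown agent/server pair"
    return "deny: unexpected port"


def audit(text):
    """Apply the policy to each record; returns a list of (record, verdict)."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        results.append((line, evaluate(src, dst, int(port))))
    return results


if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_CONNECTIONS):
        print(f"{record:32} {verdict}")
```

Run as-is, the records from an unknown public address, from an agent network to the admin port, and to an unlisted server are all denied; only the two known agent pairs and the admin-network session are allowed. The same pair list is what would be expressed in the firewall in front of the RMM server.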
Metmox's Approach to detection of REvil
As a part of our threat detection and response services, we have proactively set up use cases/alert policies to detect the following:
- Registry Run Keys / Startup Folder: new startup program creation.
- Modification of the Services registry location, which changes a service's autorun value in the registry.
- Alert if a process:
  - reads the computer name
  - checks supported languages
  - reads environment values
  - changes Internet zone settings
- Manual execution of any executable/process by the user.
- Renaming of file names and extensions.
- Attempts to create a hardlink to a file.
- Detection of encryption activity.
- Windows Registry, process monitoring, and process command-line parameters.
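As an added example, not Metmox's detection content, the rule engine below runs several of the use cases listed above, plus the pre-encryption process killing described in The Analysis, over a handful of constructed endpoint events: autorun registry changes (Run keys and the Services hive), a single process terminating several database, mail and Office processes, hardlink creation, and a burst of renames that append a new extension to document files, which is the file-system footprint of encryption. The event shape is Sysmon-like but assumed for this example, and the paths, pids, process names and thresholds are constructed values, not indicators from the incident.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape. The field names and the
# pid/path values are assumed for this example, not a real product's schema.
SUSPECT_IMAGE = "C:\\Windows\\Temp\\agent.exe"  # hypothetical dropper path
EVENTS = [
    {"type": "registry_set", "pid": 4412, "image": SUSPECT_IMAGE,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "value": SUSPECT_IMAGE},
    {"type": "registry_set", "pid": 4412, "image": SUSPECT_IMAGE,
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start",
     "value": "4"},
    {"type": "process_terminate", "pid": 4412, "image": SUSPECT_IMAGE, "target": "sqlservr.exe"},
    {"type": "process_terminate", "pid": 4412, "image": SUSPECT_IMAGE, "target": "OUTLOOK.EXE"},
    {"type": "process_terminate", "pid": 4412, "image": SUSPECT_IMAGE, "target": "WINWORD.EXE"},
    {"type": "file_link", "pid": 4412, "image": SUSPECT_IMAGE,
     "src": "C:\\Users\\a\\Documents\\q1.xlsx", "dst": "C:\\Users\\a\\Documents\\q1.xlsx.lnk"},
] + [
    {"type": "file_rename", "pid": 4412, "image": SUSPECT_IMAGE,
     "src": f"C:\\Users\\a\\Documents\\report{i}.docx",
     "dst": f"C:\\Users\\a\\Documents\\report{i}.docx.k3jd8"}
    for i in range(6)
] + [
    # Benign single rename by the user's shell: must not fire.
    {"type": "file_rename", "pid": 1200, "image": "C:\\Windows\\explorer.exe",
     "src": "C:\\Users\\a\\Documents\\draft.docx",
     "dst": "C:\\Users\\a\\Documents\\final.docx"},
]

# Registry locations whose modification establishes persistence / autorun.
AUTORUN_KEY_FRAGMENTS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\",
                         "\\CurrentControlSet\\Services\\")
# Processes ransomware typically terminates so their open files can be encrypted.
KILL_TARGETS = {"sqlservr.exe", "mysqld.exe", "outlook.exe", "thunderbird.exe",
                "winword.exe", "excel.exe", "chrome.exe", "firefox.exe"}
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg"}


def new_extension_appended(src, dst):
    """True when dst keeps the whole original file name and appends a further
    suffix in the same directory (report.docx -> report.docx.k3jd8), the
    pattern produced by file encryption rather than by an ordinary rename."""
    src_dir, src_name = ntpath.split(src)
    dst_dir, dst_name = ntpath.split(dst)
    return (src_dir == dst_dir and dst_name.startswith(src_name + ".")
            and ntpath.splitext(src_name)[1].lower() in DOCUMENT_EXTS)


def detect(events, rename_threshold=5, kill_threshold=3):
    """Evaluate the use cases over an event stream; returns (rule, pid, detail)."""
    alerts = []
    kills = defaultdict(set)    # pid -> distinct sensitive processes it killed
    renames = defaultdict(int)  # pid -> renames that look like encryption
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "registry_set" and any(f in ev["key"] for f in AUTORUN_KEY_FRAGMENTS):
            alerts.append(("autorun_change", pid, ev["key"]))
        elif kind == "process_terminate":
            target = ev["target"].lower()
            if target in KILL_TARGETS:
                kills[pid].add(target)
                if len(kills[pid]) == kill_threshold:  # fire once per pid
                    alerts.append(("pre_encryption_kill", pid, sorted(kills[pid])))
        elif kind == "file_link":
            alerts.append(("hardlink_create", pid, ev["dst"]))
        elif kind == "file_rename" and new_extension_appended(ev["src"], ev["dst"]):
            renames[pid] += 1
            if renames[pid] == rename_threshold:  # fire once per pid
                alerts.append(("mass_rename_encryption", pid,
                               ntpath.splitext(ev["dst"])[1]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

The kill and rename rules deliberately count per process and fire once at a threshold, so a user closing Outlook or renaming one document never alerts, while a single process that silences three sensitive applications and then appends the same unknown extension to five documents produces two high-confidence alerts carrying its pid and the new extension for the responder.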
Metmox's Cybersecurity Practitioners, Professional Services (PS), and Security Specialists are available to help determine the next steps beyond the guidance for detection of REvil ransomware outlined above.
We provide recommendations, best practices, outcome-based solutions, and value-added tips on how to leverage our services as part of your threat detection and response as we get started.
We are ranked #63 by MSSP Alert 2020 among the top 250 cybersecurity companies in the world. Our Intelligence-Driven, Expert-Led IDEAL Fusion SOC Platform helps security analysts find the needle in the haystack through advanced threat detection and response. Contact us now for reduced security risk and improved security posture delivered to tight deadlines, stringent SLAs, unbeatable prices, 24x7 visibility, and a LIMITED free MSS readiness assessment of your current SOC operations, or visit our website to see what our clients say about us.