The REvil Cyber Attack and its impact on businesses worldwide: A case study

BY
Kiran Vangaveti
.
July 12, 2021

The single biggest ransomware attack in human history just happened: it was no coincidence that the REvil ransomware cyberattack was perpetrated just before the July 4th weekend when a lot of staff would be on leave.

The REvil group, also known as the Sodinokibi ransomware gang piggybacked on the platforms belonging to Managed Service Providers (MSPs), particularly Kaseya, to attack the systems of their multiple clients.

How did this come to be? What lessons can we learn from this attack? Most importantly, how do we protect ourselves from such scenarios which are less inevitable, and more common, today?

This article is a guide for Cybersecurity service providers, organizations, and CISOs, all of whom share the collective burden of ensuring that the next war isn’t waged in the virtual world.

The context, and what we know so far

MSPs provide remote IT services such as system management and updates, network management, backups, etc. and due to the nature of the service, have administrative privileges to company networks across the globe.

The REvil ransomware was likely embedded into a Kaseya update and used the administrative privileges of the platform to infect systems across 22 countries. About 40 MSPs appear to have been targeted. The attack seems to be of Russian origin. However, the small and medium business customers downstream that depend on the services of the MSPs risk being impacted. The number of businesses whose data has been encrypted could possibly run into thousands and this is very much an attack in progress.

According to Kaseya, the attack was limited to their “on-premise” customers, i.e. the organizations that ran their own data centers. In general, several small businesses like architecture firms, plastic surgery centers, dental practices, or libraries seem to have been affected.

Supply chains have also been impacted by this attack. For example, 800 chain stores in Sweden of the company Coop were unable to access their cash registers and had to resort to temporary closures.

Although Kaseya’s cloud-based services that run customer software seem to have been spared, as a precaution, it has also shut down those servers and asked customers to shut down their VSA servers stat. A patch should be made available in the next few days.

Kaseya has also advised their customers to refrain from clicking any links in any communication they may receive that claims to come from the attackers, as they may be weaponized.

Modus Operandi

REvil’s attack chain / execution chain is as below:

  1. Attacker executes a powershell command on the victim machine which attempts to turn off Windows Defender.
  2. Renames Certutil.exe to cert.exe. This is done to evade detection as most EDRs look for certutil execution.
  3. Used Kaseya Agent Monitor to download a base64 encoded file called “Agent.crt”.
  4. Decodes Agent.crt using cert.exe (renamed certutil.exe) command.
  5. Agent.exe is executed which in turn downloads two files MSPMPENG.exe and MPSVC.dll. This MSPMPENG.exe is a genuine but old vulnerable version of Windows Defender.
  6. The vulnerable version of MSPMPENG.exe is launched and MPSVC.dll is side-loaded. Post loading of MPSVC.dll, the DLL hijacks the execution flow of Windows Defender and starts encrypting files on local disk, mapped drives and any removable devices connected.

BluSapphire’s proprietary tool stack successfully detects the following in the REvil attack chain.

REvil Attack Chain

PowerShell command attempts to stop Windows Defender Detected Critical Alert
Renamed CERTUTIL.EXE decodes AGENT.EXE from AGENT.CRT Detected Critical Alert
AGENT.EXE is executed, drops MSMPENG.EXE and MPSVC.DLL into C:\Windows Detected No Alert Needed
MSMPENG.EXE is executed and side-loads the REvil DLL Detected No Alert Needed
Files are encrypted, ransom note createds Detected and Stopped Critical Alert
Netsh.exe turns on network discovery Detected High Alert

As a result, this attack has not been successfully executed in any BluSapphire Elite customer environment.

REvil “ransomware as a service,” or RaaS, has been touted on the dark web and underground forums for at least three years. In other words, it develops the software and leases it to partners who use it to infect targets in exchange for ransom.

The perpetrators are believed to have netted over $100 million from their 2020 exploits alone. A majority of ransomware victims do not report attacks or make it public whether they have paid the ransom.

What it means for companies: Future outlook

“IT interdependence” makes such attacks possible, because rarely does any organization operate in isolation with regards to its IT and infrastructure setup. A shared dependency is inevitable, thanks to shared core technologies, internet systems, vendors, suppliers, and so on.

What we need to also be aware of about the REvil attack is the fact that attackers used harmless software and tools to execute the attack- the same tools that we use every single day to run company operations. This just goes to show that the world wide web is indeed just that, and every attack at any point can have ramifications that go far beyond the immediate damage alone.

As we have seen, small businesses that do not often have the right tools in place to protect their system and network environments are the ones most likely to be hit hardest. The only way to truly prevent these attacks is to secure every network and endpoint in a manner that is seamless.

In the meantime, to keep your organization safe against ransomware 2.0 attacks, we recommend:

  • Never exposing remote desktop services (such as RDP) to any public networks and always setting complex, powerful passwords for protection.
  • Wasting no time in installing all available patches for the commercial VPN solutions that are set up to provide access for remote employees, plus those that act as “gateways” to your network.
  • Keeping software updated on all the devices, on-site, as well as those used by employees.
  • Building a defense strategy around detecting any lateral movements. Paying particular attention to outgoing traffic, i.e., data exfiltration to the internet.
  • Backing up data regularly to a secure location that is set up for quick access in a contingency situation.
  • Because attackers most commonly use DNS in their communications with malicious domains, it is important to have DNS security to help block such communications. You also gain visibility into the activity of impacted equipment, which can prove vitally useful in helping customers gauge the scope of the data breach they have been subjected to. This is helpful in mounting a suitable response.

Impact on the individual

Every cyberattack is a reminder to the common man of just how vulnerable their data can be, and to be aware of just what they click on or download. It is imperative to adopt more secure practices as an individual as well as an organization.

Saving data securely to the cloud, having a backup, and instructing every family member who has a device to be careful of what they click or download, or how to recognize a phishing gambit.

If you suddenly encounter order cancellations for no reason or get automated responses that the company is “currently updating their systems,” they may have been among those affected by the attack.

As basic hygiene, we also recommend not reusing passwords on two websites and ensuring that you set and maintain complex passwords for all of your accounts, particularly those that have payment methods attached to them.

Upcoming contingency measures: Latest updates on what you can do

Restoration processes of Kaseya were scheduled to commence around July 6, and lead with data centers in the EU, followed by UK and APAC, and finally North America, however, the timeline has hit a snag.

According to the latest update on the matter, the SaaS systems rollout may happen around the evening of July 8th. A playbook will also soon be published by Kaseya, providing impacted businesses with guidelines to deploy the VSA patch.

In addition, Kaseya has provided a tool that includes the IoC, or Indicators of Compromise. It contains two PowerShell scripts: one that can be used on a VSA server and the other for endpoint scanning. However, these are diagnostic tools and not security fixes or patches. They can only be used to scan for potential risks and vulnerabilities in the system.

If you suspect that you have been attacked during this period, or just wish to run a process to ensure that you are safe, please reach out to us for quick remediation.

We are available on info@blusapphire.net, and on social media channels such as LinkedIn and Twitter.