REvil ransomware rampages following Kaseya supply-chain attack

Graham Cluley
@gcluley

What’s happened?

Hundreds – if not thousands – of companies have been hit by a huge supply-chain ransomware attack that struck on Friday July 2nd, just as companies in the United States were closing down for the Independence Day holiday weekend.

What makes the attack unusual?

Normally a ransomware attack might impact one organisation. In this attack, however, it appears that many, many companies were hit virtually simultaneously – following the hack of servers belonging to an IT service company called Kaseya – via a poisoned automatic update.

So if my organisation isn’t a customer of Kaseya then we’re safe?

No, not necessarily.

Kaseya’s software is often used by managed service providers (MSPs) to manage clients’ systems. If your corporation relies upon services from an affected MSP then you may also find that your data has been encrypted by the ransomware attack.

Ouch. So how many organisations have been hit?

That is uncertain.

On Sunday night, Kaseya said that it believed the attack had “been localized to a very small number of on-premises customers only.”

Of course, it’s hard to know what Kaseya means by “very small.” The company’s website claims that it has 40,000 customers.

And it’s worth bearing in mind that Kaseya’s figure may not take into account companies using the technology via MSPs.

Security experts at Huntress have estimated that “well over 1,000 businesses” have had their data encrypted.

Meanwhile, the REvil ransomware gang that is responsible for the attack claims on its website that “more than a million systems were infected.” They may, of course, be counting the number of infected PCs rather than the number of impacted organisations. They may also, of course, be lying.

What we do know for certain is that some companies have been hit hard. For instance, Swedish supermarket chain Coop has shut approximately 500 of its stores, as its cash registers do not work.

This sounds pretty bad. How did the hackers manage to breach Kaseya in the first place?

The attackers exploited a zero-day vulnerability in Kaseya VSA, technology which is supposed to help businesses monitor and manage their computer networks and automate software patching. The REvil gang were able to exploit the security hole to push out a bogus software update that installed the ransomware, and encrypted data.

In addition the attack shut administrators out of Kaseya VSA, and attempted to disable security products from a number of vendors.

They seem to have thought of everything.

Which is more than can be said for Kaseya, which told users to configure their security software to exclude folders used by Kaseya and treat Kaseya’s apps as “trusted.”

In retrospect that perhaps wasn’t such a wise idea…

Why has the REvil gang done this?

The usual reason: money. Victims are being told to pay a ransom for a tool to decrypt their data.

According to reports, REvil has been demanding $45,000 to decrypt each infected PC, or $5 million for an entire domain.

In addition, the REvil ransomware gang is offering to make publicly available a decryption tool that will “decrypt files of all victims” for the princely sum of $70 million worth of Bitcoin.

It seems they might be prepared to haggle on the price, however, judging by the conversations some have had with the group…

Is this the biggest ransomware attack of all time?

Quite possibly.

Where can I learn more?

Anything else?

Check out this episode of the “Smashing Security” podcast where I discuss REvil and the Kaseya ransomware attack in greater detail:

Smashing Security #235: 'REvil returns, TikTok grows, and Gettr defaced'

https://aphid.fireside.fm/d/1437767933/dd3252a8-95c3-41f8-a8a0-9d5d2f9e0bc6/da5f537f-b3ee-4944-bb0f-b0e1b357a027.mp3

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
