How StreamScan Protects Against Kaseya-Type Ransomware Attacks

The threat

On the night of July 2, 2021, at 2:00 a.m., Kaseya announced that it had suffered a ransomware attack targeting its VSA technology. VSA is a popular computer network management technology used by organisations and IT outsourcing service providers worldwide.

It’s no coincidence that the attack occurred over the 4th of July weekend, a long weekend in the US. This gave the hackers time to propagate the attack and increase the number of organisations it could infect. The bigger the impact, the higher the ransom the hackers can demand. On July 5, 2021, Kaseya reported that between 800 and 1,500 organisations had potentially been affected.


Reaction from Kaseya

Following the first detection, Kaseya, together with a specialised incident response firm and with the support of U.S. authorities (FBI, CISA, etc.), launched an investigation and, to contain the infection, recommended shutting down all VSA instances in production. Organisations using VSA were notified, and Kaseya set up a web page to track the investigation.

The attackers exploited zero-day vulnerabilities in the VSA tool to bypass authentication and execute malicious commands, which allowed the ransomware to be deployed on servers and machines on the networks of organisations using VSA.

Investigations quickly identified the ransomware's indicators of compromise (IOCs), which allowed Kaseya to develop an analysis tool to identify networks compromised by the ransomware. The tool can be downloaded here: https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40

In parallel, Kaseya developed a patch that it made available a few days later.

The attack was attributed to the REvil group, which made an initial ransom demand of US$70 million to decrypt the data of all impacted organisations. It was taken down quickly. On July 23, 2021, Kaseya made a universal ransomware decryptor available so that impacted organisations could decrypt their data. Although organisations could decrypt their machines, the impact in extra cost and lost productivity was immense.


What Can We Learn from this Attack?

This attack, like the SolarWinds attack in 2020, shows a paradigm shift in ransomware. There is a clear move by the most structured groups towards large-scale targeted attacks that collect large amounts of ransom money quickly, even if this puts them on the radar of the authorities. This includes supply chain attacks, especially on software that is widely used in organisations. Organisations must therefore take this risk into account today, as it will only increase in the future.

Less structured groups, or those with limited resources, continue to carry out random attacks in the hope of finding victims who will agree to pay a ransom. Ransom payment, which is still taboo, paradoxically remains the lever that allows hackers to organise themselves better, launch larger attacks and claim more victims.


How Did StreamScan Protect Its Partners?

Once the attack was reported, as per our standard operating procedure, StreamScan set up a crisis management team to monitor the progress of Kaseya’s investigation over the July 4th long weekend and the following days. We alerted our customers immediately and ensured that the recommended containment measures were implemented as soon as possible across all the networks we monitor.

Our Managed Detection and Response (MDR) team increased the monitoring levels across all networks. Our threat hunters scanned the networks for any suspicious movement or signals related to the attack.

As soon as the Indicators of Compromise (IOCs) were known, we added them to our Cyberthreat Detection (CDS) technology, which allowed us to optimise monitoring of inbound/outbound traffic to the Command and Control (C&C) servers involved in distributing this ransomware. The IOC list can be found here.

At the same time, we gained access to copies of the malware involved in the attack, whose SHA-256 hashes are:

  • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • D55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

We analysed these files in our reverse engineering lab and concluded that the ransomware belongs to the Sodinokibi family, which isn’t new to us. In fact, our incident response team has helped several organisations recover from this ransomware over the past few years.
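As an added illustration (not StreamScan's CDS or Kaseya's analysis tool, and not code from the original post), here is the file-hash sweep that an IOC list like the one above enables: walk a directory tree, compute each file's SHA-256 and report any file whose digest matches one of the three published hashes. The third digest is published with a mixed-case prefix, so the comparison normalises case first; the directory and sample files used in testing are constructed.

```python
import hashlib
import os
from pathlib import Path
from typing import Iterable

# SHA-256 IOCs quoted in the post above. The third value is published with a
# mixed-case prefix, so every hash is normalised to lowercase before comparison.
KASEYA_IOC_SHA256 = {
    "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
    "D55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
}


def normalise_iocs(iocs: Iterable[str]) -> set[str]:
    """Lowercase and validate each hash; a malformed entry raises instead of silently never matching."""
    out = set()
    for h in iocs:
        h = h.strip().lower()
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, iocs: Iterable[str] = KASEYA_IOC_SHA256) -> list[tuple[str, str]]:
    """Walk `root` and return (path, sha256) for every regular file whose digest is in the IOC set."""
    wanted = normalise_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks, devices and sockets rather than follow links out of scope
            try:
                h = sha256_file(p)
            except OSError:
                continue  # unreadable file: a production sweep would log this, here it is skipped
            if h in wanted:
                hits.append((str(p), h))
    return hits
```

A hash match is a strong but narrow signal: a recompiled or repacked sample has a different digest, which is why the behavioural patterns mentioned later in the post matter alongside hash IOCs.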

We evaluated the ability of our CDS to detect this variant of Sodinokibi. Even before this incident, our CDS technology already included several ML/AI behavioural models for Sodinokibi as well as detection signatures. During the evaluation, CDS generated several security events related to the execution of the current variant of the Sodinokibi ransomware. This confirmed its ability to detect this ransomware, which remains one of the most active and aggressive since 2020.

We also extracted additional behavioural detection patterns from the network and host IOCs, which we fed into our CDS.

Our MDR centre maintains its vigilance. Organisations that have acquired the StreamScan CDS and manage it themselves are also protected.


How Does StreamScan’s MDR Provide Fast, Effective Defence Against Malware?

  • We establish a crisis unit to ensure clients aren’t at risk
  • We accelerate the deployment of countermeasures for our partners
  • Our expertise in reverse engineering malware and intrusion detection lets us quickly identify the problem and create detection models to protect our clients.
  • Using our own CDS, we are able to respond much more quickly than MDR providers using third-party software.
  • We keep our customers updated on developments, and we make recommendations that go beyond basic responses to help you secure your network going forward.


Find out how our CDS and MDR service can keep your network safe

We're confident that you won't want to leave your network unprotected after seeing the results of our monitoring. That's why we offer a free 30-day evaluation that includes:

  • An information session
  • Configuration of the CDS in your network
  • Free 30-day evaluation and proof of value

Get in touch with us to start your trial at smbsecurity@streamscan.ai or call us at 1 877-208-9040.