A massive supply-chain ransomware attack targeting managed service providers (MSPs) who use the Kaseya Virtual System Administrator (VSA) has left data at more than 1,000 companies encrypted and the attackers demanding $70 million in ransom.

The attack—which the REvil ransomware group launched on July 2, just before the US holiday weekend—exploited multiple vulnerabilities, including a zero-day flaw that was in the process of remediation, according to security firms. REvil, a ransomware-as-a-service group, claims that more than a million systems were compromised and encrypted, and posted a ransomware demand to its blog on Sunday, July 4, saying if it receives the $70 million ransom payment, it will publicly publish the decryptor.

The attack underscores the danger that weaknesses in  business supply chains pose to companies, Adam Meyers, senior vice president of CrowdStrike Intelligence, said in a July 3 statement sent to Dark Reading. 

"Make no mistake, the timing and target of this attack are no coincidence," he said. "It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down. What we are seeing now in terms of victims is likely just the tip of the iceberg."

Kaseya and other remote monitoring and management (RMM) providers are ideal targets for attacks, because the software is used by managed service providers and any compromise not only encrypts systems at those firms, but also at their clients' businesses. 

Estimates of the number of victims varied between about 30 managed service providers, according to Huntress Labs, and "fewer than 60 Kaseya customers," according to Kaseya. Yet, the actual impact is much broader, with Huntress Labs estimating more than 1,000 business have been affected, and Kaseya estimating "fewer than 1,500 downstream businesses."

Security firm Kaspersky has detected more than 5,000 attack attempts spread out over 22 countries, the company stated. While the company does not explicitly define "attack attempt," the statistic likely represents attempts to install one of the components of the ransomware at already-compromised businesses as part of the attack chain. Italy topped the list of nations, accounting for more than 45% of attempted ransomware attacks associated with the Kaseya operation, with the United States and Columbia taking the next two positions with about 26% and 15% of the share, respectively.

Kaseya warned MSPs to shut down its software until further notice. 

"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations," Kaseya stated in its latest advisory on the issues. "A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized."

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released guidance for companies, including ensuring backups are up-to-date and moving them to an easily retrievable, off-site location unconnected to the network. In addition, companies should go back to a manual patch management process to shore up defenses, CISA stated. The agency linked to the Kaseya VSA Detection Tool, urging affected MSPs to use the tool to check their systems for signs of the attack.

"CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices," the advisory stated. "Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack."

The attack most likely made use of a zero-day vulnerability in Internet-facing Kaseya VSA servers that many managed service providers installed on premise, according to cybersecurity firm Sophos. This, in turn, gave the attackers access to the systems of the MSPs' clients.

"As Kaseya is primarily used by Managed Service Providers (MSPs) this approach gave the attackers privileged access to the devices of the MSP’s customers," the company said. "Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks. As such, it has a high level of trust on customer devices."

While the investigation into the incident and response to the widespread attack are ongoing, the Dutch Institute for Vulnerability Disclosure (DIVD) has reported that the number of suspected Kaseya VSA instances accessible from the Internet has plummeted from over 2,200 to 140. The DIVD also revealed that a researcher associated with the group, Wietse Boonstra, had "previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks."

DIVD supported Kaseya's response to the attack, saying that the company responded quickly to their disclosure and worked diligently to produce a patch. 

"During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched," the group stated in its latest update. "They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."

Holiday Hack

The attack coincided with US Independence Day, a long weekend, leaving many companies scrambling. A number of other major attacks have been attributed to REvil, also known as Sodinokibi, such as the attack on JBS USA Holdings, which paid an estimated $11 million to recover its data and systems. In addition, the US government blamed REvil for the attack on local governments and agencies in the state of Texas almost two years ago, which also appears to have involved at least one managed service provider.

Such attacks will continue as long as supply-chain vulnerabilities are easy to exploit, CrowdStrike's Meyers said. 

"The continued success of large software supply chain attacks provides an ominous outlook for organizations of all sizes as threat actors observe how profitable and wide ranging they can be," he said. "Organizations must understand that these headlines are no longer warnings, but are a reality of what is in their future if they have not established a mature cybersecurity strategy."