This past month, one particular cyber security story not only attracted the attention of professionals in the field but made headlines in other prominent news publications as well. We are referring, of course, to the REvil ransomware. And while at the end of the day it is "just" another ransomware attack, it is worth looking back to understand what happened here in a matter of merely a few weeks.
Not a New Threat
Firstly, REvil is by no means a new and unknown ransomware strain, quite the opposite. First identified in early 2019, it has since established itself as one of the most prolific examples of Ransomware as a Service (RaaS), supposedly making its operators $100 million in 2020 alone. At the link below, you can find a technical write-up from the early days of this operation. Notably, even back then one identified method of deploying the ransomware was by infecting managed service providers (MSPs) – somewhat of a recurring theme, as we now know.
What Happened at Kaseya
As noted above, going after MSPs with both a broad base of customers and a deep reach into their networks had been done before, so how exactly was the compromise of the Kaseya Virtual System Administrator (VSA) software different? There are at least a few answers to that question, including the explosive spread of the ransomware, the immense attention from media and global politics, and how quickly the whole incident was over (or at least how quickly effective mitigations were available).
The Kaseya timeline starts in April 2021, when Dutch security researchers identified a number of critical vulnerabilities in the VSA software allowing for, among other things, an authentication bypass that ended up being instrumental in the distribution of REvil.
• July 2: First outbreaks are reported.
• July 5: Kaseya estimates up to 1,500 downstream businesses may be affected.
• July 9: US president Biden and Russian president Putin discuss the incident over the phone.
• July 13: REvil websites and further backend infrastructure go offline.
• July 23: Kaseya obtains a master decryption key, allowing its customers to recover their data.
This whole story unfolded in less than a month. And while it is great to see the appearance of the master key and Kaseya helping its customers recover their data, it is clear that the damage has been done. Affected business operations were put out of service, and data likely did not just get encrypted but was also exfiltrated.
It is important to point out that similar incidents attacking key elements of the supply chain are bound to happen again. In fact, threat intelligence providers have already identified a new ransomware operation that exhibits certain similarities to REvil, suggesting the group behind it did not close shop for good.
Protecting Cyber Supply Chains
Previously on Cybersecurity Magazine, we talked to Prof. Ahmed Banafa about the dangers to supply chains, specifically in the context of the Internet of Things, and how to prepare better for upcoming threats.
Cybersecurity Magazine Editorial Team