For ransom up to $ 70 million, how is the world’s largest Ransomware attack performed by the REvil hacker group?

A huge chain of transmission last Friday infected at least hundreds, even thousands of businesses around the world with ransomware. Among them are the railway operator, drugstore chains and hundreds of stores under the Swedish brand Coop. The total amount of ransom demanded by this group is up to 70 million USD (more than 1,611 billion VND). This is considered the world’s largest ransomware attack ever.

Conducted by the notorious REvil crime gang based in Russia, the attack was a deadly combination of ransomware and supply chain systems.

Cybersecurity experts are beginning to understand how hackers were able to launch such a large-scale attack.

It all started with a vulnerability discovered and about to be patched in the process of updating IT services of Kaseya, an American company that develops software to manage devices and enterprise networks. The company then sells those tools to other companies called “managed service providers” (MSPs).

By “seeding” ransomware through Kaseya’s trusted delivery mechanism, attackers were able to infect Kaseya’s network infrastructure in MSPs and then create a domino effect when those MSPs unknowingly distribute malware to their customers.

“It is worrisome that REvil used trusted apps to access the targets , ” said Sean Gallagher, a senior security researcher at Sophos . Usually, ransomware actors need multiple vulnerabilities at different stages to do so, or spend time on the network to detect the admin password. This is a step above normal ransomware attacks.”

Simply put, System Administrator / Virtual Server (VSA) permissions, Kasaya’s security system managed by MSP, was compromised and malicious updates were sent to the clients. Currently, it is not known whether the attackers have access to all of Kaseya’s central systems and vulnerabilities.

They exploited individual VSA servers managed by the MSP and pushed malicious “updates” from there to MSP customers. REvil seems to have tailored their ransom demands — and even some of their attack techniques — based on the goal, rather than taking the same approach for all.

Unfortunately, the time of the attack was also when security researchers had just identified a fundamental vulnerability in the Kaseya update system. Wietse Boonstra of the Netherlands Vulnerability Institute worked with Kaseya to develop and test patches for this vulnerability. Fixes were almost released, but had not yet been implemented by the time REvil came out.

“We did our best and Kaseya did their best,” said Victor Gevers, a researcher from the Netherlands Institute for Vulnerability Research . I think it’s an easy flaw to find. This is most likely the reason the attackers won the final sprint.”

Hackers also attacked Windows-based VSA applications. VSA’s “working directories,” which often act as a trusted walled “garden” inside those machines, mean that security scanning engines are taught to ignore anything. they are doing, providing a cover to hide the threat. The software will then run a series of commands to hide malicious activity from Microsoft Defender.

In the end, the virus caused the Kesaya updater to launch a legitimate version of Microsoft Anti-Malware Service, which was, however, an outdated, outdated version. Once infiltrated, the malware proceeds to encrypt the data on the device. Moreover, it makes it difficult for victims to get their information back from backups so hackers can demand ransom.

Gevers says that in the past two days, the number of VSA servers that are open to the Internet has dropped from 2,200 to less than 140, as MSPs try to follow Kesaya’s advice and take them offline.

Kaseya has provided updates and assured users that it is working on a recovery plan.

As for why REvil has continued to ramp up its tactics in such a wild way after attracting so much attention, the researchers say it’s important to remember its business model. REvil. They do not operate alone but license the ransomware to a network of other affiliates, run their own operations and then simply split a portion of the profits to REvil.

“It’s misleading to think of this as just about REvil — it’s a federated agent over which the REvil team will have limited control,” said Brett Callow, a security threat analyst at the antivirus company. Emsisoft said. He does not expect this situation to stop anytime soon. “How much money is too much?”

Reference: Wired