A massive chain reaction on Friday infected at least hundreds and likely thousands of businesses worldwide with ransomware, including a railway, pharmacy chain, and hundreds of storefronts of Sweden’s Coop grocery store brand. Carried out by the notorious Russia-based REvil criminal gang, the attack is a watershed moment, a combination of ransomware and a so-called supply chain attack. Now, it’s becoming more clear how exactly they pulled it off.
Some details were known as early as Friday afternoon. To propagate its ransomware out to an untold number of targets, the attackers found a vulnerability in the update mechanism used by the IT services company Kaseya. The firm develops software used to manage business networks and devices, and then sells those tools to other companies called “managed service providers.” MSPs, in turn, contract with small and medium businesses or any institution that doesn’t want to manage its IT infrastructure itself. By seeding its ransomware using Kaseya’s trusted distribution mechanism, attackers could infect MSPs’ Kaseya infrastructure and then watch the dominos fall as those MSPs inadvertently distributed malware to their customers.
But by Sunday, security researchers had pieced together critical details about how the attackers both obtained and took advantage of that initial foothold.
“What’s interesting about this and concerning is that REvil used trusted applications in every instance to get access to targets. Usually ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords,” says Sophos senior threat researcher Sean Gallagher. Sophos published new findings related to the attack on Sunday. “This is a step above what ransomware attacks usually look like.”
The attack hinged on exploiting an initial vulnerability in Kaseya’s automated update system for its remote monitoring and management system known as VSA. It’s still unclear whether attackers exploited the vulnerability all the way up the chain in Kaseya’s own central systems. What seems more likely is that they exploited individual VSA servers managed by MSPs and pushed the malicious “updates” out from there to MSP customers. REvil appears to have tailored the ransom demands—and even some of their attack techniques—based on the target, rather than taking a one-size-fits-all approach.
The timing of the attack was especially unfortunate because security researchers had already identified the underlying vulnerability in the Kaseya update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure was working with Kaseya to develop and test patches for the flaw. The fixes were close to being released, but hadn’t yet been deployed by the time REvil struck.
“We did our best and Kaseya did their best,” says Victor Gevers, a researcher from the Dutch Institute for Vulnerability Disclosure. “It is an easy-to-find vulnerability, I think. This is most likely the reason why the attackers won the end sprint.”
Attackers exploited the vulnerability to distribute a malicious payload to vulnerable VSA servers. But that meant they also hit, by extension, the VSA agent applications running on the Windows devices of the customers of those MSPs. VSA “working folders” typically operate as a trusted walled garden within those machines, which means malware scanners and other security tools are instructed to ignore whatever they’re doing—providing valuable cover to the hackers who had compromised them.
Once deposited, the malware then ran a series of commands to hide the malicious activity from Microsoft Defender, the malware-scanning tool built into Windows. Finally, the malware instructed the Kaseya update process to run a legitimate but outdated and expired version of Microsoft’s “Antimalware Service,” a component of Windows Defender. Attackers can manipulate this outmoded version to “sideload” malicious code, sneaking it past Windows Defender the way Luke Skywalker can sneak past Stormtroopers if he’s wearing their armor. From there, the malware began encrypting files on the victim’s machine. It even took steps to make it harder for victims to recover from data backups.
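For defenders, the behaviors described above translate into three checks on process-creation telemetry. The sketch below is an added example, not code from this article, Sophos, or Kaseya; the event format, the `C:\ExampleRMM\work` exclusion, and the sample events are constructed, and the Defender install directories are assumed defaults to verify on your own systems.

```python
import ntpath
import re

# Assumed default install roots for Defender's service binary (verify locally).
EXPECTED_DIRS = {"msmpeng.exe": [
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
]}
# Hypothetical AV exclusion standing in for an RMM agent "working folder".
EXCLUDED_DIRS = [r"C:\ExampleRMM\work"]
# Defender tampering: protections switched off or new exclusions added.
TAMPER_RE = re.compile(
    r"Set-MpPreference\b.*-Disable\w+|Add-MpPreference\b.*-Exclusion\w+", re.I)


def is_under(path, root):
    """Case-insensitive 'path is inside root' test for Windows paths."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def triage(event):
    """Return the reasons a process-creation event deserves analyst review."""
    reasons = []
    image, cmd = event["image"], event.get("cmdline", "")
    roots = EXPECTED_DIRS.get(ntpath.basename(image).lower())
    # A trusted security binary's name running from an unexpected location.
    if roots and not any(is_under(image, r) for r in roots):
        reasons.append("security binary outside its install directory")
    # Anything executing where the malware scanner has been told not to look.
    if any(is_under(image, d) for d in EXCLUDED_DIRS):
        reasons.append("execution from AV-excluded directory")
    if TAMPER_RE.search(cmd):
        reasons.append("Defender settings changed from command line")
    return reasons


# Constructed sample events (not taken from the incident).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "cmdline": ""},
    {"image": r"C:\ExampleRMM\work\MsMpEng.exe", "cmdline": ""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", triage(ev) or "ok")
```

The second sample event trips two rules at once, which is the pattern the paragraph describes: a copy of a trusted binary running from a directory that scanners are told to ignore.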
Gevers says that in the last two days the number of VSA servers accessible on the open internet has dropped from 2,200 to fewer than 140, as MSPs scramble to follow Kaseya’s advice and take them offline.
“Although the scale of this incident may make it so that we are unable to respond to each victim individually, all information we receive will be useful in countering this threat,” the FBI said in a statement on Sunday.
No End in Sight
Kaseya has been releasing regular updates. “Our efforts have shifted from root cause analysis and mitigating the vulnerability to beginning the execution of our service recovery plan,” the company said on Sunday afternoon. The company had still not reinstated its cloud-based service—seemingly unaffected by the attack—as of Sunday evening.
Organizations often contract with MSPs because they know that they don’t have the expertise or resources to oversee their networks and infrastructure themselves. The risk, though, is that trusted service providers themselves could then be targeted and endanger all of their customers downstream.
“For smaller or insufficiently resourced organizations it sometimes makes sense to offload the heavy lifting to the experts,” says Kenneth White, founder of the Open Crypto Audit Project. “But that trust brings with it an obligation to have the most stringent defenses and detection possible by the service provider, because they control the crown jewels, literally the keys to the kingdom. It’s breathtaking, really.”
As to why REvil attackers would continue escalating their tactics in such a dramatic way after calling so much attention to themselves with recent high-profile incidents like hitting the global meat supplier JBS, researchers say it’s important to remember REvil’s business model. The actors don’t work alone, but license their ransomware to a network of affiliates who run their own operations and then simply give REvil a cut.
“It’s a mistake to think of this in terms of REvil alone—it’s an affiliate actor over which the core REvil team will have limited control,” says Brett Callow, a threat analyst at the antivirus firm Emsisoft. He’s not optimistic that the escalations will stop any time soon. “How much money is too much?”