Kaseya VSA ransomware attack explained
On 2 July 2021, a number of managed service providers (MSPs) and their customers became victims of a ransomware attack perpetrated by the REvil group,[1] causing widespread downtime for over 1,000 companies.[2] [3] The attack was carried out by exploiting a vulnerability in VSA (Virtual System Administrator), a remote monitoring and management software package developed by Kaseya.[4] Two suspects were identified and one sentenced.[5] [6]
Timeline and impact
On 23 March 2021, DIVD researcher Wietse Boonstra found seven zero-day vulnerabilities in Kaseya VSA (Virtual System Administrator).[7] The DIVD warned Kaseya and worked with the company's engineers on fixes; four of the seven reported vulnerabilities were patched before the attack. Despite these efforts, Kaseya was unable to patch the remaining bugs in time.[8]
The DIVD later published a blog post, "Kaseya VSA, behind the scenes", about how the zero-days were found and disclosed.
The source of the outbreak was identified within hours as Kaseya's VSA software package.[1] An authentication bypass vulnerability in the software allowed attackers to compromise VSA servers and distribute a malicious payload to the hosts managed by them,[9] amplifying the reach of the attack: a single compromised management server could push the ransomware to every endpoint it administered.[10] In response, Kaseya shut down its VSA cloud and SaaS servers and issued a security advisory to all customers, including those with on-premises deployments of VSA.[11] Early reports of affected companies included the Norwegian financial software developer Visma, which manages some systems for the Swedish supermarket chain Coop.[12] The supermarket chain had to close its roughly 800 stores for almost a week, some of them in small villages with no other food shop. Coop did not pay a ransom but rebuilt its systems from scratch after waiting for a fix from Kaseya.[13] The REvil ransomware gang officially took credit for the attack and claimed to have encrypted more than one million systems during the incident. It initially asked for a $70 million ransom payment to release a universal decryptor that would unlock all affected systems.[14] On 5 July, Kaseya said that between 800 and 1,500 downstream businesses had been affected by the attack.[15]
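The amplification point above is that one compromised RMM server can push the same payload to every agent it manages within minutes. A detection a SOC can run against an RMM server's procedure-execution audit trail (or, better, against agent-side telemetry, since logs on a server the attacker controls cannot be trusted) is a fan-out rule: a procedure that has never been seen before and that reaches many hosts in a short window. The following Python is an added example written for this page, not code from Kaseya, Huntress or the DIVD; the log format, field names (proc, agent, user), procedure names and thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail for a hypothetical RMM server: one line per
# "procedure executed on agent" event. The field names (proc, agent, user) and
# the layout are assumptions for this example, not Kaseya's real log format.
SAMPLE_LOG = """\
2021-07-02T14:00:05Z proc=PATCH-WEEKLY agent=host-01 user=admin
2021-07-02T14:00:07Z proc=PATCH-WEEKLY agent=host-02 user=admin
2021-07-02T14:00:09Z proc=PATCH-WEEKLY agent=host-03 user=admin
2021-07-02T14:00:11Z proc=PATCH-WEEKLY agent=host-04 user=admin
2021-07-02T14:00:13Z proc=PATCH-WEEKLY agent=host-05 user=admin
2021-07-02T15:20:00Z proc=INVENTORY-ONCE agent=host-02 user=admin
2021-07-02T15:25:00Z proc=INVENTORY-ONCE agent=host-03 user=admin
2021-07-02T18:10:00Z proc=HOTFIX-X agent=host-01 user=svc
2021-07-02T18:10:01Z proc=HOTFIX-X agent=host-02 user=svc
2021-07-02T18:10:01Z proc=HOTFIX-X agent=host-03 user=svc
2021-07-02T18:10:02Z proc=HOTFIX-X agent=host-04 user=svc
2021-07-02T18:10:02Z proc=HOTFIX-X agent=host-05 user=svc
2021-07-02T18:10:03Z proc=HOTFIX-X agent=host-06 user=svc
2021-07-02T19:00:00Z proc=HOTFIX-X agent=host-07 user=svc
"""

# Procedures the MSP has run before: a baseline built from historical logs
# (assumed here; in practice derived from weeks of normal activity).
KNOWN_PROCEDURES = {"PATCH-WEEKLY"}


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into (ts, proc, agent, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["proc"], kv["agent"], kv["user"]))
    return events


def detect_fanout(events, known_procs, window=timedelta(minutes=10), min_agents=5):
    """Flag procedures that were never seen before and that reached at least
    `min_agents` distinct agents within `window` of their first execution.

    Returns {procedure: set_of_agents} for every procedure that trips the rule.
    A first-time job that trickles out over hours stays below the threshold;
    a one-shot push to the whole fleet does not.
    """
    first_seen = {}
    reached = defaultdict(set)
    for ts, proc, agent, _user in sorted(events):
        if proc in known_procs:
            continue  # baseline activity, not interesting for this rule
        first = first_seen.setdefault(proc, ts)
        if ts - first <= window:
            reached[proc].add(agent)
    return {proc: agents for proc, agents in reached.items() if len(agents) >= min_agents}


if __name__ == "__main__":
    alerts = detect_fanout(parse_log(SAMPLE_LOG), KNOWN_PROCEDURES)
    for proc, agents in alerts.items():
        print(f"ALERT: new procedure {proc} hit {len(agents)} agents: {sorted(agents)}")
```

Run as-is, the HOTFIX-X push trips the alert (six hosts in three seconds) while the slow INVENTORY-ONCE job does not; the late host-07 execution falls outside the window and is not counted. Thresholds are environment-specific: a scheduled fleet-wide patch run is exactly the behaviour this rule flags, so legitimate mass jobs must be in the baseline. The rule is a compensating control, not a substitute for keeping the management interface off the open internet and applying the vendor's patch.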
Marcus Hutchins criticized the assessment that the impact of the Kaseya attack was larger than WannaCry, citing difficulties in measuring the exact impact.[16]
On 5 July 2021, REvil announced that it would release a universal decryptor in exchange for 70 million USD paid in Bitcoin.[20]
After a 9 July 2021 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.[17] [18]
On 13 July 2021, REvil websites and other infrastructure vanished from the internet.[19]
On 23 July 2021, Kaseya announced that it had received a universal decryptor tool for REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.[21] Kaseya denied having paid a ransom for the tool.[13]
On 8 October 2021, Ukrainian national Yaroslav Vasinskyi was arrested in Poland in connection with the ransomware attack, pending extradition to the United States.
On 8 November 2021, the United States Department of Justice unsealed indictments against Yaroslav Vasinskyi, who was still in Polish custody, and another suspect — Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, facing a maximum sentence of 115 years in prison.[22] Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities, facing a maximum sentence of 145 years in prison.
On 3 March 2022, Yaroslav Vasinskyi was extradited to the United States and arraigned in Texas a few days later.
On 1 May 2024, Yaroslav Vasinskyi was sentenced to 13 years and seven months in prison and ordered to pay over $16 million in restitution for "his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments".
As of 23 June 2024, Yevgeniy Polyanin was still wanted by the FBI and was believed to be living in Russia.[23]
Notes and References
- [1] "Une cyberattaque contre une société américaine menace une multitude d'entreprises" ("A cyberattack against an American company threatens a multitude of businesses"), Le Monde, 3 July 2021. Archived 11 November 2021: https://web.archive.org/web/20211111092003/https://www.lemonde.fr/pixels/article/2021/07/03/une-cyberattaque-etendue-contre-une-entreprise-americaine-menace-une-multitude-d-entreprises_6086896_4408996.html
- [2] Lily Hay Newman, "How REvil Ransomware Took Out Thousands of Businesses at Once", Wired, 4 July 2021. Archived 10 November 2021: https://web.archive.org/web/20211110083212/https://www.wired.com/story/revil-ransomware-supply-chain-technique/
- [3] Robert McMillan, "Ransomware Attack Affecting Likely Thousands of Targets Drags On", The Wall Street Journal, 4 July 2021. ISSN 0099-9660. Archived 28 September 2021: https://web.archive.org/web/20210928164532/https://www.wsj.com/articles/ransomware-group-behind-meat-supply-attack-threatens-hundreds-of-new-targets-11625285071
- [4] Charlie Osborne, "The Kaseya ransomware attack: Everything we know so far", ZDNet, 23 July 2021. Archived 16 August 2021: https://web.archive.org/web/20210816092807/https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
- [5] "Ukrainian Arrested and Charged with Ransomware Attack on Kaseya", United States Department of Justice, 8 November 2021. Archived 11 November 2021: https://web.archive.org/web/20211111153625/https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya
- [6] "Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme", Office of Public Affairs, United States Department of Justice, 1 May 2024. Retrieved 23 June 2024.
- [7] Wietse Boonstra, "Report DIVD-2021-00002 - KASEYA VSA", DIVD.
- [8] "The Unfixed Flaw at the Heart of REvil's Ransomware Spree", Wired, 8 July 2021. Retrieved 7 April 2022.
- [9] John Hammond, "Rapid Response: Mass MSP Ransomware Incident", Huntress. Retrieved 24 July 2021. Archived 26 October 2021: https://web.archive.org/web/20211026120929/https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
- [10] Gerrit De Vynck, Aaron Gregg and Rachel Lerman, "Ransomware attack struck between 800 and 1,500 businesses, says company at center of hack. Kaseya's software touches hundreds of thousands of firms, but company says vast majority were unaffected", The Washington Post, 6 July 2021.
- [11] Martin Giles, "A New Wave Of Ransomware Has Been Sparked By A Cyberattack On Tech Provider Kaseya", Forbes, 3 July 2021. Archived 23 September 2021: https://web.archive.org/web/20210923062247/https://www.forbes.com/sites/martingiles/2021/07/03/ransomware-attacks-sparked-by-cyberattack-on-kaseya/
- [12] Joe Tidy, "Swedish Coop supermarkets shut due to US ransomware cyber-attack", BBC News, 3 July 2021. Archived 5 October 2021: https://web.archive.org/web/20211005194143/https://www.bbc.com/news/technology-57707530
- [13] Jonathan Greig, "Kaseya denies paying ransom for decryptor, refuses comment on NDA", ZDNet, 26 July 2021. Archived 3 October 2021: https://web.archive.org/web/20211003205303/https://www.zdnet.com/article/kaseya-denies-paying-ransom-for-decryptor-refuses-comment-on-nda/
- [14] Liam Tung, "Kaseya ransomware attack: US launches investigation as gang demands giant $70 million payment", ZDNet, 5 July 2021. Archived 9 October 2021: https://web.archive.org/web/20211009105238/https://www.zdnet.com/article/kaseya-ransomware-attack-us-launches-investigation-as-gang-demands-giant-70-million-payment/
- [15] Raphael Satter, "Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says", Reuters, 5 July 2021. Archived 11 November 2021: https://web.archive.org/web/20211111100411/https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/
- [16] Marcus Hutchins, Twitter, 13 July 2021: "The reason some people think REvil was bigger than WannaCry is because WannaCry was so big that nobody was ever able to quantify it. The best metrics we have is unique IP addresses, but companies have 10s, 100s, or 1000s of machines behind a single IP due to NAT."
- [17] "Biden tells Putin Russia must crack down on cybercriminals", AP News, 9 July 2021.
- [18] David E. Sanger, "Russia's most aggressive ransomware group disappeared. It's unclear who disabled them.", The New York Times, 13 July 2021.
- [19] Brian Fung, Zachary Cohen and Geneva Sands, "Ransomware gang that hit meat supplier mysteriously vanishes from the internet", CNN Business, 13 July 2021.
- [20] "Gang behind huge cyber-attack demands $70m in Bitcoin", 5 July 2021. Retrieved 19 August 2024.
- [21] "Ransomware key to unlock customer data from REvil attack", 23 July 2021.
- [22] "Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas", Office of Public Affairs, United States Department of Justice, 9 March 2022. Retrieved 23 June 2024.
- [23] "Yevgeniy Igorevich Polyanin", FBI. Retrieved 23 June 2024.