REvil’s New Supply Chain Attack Takes Down 1,000s of Businesses

The scoop

• This attack on MSPs has impacted at least 3 Huntress partners and more than 1,000 businesses, whose data has been encrypted.
• The attack was carried out by exploiting a vulnerability in Kaseya VSA. The attackers compromised and manipulated the patch distribution process, in which they were seen dropping a file named agent.crt, being distributed as 'Kaseya VSA Agent Hot-fix.' 
• This agent.crt file is decoded via Windows certutil.exe utility, which is executed using a PowerShell command. This extracts an agent.exe file, which includes embedded 'MsMpEng.exe' (an older version of the legitimate Microsoft Defender executable used as a LOLBin) and 'mpsvc.dll' (the REvil encryptor).
• According to one of the samples, the ransomware gang demanded a $5,000,000 ransom to receive a decryptor and some of the affected MSP customers received a much smaller $44,999 ransom demand.
• Now, REvil has demanded $70 million in Bitcoin for a decryptor tool to allows all affected businesses to recover their files. This makes it the highest ransom demand to date.

Other recent incidents

• A few days ago, the University Medical Center of Southern Nevada was targeted by the REvil gang, when they added the medical center to their “Happy Blog” dark web leak site.
• The France-based fashion retail giant French Connection (aka FCUK) was attacked, affecting its backend servers, impacting some of its private internal data.
• Brazilian medical diagnostic company Grupo Fleury, the U.S.-based renewable energy company Invenergy LLC, and the U.S. Nuclear Weapons Contractor Sol Oriens have all been targeted by REvil in the past few weeks.

Conclusion