The notorious REvil ransomware gang, also known as Sodinokibi, is once again in news for another massive attack. A few days ago, it made headlines due to its new Linux variant targeting ESXi Virtual Machines. This time, the gang has targeted several Managed Service Providers (MSPs) via a supply chain attack that impacted thousands of businesses globally.

The scoop

REvil gang has targeted eight large MSPs that are known to be using the popular unified remote monitoring and management solution Kaseya VSA.
  • This attack on MSPs has impacted at least 3 Huntress partners and more than 1,000 businesses, whose data has been encrypted.
  • The attack was carried out by exploiting a vulnerability in Kaseya VSA. The attackers compromised and manipulated the patch distribution process, in which they were seen dropping a file named agent.crt, being distributed as 'Kaseya VSA Agent Hot-fix.' 
  • This agent.crt file is decoded via Windows certutil.exe utility, which is executed using a PowerShell command. This extracts an agent.exe file, which includes embedded 'MsMpEng.exe' (an older version of the legitimate Microsoft Defender executable used as a LOLBin) and 'mpsvc.dll' (the REvil encryptor).
  • According to one of the samples, the ransomware gang demanded a $5,000,000 ransom to receive a decryptor and some of the affected MSP customers received a much smaller $44,999 ransom demand.
  • Now, REvil has demanded $70 million in Bitcoin for a decryptor tool to allows all affected businesses to recover their files. This makes it the highest ransom demand to date.

Other recent incidents

REvil gang has been actively targeting various business organizations in recent times.
  • A few days ago, the University Medical Center of Southern Nevada was targeted by the REvil gang, when they added the medical center to their “Happy Blog” dark web leak site.
  • The France-based fashion retail giant French Connection (aka FCUK) was attacked, affecting its backend servers, impacting some of its private internal data.
  • Brazilian medical diagnostic company Grupo Fleury, the U.S.-based renewable energy company Invenergy LLC, and the U.S. Nuclear Weapons Contractor Sol Oriens have all been targeted by REvil in the past few weeks.

Conclusion

Attack on MSPs can provide easy access to a large number of associated companies. Therefore, by targeting MSPs, REvil has taken a giant leap, with an aim to grow its financial gains and impact. This incident once again rings the warning bells for supply chain risks faced by enterprises globally.

Cyware Publisher

Publisher

Cyware