Friday's huge chain-reaction ransomware attack has hit at least hundreds, and possibly thousands, of companies worldwide, including hundreds of stores of the Swedish grocery chain Coop, as well as a railway and a pharmacy chain. Carried out by the notorious Russia-based REvil criminal group, the attack is a watershed: a combination of ransomware and a so-called supply chain attack. Now it is becoming clearer how they did it.
Some details were known as early as Friday afternoon. To spread its ransomware to countless targets, the attackers exploited a vulnerability in the update mechanism used by the IT services company Kaseya. The company develops software for managing business networks and devices, and sells those tools to other companies known as managed service providers (MSPs). MSPs in turn contract with small and medium-sized businesses, or with any organization that does not want to manage its own IT infrastructure. By seeding its ransomware through Kaseya's trusted distribution mechanism, an attacker can infect an MSP's Kaseya infrastructure and then watch the dominoes fall as those MSPs unwittingly distribute malware to their customers.
But by Sunday, security researchers had pieced together key details about how the attackers obtained and used that initial foothold.
“Interestingly, REvil used trusted applications to gain access to targets in every instance. Usually, ransomware attackers need multiple vulnerabilities at different stages to do this, or they need time on the network to discover administrator passwords,” said Sean Gallagher, senior threat researcher at Sophos, which released new findings about the attack on Sunday. “This is a step above what a ransomware attack usually looks like.”
The key to the attack is an initial vulnerability in the automatic update system of Kaseya's remote monitoring and management product, VSA. It is not clear whether the attackers exploited the vulnerability in Kaseya's own central systems; more likely, they compromised individual VSA servers run by MSPs and pushed malicious “updates” from there to those MSPs' customers. REvil also appears to have tailored its ransom demands, and even some of its attack techniques, to each target rather than taking a one-size-fits-all approach.
The timing of the attack is particularly unfortunate, because security researchers had already identified potential vulnerabilities in Kaseya's update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure (DIVD) had been working with Kaseya to develop and test a patch for the flaw. The fix was due to be released soon, but it had not yet been deployed when REvil struck.
“We did our best, and Kaseya did their best,” said Victor Gevers, a researcher at the Dutch Institute for Vulnerability Disclosure. “I think this is a vulnerability that is easy to find. That is probably why the attackers won the final sprint.”
The attackers used this vulnerability to distribute malicious payloads to vulnerable VSA servers. But that also meant reaching the VSA agent application running on the Windows machines of those MSPs' customers. The VSA “working folder” typically runs as a trusted walled garden on those machines, meaning that malware scanners and other security tools are configured to ignore whatever happens inside it, which gives attackers who compromise it valuable cover. An antivirus exclusion is only as trustworthy as the process allowed to write into it: once the agent is delivering attacker-controlled files, the exclusion shields those files too.
Once in place, the malware runs a series of commands to hide its malicious activity from Microsoft Defender, the malware scanner built into Windows. It then has the Kaseya update process run a legitimate but outdated and expired version of Microsoft's “Anti-Malware Service,” a component of Windows Defender. The attackers can manipulate that outdated version to “sideload” malicious code and sneak it past Windows Defender, much as Luke Skywalker slips past the stormtroopers by wearing their armor. From there, the malware begins encrypting files on the victim's machine. It even takes steps to make it harder for victims to recover from their data backups.
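The two preceding paragraphs describe three behaviours a defender can look for on an endpoint: Defender being switched off from the command line, a copy of Defender's own service binary running from somewhere Microsoft never installs it, and arbitrary executables launching out of an antivirus exclusion folder. The script below is an added detection example written for this article; it is not code from the article, from Sophos, Kaseya or REvil. It runs over a handful of constructed process-creation events (hosts, paths such as `C:\agentwork\` and the `AgentTool` parent process are made up for the sample), and it assumes that the "Anti-Malware Service" the article refers to is `MsMpEng.exe`, the Windows Defender Antimalware Service Executable, and that tampering is done through the real `Set-MpPreference` and `Add-MpPreference` PowerShell cmdlets.

```python
"""Detection example: Defender tampering, misplaced Defender binaries and
execution from an AV exclusion folder, run over constructed sample events.
Added for illustration; not the article's, Sophos' or Kaseya's code."""
import re
from dataclasses import dataclass
from typing import List, Tuple, Iterable, Set


@dataclass
class ProcessEvent:
    """Minimal process-creation record, like a Sysmon event 1 / 4688 log."""
    host: str
    image: str          # full path of the started executable
    command_line: str
    parent_image: str


# Rule 1: Defender disabled or excluded via the genuine PowerShell cmdlets.
# Matches "-DisableRealtimeMonitoring $true" or "-DisableIOAVProtection:1" etc.
DISABLE_FLAG_RE = re.compile(r"-(Disable\w+)(?:\s+|:)(?:\$true|1)\b", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)


def defender_tampering(command_line: str) -> List[str]:
    """Return the Defender protections a command line turns off or the
    marker 'ExclusionAdded' when it adds an exclusion; empty list if benign."""
    findings: List[str] = []
    if re.search(r"\bSet-MpPreference\b", command_line, re.I):
        findings += [m.group(1) for m in DISABLE_FLAG_RE.finditer(command_line)]
    if EXCLUSION_RE.search(command_line):
        findings.append("ExclusionAdded")
    return findings


# Rule 2: Defender's service binary (assumed here to be MsMpEng.exe) should only
# run from the directories Microsoft installs it into; any other location is
# a candidate for the "old signed binary used to sideload code" trick.
DEFENDER_IMAGES = {"msmpeng.exe"}
LEGIT_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def misplaced_defender_binary(image: str) -> bool:
    path = image.lower()
    name = path.rsplit("\\", 1)[-1]
    return name in DEFENDER_IMAGES and not path.startswith(LEGIT_DEFENDER_DIRS)


# Rule 3: anything starting out of an AV-excluded folder that is not one of
# the binaries expected to live there. The exclusion hides it from the
# scanner, so process-creation telemetry is the remaining control.
def runs_from_exclusion(image: str, exclusions: Iterable[str]) -> bool:
    path = image.lower()
    return any(path.startswith(e.lower()) for e in exclusions)


def scan(events: Iterable[ProcessEvent], exclusions: Tuple[str, ...],
         expected_in_exclusion: Set[str]) -> List[Tuple[str, str, str]]:
    """Apply all three rules; return (host, rule, detail) tuples."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        flags = defender_tampering(ev.command_line)
        if flags:
            alerts.append((ev.host, "DefenderTampering", ",".join(flags)))
        if misplaced_defender_binary(ev.image):
            alerts.append((ev.host, "MisplacedDefenderBinary", ev.image))
        name = ev.image.lower().rsplit("\\", 1)[-1]
        if runs_from_exclusion(ev.image, exclusions) and name not in expected_in_exclusion:
            alerts.append((ev.host, "ExecutionFromAvExclusion", ev.image))
    return alerts


# Constructed sample telemetry (hosts, agent names and C:\agentwork\ are made up).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
                 "MsMpEng.exe", "C:\\Windows\\System32\\services.exe"),        # normal
    ProcessEvent("ws01", PS, 'powershell.exe -Command "Get-MpPreference"',
                 "C:\\Windows\\explorer.exe"),                                   # benign query
    ProcessEvent("ws02", PS, 'powershell.exe -ExecutionPolicy Bypass -Command '
                 '"Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"',
                 "C:\\Program Files\\AgentTool\\agent.exe"),                     # tampering
    ProcessEvent("ws02", "C:\\agentwork\\MsMpEng.exe", "MsMpEng.exe",
                 "C:\\Program Files\\AgentTool\\agent.exe"),                     # misplaced binary
    ProcessEvent("ws03", "C:\\agentwork\\agentmon.exe", "agentmon.exe",
                 "C:\\Windows\\System32\\services.exe"),                         # expected agent
]
EXCLUDED_DIRS = ("C:\\agentwork\\",)
EXPECTED_IN_EXCLUSION = {"agentmon.exe"}

if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_EVENTS, EXCLUDED_DIRS, EXPECTED_IN_EXCLUSION):
        print(f"{host}: {rule}: {detail}")
```

On the sample data only the `ws02` events fire: one tampering alert listing both disabled protections, and two alerts for the out-of-place `MsMpEng.exe`. In a real deployment the misplaced-binary rule is worth pairing with a file-version check against the copy under the Defender platform directory, since the article's point is that the attackers relied on an outdated release of a genuine Microsoft component rather than an unsigned dropper.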