{"id":291129,"date":"2021-07-05T13:54:29","date_gmt":"2021-07-05T10:54:29","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/all-you-need-to-know-about-revils-70m-kaseya-ransomware-attack\/"},"modified":"2021-07-05T13:54:29","modified_gmt":"2021-07-05T10:54:29","slug":"all-you-need-to-know-about-revils-70m-kaseya-ransomware-attack","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/all-you-need-to-know-about-revils-70m-kaseya-ransomware-attack\/","title":{"rendered":"#All you need to know about REvil&#8217;s $70M Kaseya ransomware attack"},"content":{"rendered":"<p>&#8220;<strong>#All you need to know about REvil&#8217;s $70M Kaseya ransomware attack<\/strong>&#8221;<\/p>\n<div>Last Friday was quite a doozy in the cybersecurity world: a Russia-linked REvil ransomware gang is believed to be behind <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update\/\">a massive \u2018supply chain\u2019 attack<\/a> that crippled hundreds of businesses across the US and elsewhere. Now, the group <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack\/\">wants $70 million in exchange for a tool to decrypt the files<\/a> they\u2019ve locked on victims\u2019 networks.<\/p>\n<p>The Record\u2019s Catalin Cimpanu reported that REvil has claimed responsibility for the attack and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack\/\">put out the call for the enormous ransom<\/a>. 
If paid, it would make this the largest ransomware incident in history.<\/p>\n<p>At the same time, US President Biden said on Sunday \u201cwe\u2019re not certain\u201d who was behind the attack, and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/technology\/biden-says-uncertain-who-is-behind-latest-ransomware-attack-2021-07-03\/\">he\u2019s directed intelligence agencies to investigate<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_did_this_happen\"><\/span>How did this happen?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Last week\u2019s attack targeted VSA, a piece of software developed by an American IT management software company called Kaseya. VSA is a tool used to remotely manage an organization\u2019s servers and other hardware, as well as software and services.<\/p>\n<p>VSA is used by large corporations, as well as service providers who manage system administration for smaller companies that don\u2019t have their own IT departments.<\/p>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img loading=\"lazy\" decoding=\"async\" alt=\"Kaseya VSA Network Topology View\" width=\"768\" height=\"378\" class=\"js-lazy\" src=\"https:\/\/b6x0l214gh21wkvwf1simsxr-wpengine.netdna-ssl.com\/wp-content\/uploads\/2020\/06\/vsa-topology-basic-screely-768x378.png\"\/><figcaption>Kaseya\u2019s VSA software allows managed service providers to remotely oversee their clients\u2019 IT networks.<\/figcaption><\/figure>\n<p>Per The Record, malware analyst Mark Loman (from security software company Sophos) noted that a malicious VSA update hit multiple systems running the tool, and was then pushed out to all connected client computers and servers.<\/p>\n<p>This update is said to have allowed the REvil gang to disable local antivirus and run a fake Windows Defender app, which is actually the ransomware in disguise. 
The ransomware then does what it\u2019s known for, and encrypts the files on the infected computer so they can\u2019t be accessed without a key.<\/p>\n<p>This is an example of what\u2019s called a supply chain attack, where malicious code is injected into a trusted piece of software that affects other parts of the target\u2019s network \u2014 or even a large number of targets that all use said software.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_bad_is_it\"><\/span>How bad is it?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Sophos noted on July 2 that \u201c<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/en-us\/2021\/07\/02\/kaseya-vsa-supply-chain-ransomware-attack\/\">more than 70 managed service providers were impacted<\/a>, resulting in more than 350 further impacted organizations.\u201d The REvil gang noted on its dark web blog that <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack\/\">more than a million systems were infected<\/a>.<\/p>\n<p>Among them is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.coop.se\/\">Coop<\/a>, a Swedish supermarket chain. The company has temporarily closed some 800 of its stores across the country as a result of the attack, which impacted its cash registers.<\/p>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img loading=\"lazy\" decoding=\"async\" alt=\"Swedish supermarket chain Coop has had to temporarily close 800 of its stores as a result of the attack. Image via Coop\" width=\"1360\" height=\"630\" class=\"js-lazy\" src=\"https:\/\/www.coop.se\/contentassets\/8a1ad99eeb204400a24e37d102def1a2\/coop-butik-1360x630.jpg\"\/><figcaption>Swedish supermarket chain Coop has had to temporarily close 800 of its stores as a result of the attack. Image via Coop<\/figcaption><\/figure>\n<p>This incident is believed to be one of the largest supply chain attacks of all time.<\/p>\n<span class=\"ez-toc-section\" id=\"REvil_is_the_name_of_a_ransomware-as-a-service_RaaS_operation_Affiliated_cybercriminals_utilize_REvils_malware_target_companies_like_managed_service_providers_lock_their_clients_files_and_demand_a_ransom_The_developers_behind_REvil_are_believed_to_be_in_from_or_linked_to_Russia_REvil_has_previously_been_used_to_swipe_device_schematics_from_Apple_supplier_Quanta_Computer_and_the_actors_behind_the_attack_threatened_to_release_the_documents_unless_paid_a_ransom_of_50_million_Strangely_they_mysteriously_removed_references_to_that_incident_a_week_later_REvil_was_also_responsible_for_a_breach_of_Acers_systems_recently_And_last_month_when_US-based_meat_supplier_JBS_was_hit_by_REvil_the_company_paid_out_11_million_to_recover_access_to_its_systems_Can_we_fix_it\"><\/span>\n<p>REvil is the name of a ransomware-as-a-service (RaaS) operation. Affiliated cybercriminals use REvil\u2019s malware to target companies, like managed service providers, lock their clients\u2019 files, and demand a ransom. The developers behind REvil are believed to be in, from, or linked to Russia.<\/p>\n<p>REvil has previously been used to swipe\u00a0device schematics from Apple supplier Quanta Computer, and the actors behind the attack threatened to release the documents unless <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.theverge.com\/2021\/4\/21\/22396283\/apple-schematics-leak-ransomware-quanta-supplier-leak\">paid a ransom of $50 million<\/a>. Strangely, they removed references to that incident a week later. 
REvil was also responsible for <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/computer-giant-acer-hit-by-50-million-ransomware-attack\/\">a breach of Acer\u2019s systems<\/a> recently. And last month, when US-based meat supplier JBS was hit by REvil, the company <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.wsj.com\/articles\/jbs-paid-11-million-to-resolve-ransomware-attack-11623280781\">paid out $11 million<\/a> to recover access to its systems.<\/p>\n<h2>Can we fix it?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kaseya\u2019s first step to mitigate damage was to instruct its clients to take their VSA servers offline.<\/p>\n<p>CEO Fred Voccola told CRN that the company is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/helpdesk.kaseya.com\/hc\/en-gb\/articles\/4403440684689\">working to resolve the situation<\/a>. It is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.crn.com\/slide-shows\/security\/5-takeaways-on-kaseya-cyberattack-from-ceo-fred-voccola\">currently pen-testing a patch for VSA<\/a>, so it should be able to help its clients get back online soon. However, it\u2019s not clear if that will also take care of the problem of locked files.<\/p>\n<p>Voccola also said, \u201cThe technical teams are working with them [impacted MSPs] around the clock. We\u2019re helping them from a legal perspective. We\u2019re helping them deal with the authorities, whether it\u2019s federal or state. We\u2019re helping them navigate with their insurance providers.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Whats_next\"><\/span>What\u2019s next?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>It remains to be seen how Kaseya and its clients will navigate this. There\u2019s the matter of the $70 million decryption tool that could solve the problem at hand. 
However, the US <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/media\/2019\/191002.aspx\">FBI has previously discouraged victims from paying up<\/a>. Sage advice, considering that according to a Sophos report from this year, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/secure2.sophos.com\/en-us\/content\/state-of-ransomware.aspx\">92% of organizations that do pay are unable to recover all their data<\/a>; most victims who cough up the cash are only able to partially recover the contents of their encrypted files.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/everything-need-know-revil-70m-kaseya-ransomware-attack-explained\" target=\"_blank\" 
rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#All you need to know about REvil&#8217;s $70M Kaseya ransomware attack&#8221; Last Friday was quite a doozy in the cybersecurity world: a Russia-linked REvil ransomware gang is believed to be behind a massive \u2018supply chain\u2019 attack that crippled hundreds of businesses across the US and elsewhere. Now, the group wants $70 million in exchange for&#8230;<\/p>\n","protected":false},"author":1,"featured_media":291130,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img-cdn.tnwcdn.com\/image\/tnw?filter_last=1&fit=1280,640&url=https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/05\/Cyber-security-hed-shutterstock_1253457802-copy.jpg&signature=bcc61fbf660f4fd54faaf2a25ce29585","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-291129","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/291129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=291129"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/291129\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/291130"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=291129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bur
adabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=291129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=291129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}