Ransomware Attack Led by the REvil (Sodinokibi) Cyber Gang Affects 1,500 Businesses Worldwide

A major ransomware attack carried out by the notorious REvil/Sodinokibi cyber gang may have hit up to 200 businesses in America and close to 1,500 worldwide. The Russian-tied crooks compromised a specific network management software package to spread the threat, which allowed them to reach a myriad of cloud-service providers.

The flawed software in question is called Virtual System Administrator, or VSA – a Remote Monitoring & Management system developed and marketed by Kaseya, a private company that strives to provide efficient and cost-effective software solutions to small and medium-sized businesses across the globe. The malware started executing ransomware on endpoints managed by Kaseya’s VSA on-premises package. As a result, the actual scale of the attack may prove far more significant than security researchers had hoped.

Exploiting Popular Software for a Bigger Impact

Ransomware attacks of that caliber usually try to find security flaws in well-known, widely used software programs, then exploit those flaws to plant the malware further down the supply chain. However, this is the first large-scale supply-chain ransomware attack that we've observed. Given the large number of businesses using Kaseya’s VSA package, it is not entirely clear what percentage of their customers have fallen victim to the attack so far. Kaseya's management has just issued an official notice urging clients to shut down all their on-premises VSA servers to curb the spread of the malware. While the company has found fewer than sixty affected clients, those clients have business relations with many other companies down the line, which brings the total number of affected companies to an estimated 1,500 or thereabouts.

On the Eve of July 4 – Coincidence or a Calculated Move?

Security researchers believe the timing of the attack – Friday, July 2 – was intentional, given that most business departments, including IT, typically have reduced staffing before and during national holidays. Huntress Labs’ John Hammond, who discovered the attack, has reported at least four infected managed-services providers, each of them providing IT infrastructure hosting services to many other businesses. The supply-chain character of the attack gives it huge damage potential because its ultimate victims are the small and mid-size companies that are entirely dependent upon the security of their suppliers. Once a supplier has suffered a breach, the infection spreads like wildfire among its business customers further down the chain.

Patch and Preventive Measures (as of July 6, 12:00 PM EDT)

Kaseya’s officials have advised affected customers to shut down their on-premises VSA servers until further notice and avoid clicking on any ransomware-related URLs, promising to develop a security patch before bringing the servers back online. The company followed suit by taking its VSA SaaS infrastructure offline as well. While Kaseya's security specialists hope to restore SaaS services by 7:00 PM EDT today, they also plan to implement a string of enhanced security measures to minimize the risk of future infections. Those measures include:

  • An independent Security Operations Center (SOC) to monitor every VSA server
  • An additional Content Delivery Network (CDN) with a corresponding Web Application Firewall (WAF) for every VSA server
  • A Compromise Detection Tool for customers willing to test their on-premises VSA servers for any potential breaches
  • A patch for on-premises VSA customers (already developed, currently undergoing testing and validation).

Should everything go as planned, Kaseya’s VSA customers will be able to get their servers up and running within the next few hours.