Cons: Persistent, unfixed, obvious GUI issues spanning years and years after being reported:

- Misleading word choices in scheduling boxes.
- "View" is powerful to *use* but clumsy and unwieldy to *manage/administer*.
- The way installation packages are created is terrible. If you have more than about a dozen OUs, you will see what I mean: you must create a new install package for each OU. EVERY ONE OF THEM must be updated every time there is a new Kaseya client release (about four times a year). There should be one package that asks the user its OU based on a database that IT sets up.
- Kaseya Anti-Virus and Kaseya Anti-Malware (which we used to use) are fraught with problems, both in accurately reporting what was out there and in reliably installing or uninstalling packages. KAM in particular was so broken it caused us to dump the entire thing and switch to Webroot (though the Webroot integration module is a bad joke: it looks like an alpha product, nowhere near beta).
- Patch rollback is difficult and usually impossible (though this may not be Kaseya's fault).

As a spate of ransomware attacks continues to dominate the headlines in recent months, the infamous REvil ransomware gang has upped the ante significantly with a wide-ranging operation that is suspected to have impacted thousands of small-to-midsize businesses through the compromise of a leading IT services provider.

Reports indicate that the REvil gang's supply chain attack exploited the Kaseya VSA remote management service to propagate the ransomware to multiple targets by way of Managed Service Providers who use the software to service clients across the globe.

REvil is the same threat actor who hit meatpacking giant JBS with a ransomware attack at the beginning of June, shutting down a good portion of the company's production capabilities and threatening to create supply chain disruptions and sharp increases in the cost of goods.

Back in April of 2019, the Cybereason Nocturnus team first encountered and analyzed the REvil ransomware (aka Sodinokibi, Sodin), a notoriously aggressive and highly evasive threat that takes many measures to maintain obfuscation and prevent detection by security tools.

Cybereason Detects and Blocks REvil Ransomware

The Cybereason Defense Platform has consistently proven to detect and block REvil ransomware. Cybereason customers have been protected from this threat since it emerged in 2019, as are the customers of our Managed Services Provider partners in the wake of the Kaseya supply chain compromise:

[Image: The Cybereason Defense Platform Detects and Blocks REvil Ransomware]

Over time, REvil has become the largest ransomware cartel in operation to date. Subsequent attacks attributed to the REvil gang include a March 2021 attack against Taiwanese multinational electronics corporation Acer, in which the assailants demanded a record-breaking $50 million ransom. In April, the REvil gang attempted to extort Apple following an attack against one of the tech giant's business partners, issuing a $50 million ransom demand together with threats to increase the demand to $100 million and to release data exfiltrated from the target should the payment not be made promptly.

Much like the DarkSide ransomware gang that struck Colonial Pipeline in early May, the REvil gang follows the double extortion trend, where the threat actors first exfiltrate sensitive information stored on a victim's systems before launching the encryption routine. After the ransomware encrypts the target's data and issues the ransom demand for payment in exchange for the decryption key, the threat actors make the additional threat of publishing the exfiltrated data online should the target refuse to make the ransom payment.

This means the target is still faced with the prospect of having to pay the ransom regardless of whether or not they employed data backups as a precautionary measure, and underscores the need to take a prevention-first security posture.

REvil's Kaseya Attack

At the time of publication of this report, the exact chain of events that enabled at least 1000 businesses to be infected by the REvil ransomware is not entirely clear. According to Huntress's investigation, one possibility is the exploitation of the web interface of Kaseya's VSA servers (software used by Kaseya customers to monitor and manage their infrastructure), which enabled authentication bypass and remote code execution.