REvil Ransomware Hits 200 Companies In MSP Supply-Chain Attack

A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack. Bleeping Computer reports: Starting this afternoon, the REvil ransomware gang targeted approximately eight large MSPs, with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack. Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers. Huntress Labs' John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well. "We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted," Hammond told BleepingComputer. Kasey issued an security advisory on their help desk site warniong all VSA customers to immediately shut down their VSA server to prevent the attack's spread while they investigate. In a statement to BleepingComputer, Kaseya stated that they have shut down their SaaS servers and are working with other securty firms to investigate the incident.

A sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer. However, it is unknown if this is the sample used for every victim or if each MSP received its own ransom demand. The ransomware gang is demanding a $5,000,000 ransom to receive a decryptor from one of the samples. While REvil is known to steal data before deploying the ransomware and encrypting devices, it is unknown if the attackers exfiltrated any files.

You usually don't get what you think

[oldgraybeard]

when you outsource security and patch management. But then it looks great in the sales brochure and allows the c-suite to pat themselves on the back. Until the chickens come home to roost.

Re:

[aaarrrgggh]

You are generally not trying to outsource “trivial” things like patch management, but some level of expertise that you don’t have in-house and that requires 4-12 hours a week of work and more than a single person to accommodate vacations and such. I am fine with Linux machines, but we need Windows servers for many critical services— and having someone else manage your backup system, check logs, etc. is nice.

I hate using them, but finding hourly IT consultants to manage this stuff ha

Re:You usually...Cost Benefit Analysis?

[shoor]

I wonder if anyone has tried to tote up the cost of all of these attacks on cloud based systems and compare them to the cost of not using the cloud?

I'm a techie myself, but I've helped enough non-techies to have some appreciation of how difficult it is for them to manage things on their own.

Part of the problem though, is centralization. If there were a bunch of little systems out there, each slightly different, they might be easier to crack individually, but you'd have to crack each of them individually.

I

Re:

[bill_mcgonigle]

The middle managers bought "somebody else to blame" when things go wrong, and now they did, and they have what they bought.

don't be REvil

[Anonymouse Cowtard]

Have they considered just asking for donations? And saying please? Just might work.

Catch more criminals with honey.

[Ostracus]

Seems no one's using honey-pots [ieee.org] to catch and shut down things.

Re:Catch more criminals with honey.

[oldgraybeard]

The Microsoft Windows Eco-system is the biggest real world ,full of holes honeypot on the planet.

Just Windows

[psergiu]

So, basically, if a company is stupid enough to use exclusively Windows PCs, they will get 100% f-ed.
Anyone heard of any ransomware cases for companies with Linux or Mac OS workstations ?

Re:

[Anonymous Coward]

Yep, and the striking thing is that Windows users keep coming back for more abuse. Same psychology as Tesla owners, proof that the Stockholm syndrome is real.

Re:

[psergiu]

Mod parent up as +1 Funny pls :)

Re:

[aaarrrgggh]

Who cares about the workstations if you can do it directly from the servers? Very few companies manage SSO from a Linux machine as there are simply too many things that just don’t work. Likewise, robust backup software for SMEs is almost exclusively Windows. How about enterprise accounting systems nothing for Linux servers.

Re:

[Areyoukiddingme]

How about enterprise accounting systems nothing for Linux servers.

That's a surprisingly large gap in the market that shouldn't exist. It could easily be filled by 3 interns over a long weekend. That was obviously how SAP was written, so the quality will be the same.

I kid. An open source enterprise accounting system for Linux will rapidly eclipse SAP in quality.

Re:

[Anonymous Coward]

Depending on where you get your numbers, the current OS market share is roughly Windows 75%, MacOS 15%, and Linux 2.3%. With 7% listed as Unknown, there is some wiggle room for all those numbers.

Let's pretend you are a malware writer. Which OS would you target for the best return of your misplaced talent? Sure, plenty of universities and artists are using MacOS, but they probably aren't going to pony up a few million dollars to get their data back.

Anyone heard of any companies with Linux or Mac OS workstations ?

FTFY.

Re: Just Windows

[beelsebob]

I mean, if you want to hit any significant tech company (a than Microsoft), youâ(TM)d better be targeting macOS, not windows. I suspect their choice to attack windows is because theyâ(TM)re softer targets for a variety of reasons:

1. Itâ(TM)s more likely that windows businesses are using this kind of management scheme that amounts to preinstalled malware. Itâ(TM)s easy to attack a system thatâ(TM)s already deliberately compromised.

2. The big tech companies running macOS actually kn

Re:

[labnet]

Lets See.
Our ERP System - Windows Only
ECAD System - Windoes Only
MCAD System - Windows Only
XRAY System Software - Windows Only
Robot Prep Software - Windows Only
3CX - Windows Only
Yes, we have many linux servers for things like RedMine, BuildBot, Git
BUT, most engineering businesses have to use windows.

Re: Just Windows

[beelsebob]

âoeThe software we use today runs on windows, therefore there is no software for macOS.â

Re:

[stabiesoft]

IC or PCB ECAD? IC is almost exclusively linux. Sun was the platform for IC design back in the day, well unless you go way back to CALMA systems on DG boxes.

Re:

[labnet]

Altium DXP - PCB ECAD

Re:

[F.Ultra]

I'm sure there exists a similar list of Commodore PET software before customers started to demand MS-DOS versions.

Re:

[ArchieBunker]

If Linux had a 90% desktop market share, yes absolutely.

Should just make a law

[wakeboarder]

Mandatory backups and you have to be able to restore those backups in less than an hour: then where would ransomware attacks be?

Re: Should just make a law

[Plugh]

> Then where would ransomware be? In your backup program

Re:

[kot-begemot-uk]

Encrypting the backups.

A backup like this has to be networked and automated. So attacking it becomes a priority goal.

In any case, the problem with Ransomware in the age of remote working is not cleaning the network and getting your data from backups. The problem is bringing the workforce back online after that. You never know. One of the PCs that just came over the VPN may carry the viral payload. Then it is back to the starting point.

Re:

[Entrope]

Restoring within an hour would be optimizing for the wrong case, and probably open an additional attack surface through the automated-restore function.

Being able to start restoring within two hours, and complete restore within another two, seems reasonable. For a current typical desktop, that is pretty easy -- maybe 1 GB/minute. A server might need a higher-speed network to restore data on time. Maybe extend it to eight hours if enough computers are affected; businesses should have a continuity plan that

Re:

[LostMyAccount]

In the MSP space, backups are the red-headed stepchild. Most companies employing an MSP don't really want to spend money for backups with high retention, high performance and better security options. In my experience, they barely are willing to pay for something that meets the definition of a "backup".

MSPs who try to "solve" this while respecting low-budget customer cost expectations end up magnifying some vulnerabilities with too many shared credentials and often a backup environment too heavily exposed

Kaseya will be sued out of existence.

[iamnotx0r]

Sad world we have, where convenience on using windows means more of this to continue. As far as I can remember, since at least the 1990's windows has been the constant giver of problems.

And the next step is...

[johnnys]

The "MSP" to quietly shut down, lay off all the employees, and the owners decamp to a non-extradition location to live a life of luxury with all the money left over. Meanwhile the suckers, I mean customers, are left to deal with the mess.

This is what happens when you outsource your responsibilities.

Re:

[mjwx]

The "MSP" to quietly shut down, lay off all the employees, and the owners decamp to a non-extradition location to live a life of luxury with all the money left over. Meanwhile the suckers, I mean customers, are left to deal with the mess.

This is what happens when you outsource your responsibilities.

Actually they don't need to go to a non-extradition location. Just declare bankruptcy to get legal protection whilst you start up a new company. Pheonixing, protecting your bad business decisions. I work for a GSI, we've been receiving calls all day about this, but it's OK because we patch and isolate our shit to prevent these kinds of attacks (shit for the guys on the phone though because they have to repeat the same thing over and over again).

MSP ?

[rossdee]

I haven't flown for a couple of years, but I usually fly from or to Minneapolis St. Paul airport (MSP)

Re:

[bardrt]

Managed Service Provider.
Basically, instead of having in-house IT people at your company, you pay another company to do the IT work for you.

More specifically...

[Gravis Zero]

from the wiki: https://en.wikipedia.org/wiki/... [wikipedia.org]

A managed IT services provider (MSP) is most often information technology (IT) services provider that manages and assumes responsibility for providing a defined set of services to its clients either proactively or as the MSP (not the client) determines that services are needed.[26][27] Most MSPs bill an upfront setup or transition fee and an ongoing flat or near-fixed monthly fee, which benefits clients by providing them with predictable IT support costs. Sometimes, MSPs act as facilitators who manage and procure staffing services on behalf of the client. In such context, they use an online application called vendor management system (VMS) for transparency and efficiency. A managed service provider is also useful in creating disaster recovery plans, similar to a corporation's. Managed Service Providers[28] tend to prove most useful to small businesses with a limited IT budget.[29]

The managed services model has been useful in the private sector, notably among Fortune 500 companies,[30] and has an interesting future in government.[31]

Entire store chain down

[dromgodis]

In Sweden an entire supermarket chain (Coop, ~800 stores) is closed since last evening because the supplier of their cash register services got hit.

Re: Entire store chain down

[Flu]

That amounts to 20% of the national market for food. Guess ICA will get new customers...

Re:

[Malifescent]

I know for a fact that the Dutch Ahold group (which also owns several U.S. grocery chains e.g. Giant) uses Linux for its in-house developed cash registers and I have a hunch they will not be targets for ransomware.

Re:

[clampolo]

I know nothing about what security measure Dutch Ahold has taken. But if someone is dumb with security on Linux, there is no magic reason it can't be hacked. Example: maybe they allow a remote login for diagnostics, remote firmware update, etc. Employee finds the username/password hard to remember and stores it on another machine that gets hacked. Most hacking isn't some fancy shit like in the Matrix. Most of it is getting information from dumb people (social engineering.) Linux isn't defended from th

Microkernel

[Malifescent]

When is the U.S. government finally going to urge its departments to use only microkernel-based operating systems which are known to be much more secure, even if the software running on it isn't. The best any threat actor would be able to do is a denial of service attack.

If this continues the way it is now, the government might become rash and starts striking out at other nations, both in cyberspace and the real world.

Seriously, I wouldn't want our government to start a nuclear war just because we can

Pick any 2

[stabiesoft]

Cost, convenience, security. Guess which two biz picks?