On July 3rd, a malicious hotfix was released and pushed by Kaseya VSA servers that propagated to servers managed by Kaseya, resulting in the compromise and encryption of thousands of nodes at hundreds of different businesses.
This attack appears to be the work of REvil (also known as Sodin/Sodinokibi). The recent attacks targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers.
Kaseya VSA is a popular piece of software for remote network management, used by many managed security providers, or MSPs, companies that provide IT services to other companies. Network management software is a perfect place to hide a back door because these systems usually have broad access and perform a lot of tasks, making them difficult to monitor.
The attackers exploited vulnerable, internet-facing VSA servers commonly running upstream of many victims, in networks of MSPs, using them as backdoors, making it difficult or impossible for the victims to detect or prevent infection as the ransomware flowed ‘‘downstream.’’
REvil is most famously associated with recent attacks on Travelex, Acer, and Apple supplier Quanta Computer. Acting as a RaaS, REvil relies on affiliates or partners to perform its attacks. The REvil developers receive a percentage of all proceeds from ransom payments. Because the ransomware is distributed by different entities, the initial infection vector can vary; typically, this is either via phishing campaigns, brute force attacks to compromise RDP, or through software vulnerabilities. REvil is also known to be distributed by other malware suas as IceID.
The good news? BlackBerry Protect, BlackBerry Optics and BlackBerry Guard stop these attacks.
Prevention first: Putting prevention first neutralizes malware before the exploitation stage of the kill-chain. By stopping malware at this stage, BlackBerry products help organizations increase their resilience to cyber attacks. This also reduces infrastructure complexity and streamlines security management to ensure that business, people, and endpoints are secure.
BlackBerry cybersecurity solutions use the 7th generation Cylance® AI engine, trained on a threat dataset numbering in the billions, to identify and prevent attacks. The AI resides on the endpoint and in the cloud, offering holistic and multi-layered protection without requiring continuous Internet connectivity.
Given the success of the REvil attacks, it is vital for organisations to learn how to safeguard themselves and their employees from ransomware threats in 2021.
The Threat Research Team of our partner BlackBerry, has analyzed the attack methods used by this threat, and in addition to recommending basic cyber hygiene steps, strongly urges BlackBerry customers to ensure their systems have BlackBerry® Protect enabled with a blocking policy and BlackBerry® Optics enabled to detect threats.
BlackBerry has additionally authored rules to identify several telemetry points of the REvil ransomware. These rules are available for BlackBerry customers to download here: https://support.blackberry.com/community/s/article/80059.
Ward Solutions & BlackBerry Incident Response team can work together with organisations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.
Talk to a Specialist today:
- Contact our sales team at info@ward.ie or call 01 6420100
- To get more information, visit our website ward.ie
- To view our partner’s technology, go to www.blackberry.com