Supply Chain at the Heart of the Latest Ransomware Attack

Stephen DeAngelis

July 7, 2021

As Americans were preparing for a long holiday weekend, Russia-based REvil ransomware criminals (aka Sodinokibi) conducted an attack targeting the information technology company Kaseya. In an attempt to downplay the attack, Kaseya issued a press release stating, “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.”[1] A few days earlier, however, journalists Gerrit De Vynck (@GerritD) and Rachel Lerman (@rachelerman) reported, “A sprawling ransomware attack that hit hours before the beginning of the July Fourth holiday weekend has already affected hundreds of businesses and is likely to hit many more.”[2] Brian Barrett (@brbarrett), Executive Editor of News at WIRED, added, “It was probably inevitable that the two dominant cybersecurity threats of the day — supply chain attacks and ransomware — would combine to wreak havoc. That’s precisely what happened [on 2 July], as the notorious REvil criminal group successfully encrypted the files of hundreds of businesses in one swoop, apparently thanks to compromised IT management software. And that’s only the very beginning.”[3]

The Full Extent of the Attack Remains Unclear

As of Monday, journalist Frank Bajak (@fbajak) reports, “The single biggest ransomware attack yet continued to bite as more details emerged on how a Russia-linked gang breached the exploited software company. The criminals essentially used a tool that helps protect against malware to spread it globally. Thousands of organizations — largely firms that remotely manage the IT infrastructure of others — were infected in at least 17 countries in [the 2 July] assault. Kaseya, whose product was exploited, said [5 July] that they include several just returning to work.”[4] Bajak notes that last month the Sodinokibi group successfully extorted $11 million from the meat processor JBS. This time, Bajak reports, “REvil was seeking $5 million payouts from the so-called managed service providers that were its principal downstream targets in this attack, apparently demanding much less — just $45,000 — from their afflicted customers.” The payout demanded from Kaseya, however, is much higher. According to tech journalist Robert McMillan, Kaseya executives told the White House, “Attackers are demanding a single $70 million ransomware payment.”[5] If Kaseya pays the $70 million, the attackers promise to unlock every affected system. If Kaseya refuses to pay, individual organizations that have been affected can, as noted above, pay to unlock their systems.

Lawrence Abrams (@LawrenceAbrams), creator and owner of BleepingComputer, explains how the attack takes place.[6] He writes:

“BleepingComputer has been told by both Huntress’ John Hammond and Sophos’ Mark Loman that the attacks on MSPs appear to be a supply chain attack through Kaseya VSA. According to Hammond, Kaseya VSA will drop an agent.crt file to the c:\kworking folder, which is being distributed as an update called ‘Kaseya VSA Agent Hot-fix.’ A PowerShell command is then launched that first disables various Microsoft Defender security features, such as real-time monitoring, Controlled Folder Access, script scanning, and network protection. It will then decode the agent.crt file using the legitimate Windows certutil.exe command to extract an agent.exe file to the same folder, which is then launched to begin the encryption process.”
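The chain Abrams describes (Defender features switched off from PowerShell, certutil decoding a .crt into an .exe, and execution out of c:\kworking) is exactly what endpoint telemetry can be checked for. The following is an added example, not code from the original post or from Kaseya: a small Python scanner run over constructed process-creation records. It assumes the records are available as "image | command line" text lines and that Set-MpPreference is the cmdlet used to change Defender settings (the post does not name it).

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (not real telemetry):
# "<image> | <command line>", one process per line.
SAMPLE_EVENTS = [
    r"powershell.exe | powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true",
    r"certutil.exe | certutil -decode c:\kworking\agent.crt c:\kworking\agent.exe",
    r"agent.exe | c:\kworking\agent.exe",
    r"certutil.exe | certutil -decode c:\temp\cert.b64 c:\temp\cert.pem",  # benign decode
    r"powershell.exe | powershell -Command Get-MpPreference",  # benign query
]

@dataclass
class Finding:
    rule: str
    event: str

# Rule 1: PowerShell turning Defender features off. Set-MpPreference is the
# cmdlet that changes these settings; the exact switches are an assumption, so
# the pattern matches any "-DisableX $true" or "-EnableX Disabled" argument.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-(?:Disable\w+\s+\$true|Enable\w+\s+Disabled)", re.I)
# Rule 2: certutil -decode whose output file is an executable (a .crt
# "certificate" being turned into an .exe, as in the quote above).
CERTUTIL_DECODE = re.compile(
    r"\bcertutil(?:\.exe)?\b.*-decode\s+(\S+)\s+(\S+\.exe)\b", re.I)
# Rule 3: anything launched out of the c:\kworking staging folder.
KWORKING_EXEC = re.compile(r"^c:\\kworking\\", re.I)

RULES = [
    ("defender-tamper", DEFENDER_TAMPER),
    ("certutil-decode-to-exe", CERTUTIL_DECODE),
    ("exec-from-kworking", KWORKING_EXEC),
]

def scan(events):
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for event in events:
        _image, _, cmdline = event.partition(" | ")
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(name, event))
    return findings

def triage(findings):
    """Defender tampering plus a certutil-to-exe decode on one host is the
    chain the quote describes; rate it above a lone hit."""
    rules = {f.rule for f in findings}
    if {"defender-tamper", "certutil-decode-to-exe"} <= rules:
        return "high"
    return "medium" if rules else "none"

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.event}")
    print("triage:", triage(hits))
```

On the constructed records the first three lines each trigger one rule and the two benign lines none, so the host is rated "high".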

Although the attack appeared to take advantage of an American holiday weekend, companies around the world were affected. Journalist Dev Kundaliya reports, “Coop, one of Sweden’s largest grocery chains, was forced to temporarily close almost all of its nearly 800 stores after the attack. A pharmacy chain, petrol station chain, the state railway and public broadcaster SVT were also affected in Sweden, as well as IT firms in Germany and the Netherlands.”[7] Kundaliya adds, “Kaseya claims it has more than 10,000 customers around the world.”

A Hint of Things to Come

Fahmida Y. Rashid (@FYRashid), Executive Editor of VentureBeat, observes, “Ransomware has been around for years but has surged recently, with nearly 2,400 governments, health care systems, and schools in the country hit by ransomware in 2020, according to a Ransomware Task Force report. Data is the lifeblood of a modern company — when ransomware encrypts the files and makes it inaccessible, it brings that company to a standstill.”[8] The size of the ransom demanded from Kaseya makes this latest attack a big deal. Matt Tait (@pwnallthethings), Chief Operating Officer of Corellium, insists, “If you’re not already paying attention to the Kaseya ransomware incident, you should be. It’s likely the most important cybersecurity event of the year. Bigger than the Exchange hacks by China in January. Bigger than the Colonial pipeline ransomware incident. And, yes, more important than the SolarWinds intrusions last year.”[9] The reason Tait is so concerned about the Kaseya attack is that it involves automated software updates. He explains, “Under normal circumstances, automatic software deployment, especially in the context of software updates, is a good thing. But here this feature was turned on its head.” He suggests three other reasons organizations should be concerned about the Kaseya attack:

Indiscriminate Nature of the Attack. Tait notes, “Supply chain compromises, such as these, are very often indiscriminate; everyone that installs a malicious update gets the malware. Even in cases where supply-chain malware merely lays the groundwork for further sub-targeting after the initial breach — as the SolarWinds malware did — the effect is disruptive to all recipients, whether sub-targeted or not. Except in very rare cases, perpetrators behind supply chain attacks cannot control, predict or constrain the real-world consequences of subverting software supply-chains — and this is especially true when they are used to install ransomware.”

Attacks Could Become More Ubiquitous. According to Tait, “Perhaps [the] scariest observation is that the software vendors used in malicious update compromises thus far have, in the grand scheme of things, been relatively small. MEDoc, SolarWinds and Kaseya are, of course, important to their respective customers, but none were household names before their respective incidents. Far bigger software vendors exist. Some are central to the basic functioning of modern computing. A disruption to the supply chain of platform vendors like Microsoft, Apple, or Google would have fallout at a scale that is literally unimaginable; with global disruption so vast that it cannot really be articulated without sounding insane or alarmist.”

Security Updates Become Dangerous. “The final observation,” Tait writes, “is that defensive remediation of ransomware deployed through automatic updates is pathological to the cybersecurity industry itself in a way that is qualitatively different from other categories of cybersecurity incidents. … A malware operator with access to automatic software delivery infrastructure has no incentive to keep the infections small. Rather than infecting only a few targets at the top of their priority list, the hacker typically hacks all affected customers nearly simultaneously.”

Rashid notes, “This isn’t the first time adversaries are targeting the supply chain to amplify the impact of their attacks, and it won’t be the last. Enterprises are increasingly relying on a network of providers for a wide range of business operations that include data processing and storage, networking infrastructure, and application delivery — that trend isn’t going away. A security incident at the supplier is inevitably going to be an incident for the enterprise, as well.” It should be clear from the above discussion that no organization is immune to ransomware attacks.

Footnotes
[1] Staff, “Updates Regarding VSA Security Incident,” Kaseya, 5 July 2021.
[2] Gerrit De Vynck and Rachel Lerman, “Widespread ransomware attack is affecting hundreds of businesses,” The Washington Post, 2 July 2021.
[3] Brian Barrett, “A New Kind of Ransomware Tsunami Hits Hundreds of Companies,” WIRED, 2 July 2021.
[4] Frank Bajak, “Fallout continues from biggest global ransomware attack,” Associated Press, 5 July 2021.
[5] Robert McMillan, “Ransomware Hackers Demand $70 Million to Unlock Computers in Widespread Attack,” The Wall Street Journal, 5 July 2021.
[6] Lawrence Abrams, “REvil ransomware hits 1,000+ companies in MSP supply-chain attack,” BleepingComputer.com, 2 July 2021.
[7] Dev Kundaliya, “Kaseya is latest victim of supply-side ransomware attack: hundreds of companies affected,” Computing, 5 July 2021.
[8] Fahmida Y. Rashid, “Supply chain attack on Kaseya infects hundreds with ransomware: What we know,” VentureBeat, 3 July 2021.
[9] Matt Tait, “The Kaseya Ransomware Attack is a Really Big Deal,” Lawfare Blog, 5 July 2021.