The successful ransomware attack on Kaseya's Virtual Systems Administrator (VSA) software affects a large number of companies that use the software. Below is a comment from Mark Loman, Director of Engineering at Sophos, on the current REvil ransomware attack on Kaseya.
“Since the latest attack with the ransomware REvil became known, Sophos has carried out numerous investigations and classified the attack under the heading 'Supply Chain Distribution'. The criminals use Managed Service Providers (MSP) as a 'sales platform' to hit as many companies as possible, regardless of size or industry.
Ransomware uses MSPs as a distribution platform
We see a recurring pattern here as attackers are constantly adapting their methods with the maxim to achieve the greatest possible impact, be it financially or stealing credentials and other proprietary information that they could later use. In other large-scale attacks we've seen in the past, such as WannaCry, the ransomware itself was the distributor. In the current case, it became clear shortly after the attack that a REvil Ransomware-as-a-Service (RaaS) partner was using a zero-day exploit to distribute the ransomware via Kaseya's Virtual Systems Administrator (VSA) software. Typically, this software provides a highly trusted communication channel that gives MSPs unlimited privileged access to help many businesses with their IT environments. Exactly this platform has now been converted into a distributor for the ransomware."
Ransom in the millions
“Some successful ransomware groups have looted millions of dollars in ransom money, which can potentially earn them very valuable zero-day exploits. So far, certain exploits have usually only been feasible at the nation-state level, and nation states usually use these tools for a specific, isolated attack. In the hands of cyber criminals, such a 'premium exploit' for a vulnerability in a global platform can hit many companies at the same time and have an impact on our daily lives."
Based on Sophos Threat Intelligence, REvil has been particularly active in recent weeks, including the JBS attack, and is currently the dominant ransomware gang involved in Sophos' defensive managed threat response cases.
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.