Jump to content
  • REvil victims are refusing to pay after flawed Kaseya ransomware attack


    Karlston

    • 642 views
    • 4 minutes
     Share


    • 642 views
    • 4 minutes

    REvil victims are refusing to pay after flawed Kaseya ransomware attack

     

    The REvil ransomware gang's attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments.

     

    When ransomware gangs conduct an attack, they usually breach a network and take time stealing data and deleting backups before ultimately encrypting the victim's devices.

     

    When a victim is shown proof of stolen data, backups are deleted, and their devices are encrypted, it creates a much stronger incentive for them to pay the ransom to restore their data and prevent the leak of data.

     

    However, the REvil affiliate responsible for this attack chose to forgo standard tactics and procedures. Instead, they used a zero-day vulnerability in on-premise Kaseya's VSA servers to perform a massive and widespread attack without actually ccessing a victim's network.

     

    This tactic led to the most significant ransomware attack in history, with over 1,500 individual businesses encrypted in a single attack.

     

    Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.

     

    The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.

    A victim paid a $220,000 ransom in Kaseya attack
    A victim paid a $220,000 ransom in Kaseya attack

    Cybersecurity researchers familiar with the attacks and the targeted MSPs have told BleepingComputer that victims are lucky they were attacked this way as the threat actors did not have regular unfettered access to networks and were forced to use automated methods of deleting backups.

     

    For example, Emsisoft CTO Fabian Wosar extracted the configuration for a REvil ransomware sample used in the attack, and it shows that the REvil affiliate made a rudimentary attempt of deleting files in folders containing the string 'backup.'

    Snippet of REvil ransomware configuration
    Snippet of REvil ransomware configuration

    However, this method does not appear to have been successful as an MSP and multiple victims encrypted during the attack told BleepingComputer that none of their backups were affected, and they chose to restore rather than paying a ransom.

     

    Bill Siegel, CEO of ransomware negotiation firm Coveware, told BleepingComputer that this is a similar decision for many other victims of the attack as not one of their clients has had to pay a ransom.

     

    "In the Kaseya attack, they opted to try and impact EVERY Kaseya client by targeting the software vs direct ingress to an MSP's network. By going for such a broad impact they appear to have sacrificed the step of encrypting / wiping backups at the MSP control level," Siegel told BleepingComputer.

     

    "This may end up being a bit of a saving grace, even for MSPs that had poorly segmented backups for their clients."

     

    "While it is certainly impressive that Sodin was able to pull off this exploit, we have not seen the level of disruption that typically follows a single MSP attack where the backups are intentionally wiped or encrypted, and there is no other way to recover data without paying a ransom."

     

    "The disruption is still bad, but encrypted data that is unrecoverable from backups may end up being minimal. This will translate to minimal need to pay ransoms.  "

     

    "Impacted MSPs are going to be stretched for a while as they restore their clients, but so far none of the clients we have triaged have needed to pay a ransom. I'm sure there are some victims out there that will need to, but this could have been a lot worse."

     

    Those victims who do ultimately pay a ransom will likely only do so because they had poor backups to restore from.

     

    We rarely get to write a positive story about ransomware, and while many companies have had a stressful and disruptive week, it does appear that the majority of victims should be able to get back up and running fairly quickly.

     

     

    REvil victims are refusing to pay after flawed Kaseya ransomware attack


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...