Kaseya VSA Ransomware Attack

On 2 July 2021, a number of managed service providers (MSPs) and their customers became victims of a ransomware attack perpetrated by the REvil group, causing widespread downtime for over 1,000 companies. The attack was carried out by exploiting a vulnerability in VSA (Virtual System Administrator), a remote monitoring and management software package developed by Kaseya. Two suspects were identified and one sentenced.


Timeline and impact

On March 23, DIVD researcher Wietse Boonstra found six zero-day vulnerabilities in Kaseya VSA (Virtual Systems Administrator). The DIVD warned Kaseya and worked together with company experts to solve four of the seven reported vulnerabilities. The DIVD later wrote a blog post, "KASEYA VSA, behind the scenes", about finding the 0-days. Despite the advance warning from DIVD, Kaseya did not patch all the reported bugs before they were exploited by REvil to deploy ransomware. An authentication bypass vulnerability in the software allowed attackers to compromise VSA and distribute a malicious payload through hosts managed by the software, amplifying the reach of the attack.

In response, the company shut down its VSA cloud and SaaS servers and issued a security advisory to all customers, including those with on-premises deployments of VSA. Initial reports of companies affected by the incident include Norwegian financial software developer Visma, which manages some systems for Swedish supermarket chain Coop. The supermarket chain had to close its 800 stores for almost a week, some in small villages without any other food shop. Coop did not pay the ransom, but rebuilt its systems from scratch after waiting for an update from Kaseya. The REvil ransomware gang officially took credit for the attack and claimed to have encrypted more than one million systems during the incident. They initially asked for a $70 million ransom payment to release a universal decryptor to unlock all affected systems. On July 5, Kaseya said that between 800 and 1,500 downstream businesses were impacted in the attack.

After a 9 July 2021 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not. On 13 July 2021, REvil websites and other infrastructure vanished from the internet. On 5 July 2021, REvil had announced that they would release a universal decryptor in exchange for 70 million USD paid in Bitcoin. On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.

On 8 October 2021, Ukrainian national Yaroslav Vasinskyi was arrested in Poland in connection with the ransomware attack, pending extradition to the United States. On 8 November 2021, the United States Department of Justice unsealed indictments against Yaroslav Vasinskyi, who was still in Polish custody, and another suspect, Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, facing a maximum sentence of 115 years in prison. Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities, facing a maximum sentence of 145 years in prison. In addition, the United States seized over $6 million in ransomware proceeds and collaborated with international law enforcement agencies and private cybersecurity firms to disrupt REvil's operations. On 3 March 2022, Yaroslav Vasinskyi was extradited to the United States and arraigned in Texas a few days later. On 1 May 2024, Yaroslav Vasinskyi was sentenced to 13 years and seven months in prison and ordered to pay over $16 million in restitution for "his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments". As of 23 June 2024, Yevgeniy Polyanin was still wanted by the FBI and was believed to be living in Russia.

