How REvil Ransomware Took Out Thousands of Businesses at Once

On Friday, a ransomware attack hit hundreds, if not thousands, of businesses around the world, including a railway, a pharmacy chain, and hundreds of stores of Sweden's Coop grocery brand. The attack was carried out by the notorious Russia-based criminal gang REvil and combined ransomware with a so-called supply-chain attack. It is now clearer how they did it.

Some details were already known on Friday afternoon. The attackers exploited a flaw in the update mechanism of Kaseya, a company that develops software for managing business networks and devices and sells it to other companies called managed service providers (MSPs). By abusing Kaseya's trusted distribution mechanism to seed ransomware, the attackers could then watch the dominoes fall as MSPs unwittingly passed the malware on to their customers.

By Sunday, security researchers had gathered crucial details about how the attackers gained and used that initial foothold. This is both interesting and worrying, because REvil used trusted applications at every stage to gain access to its targets. Sean Gallagher, senior threat researcher at Sophos, which released new findings on the attack on Sunday, said that ransomware actors often need multiple vulnerabilities at various stages in order to carry out their attack, or to get access to the network and reveal administrator passwords. That makes this attack a step up from what ransomware attacks typically look like.

Trust Exercise

The attackers exploited a vulnerability in the automated update mechanism of Kaseya's remote monitoring and management product, known as VSA. It is not clear whether the attackers exploited the vulnerability in Kaseya's own central systems; it is more likely that they exploited individual VSA servers managed by MSPs and pushed malicious updates from there to the MSPs' customers.
REvil also appears to have tailored its ransom demands and some of its attack techniques to each target rather than taking a generic approach.

It was particularly unfortunate that the attack came after security researchers had already discovered the vulnerability in Kaseya's update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure had been working with Kaseya to test and develop patches for the flaw. The fixes were nearing release but had not yet been deployed when REvil struck.

"We tried our best, and Kaseya did its best," said Victor Gevers, a researcher at the Dutch Institute for Vulnerability Disclosure. "It's a simple vulnerability to find, I believe. This is probably why the attackers won the final sprint."

The attackers exploited the vulnerability to push a malicious payload through vulnerable VSA servers to the VSA agent software running on the Windows devices of those MSPs' customers. VSA's working folders are typically a trusted, walled garden on those machines: malware scanners and other security tools are commonly configured to ignore whatever happens inside them, which gave the attackers valuable cover once they controlled what the agent delivered.

Once the malware was dropped, it ran a series of commands to hide its activity from Microsoft Defender, the malware-scanning tool built into Windows. It then had the Kaseya agent run an outdated but legitimately signed version of Microsoft's Antimalware Service, a component of Windows Defender. Because that outdated version can be made to load code placed alongside it, attackers can sideload malicious code into it and slip past Windows Defender much as Luke Skywalker walks past Stormtroopers while wearing their armor. The malware then began encrypting files on victims' computers and, to make recovery harder, also took steps to prevent victims from restoring from backups.
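The two evasion steps described above, the Defender-weakening commands and the sideloading of malicious code into an old copy of the Defender service binary, both leave a clear trace in process-creation telemetry, and the AV-excluded agent working folder is where that trace tends to sit. The detection logic below is an added example written for this page, not code from Kaseya, Sophos, or the attackers. The sample events are constructed (modelled on public reporting of the incident), the agent working directory C:\kworking and the hit threshold are assumptions, and the MsMpEng.exe / mpsvc.dll pairing is the well-documented sideload vector for the Defender service executable.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event, as a Sysmon/EDR sensor would record it."""
    image: str         # full path of the executable that started
    command_line: str  # its command line
    parent_image: str  # full path of the parent process


# Set-MpPreference arguments that each switch off or weaken a Defender feature.
# Values are included so that an admin re-enabling a feature does not match.
TAMPER_FLAGS = (
    "-disablerealtimemonitoring $true",
    "-disableintrusionpreventionsystem $true",
    "-disableioavprotection $true",
    "-disablescriptscanning $true",
    "-enablecontrolledfolderaccess disabled",
    "-enablenetworkprotection auditmode",
    "-mapsreporting disabled",
    "-submitsamplesconsent neversend",
)

# Directories from which the genuine Defender service binary is expected to run.
LEGIT_DEFENDER_DIRS = (
    r"c:\programdata\microsoft\windows defender\platform",
    r"c:\program files\windows defender",
)

# Assumed RMM agent working directory; in this scenario it is excluded from AV scanning.
AGENT_WORKING_DIR = r"c:\kworking"

# Constructed sample telemetry (not captured data): one tampering command, one
# sideloaded Defender binary, one legitimate Defender start, one benign query.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
              "-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
              "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
              "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
              "-SubmitSamplesConsent NeverSend",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\kworking\MsMpEng.exe", r"C:\kworking\MsMpEng.exe",
              r"C:\kworking\agent.exe"),
    ProcEvent(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-MpPreference", r"C:\Windows\explorer.exe"),
]


def detect_defender_tampering(ev: ProcEvent, threshold: int = 2):
    """Flag a Set-MpPreference call that weakens at least `threshold` protections at once."""
    cl = " ".join(ev.command_line.lower().split())  # normalise case and whitespace
    if "set-mppreference" not in cl:
        return None
    hits = [flag for flag in TAMPER_FLAGS if flag in cl]
    if len(hits) < threshold:
        return None
    return ("defender_tampering",
            f"{len(hits)} protection(s) weakened via Set-MpPreference: {', '.join(hits)}")


def detect_defender_sideload(ev: ProcEvent):
    """Flag MsMpEng.exe running outside its legitimate install directories.

    A copy dropped elsewhere resolves mpsvc.dll from its own directory first, so
    a malicious mpsvc.dll placed beside it is loaded under Defender's own name.
    """
    image = ev.image.lower()
    if ntpath.basename(image) != "msmpeng.exe":
        return None
    directory = ntpath.dirname(image)
    if any(directory.startswith(legit) for legit in LEGIT_DEFENDER_DIRS):
        return None
    detail = (f"MsMpEng.exe launched from {ev.image} by {ev.parent_image}; "
              f"a bundled mpsvc.dll there would be sideloaded")
    if directory.startswith(AGENT_WORKING_DIR):
        detail += " (inside the AV-excluded agent working directory)"
    return ("defender_sideload", detail)


def analyze(events):
    """Run every rule over every event; returns a list of (rule_name, detail) findings."""
    findings = []
    for ev in events:
        for rule in (detect_defender_tampering, detect_defender_sideload):
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for rule_name, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule_name}] {detail}")
```

The tampering rule keys on the combination of flags rather than on any single one, because an administrator legitimately toggling one setting should not page anyone, whereas eight protections disabled in one command from a cmd.exe parent is the dropper's signature. The sideload rule is deliberately path-based: the binary is genuinely Microsoft-signed, so signature checks pass, and only its location gives it away.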