What Recent Ransomware Attacks Teach Us

Published July 31, 2023
Author: Ash Khan

A software firm made news when a flaw in its VSA software resulted in an outbreak of the REvil ransomware.

Ransomware attacks are on the rise globally, with REvil attacks being the most prevalent. According to the online security website, the REvil ransomware criminals made at least $123 million and stole over 21.6 terabytes of data.

The software targeted in this attack is used by managed service providers (MSPs) to maintain clients’ environments on their behalf, and it frequently runs on the firm’s on-premises servers. The ransomware attacks that followed hit about 1,500 organisations after their systems were infected using a zero-day exploit.

The attackers openly sought a $70 million ransom in exchange for a universal decryption key.

What exactly is REvil?

REvil, an acronym for Ransomware Evil, is a threat organisation believed to be located in Russia. The organisation is responsible for a series of ransomware assaults. Moreover, many of these attacks have resulted in hefty payments from high-profile organisations. REvil is notorious for demanding large ransom payments, frequently in the millions of dollars.

REvil also features two techniques:

The organisation uses a ransomware-as-a-service (RaaS) business model, in which it offers malware and infrastructure to affiliates in return for a portion of paid ransoms. The REvil organisation is primarily responsible for developing and maintaining its software and infrastructure, while its affiliates are responsible for selecting targets and executing attacks.

REvil isn’t just concerned with encrypting a victim’s data. The organisation frequently starts its attacks by stealing sensitive data and then encrypting the environment. This method gives the attackers two levers for extracting a ransom:

  1. A deal for REvil not disclosing critical information on its public blog.
  2. A deal for the decryption key in order to restore access to encrypted files.

This two-pronged strategy is referred to as a double-extortion plan.

What happened to the software provider firm?

On July 2, a REvil affiliate launched a ransomware attack against over 5,000 targets in 22 countries. It effectively compromised over 60 MSPs. The assault targeted internet-connected instances of the VSA software installed on the software firm’s on-premises servers for its MSP clients.

The assault exploited zero-day vulnerabilities that the software firm was already aware of. There were seven vulnerabilities in total: four had been addressed, but three remained unpatched.

One of the remaining flaws enabled REvil’s affiliate to circumvent the firm’s authentication and obtain access to the virtual system administrator software. The attacker then leveraged the software’s privileged access to infect the environments of the MSP’s clients with the REvil ransomware.

According to updates, the three remaining vulnerabilities have since been patched, closing the door on additional attackers who might attempt to use the same exploit chain as the REvil hack.

The Growing Threat of Supply Chain Attacks

To the affected clients, these assaults may have appeared no more significant than other ransomware attacks in recent months. However, the 60 compromised MSPs were only the beginning.

MSPs use VSA software to manage their clients’ environments. Because VSA servers have total access to those environments, a compromised VSA server can be used to compromise every environment it manages. That’s exactly what happened: each hacked VSA server was used to push a malicious script to all of the client environments it maintained.
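The fan-out described above is also what makes this pattern detectable on the management server itself: one script pushed to an unusually large number of endpoints in a short window. The following script is an added illustration, not code from the article or from any RMM vendor; the log format (timestamp, server, action, script id, endpoint) and the sample log it builds are constructed for this example, and the window and threshold are assumptions that would be tuned per environment.

```python
"""Flag a management server pushing one script to many endpoints in a short window.

Added example: the log format and the sample log are constructed, not real
product output. Thresholds are assumptions to be tuned per environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DeployEvent:
    ts: datetime
    server: str
    script: str
    endpoint: str


def parse_line(line: str) -> Optional[DeployEvent]:
    """Parse one constructed log line; ignore anything that is not a script deployment."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "deploy_script":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return DeployEvent(ts, parts[1], parts[3], parts[4])


def build_sample_log() -> List[str]:
    """Constructed sample: routine deployments spread over a day, then one script
    pushed to 40 endpoints within two minutes (the fan-out pattern)."""
    base = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):  # one routine patch push per hour, to a different endpoint each time
        t = base + timedelta(hours=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} mgmt-01 deploy_script patch-weekly endpoint-{i:04d}")
    burst = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)
    for i in range(40):  # the burst: same script, every managed endpoint, seconds apart
        t = burst + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} mgmt-01 deploy_script agent-hotfix endpoint-{i:04d}")
    lines.append("2024-01-15T14:05:00Z mgmt-01 login admin console")  # unrelated noise line
    return lines


def detect_fanout(lines: List[str], window: timedelta = timedelta(minutes=10),
                  threshold: int = 20) -> List[Dict]:
    """Return one alert per (server, script) whose deployments reached at least
    `threshold` distinct endpoints inside any sliding window of length `window`."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_key: Dict[tuple, List[DeployEvent]] = defaultdict(list)
    for e in events:
        by_key[(e.server, e.script)].append(e)

    alerts = []
    for (server, script), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        in_window: Dict[str, int] = defaultdict(int)  # endpoint -> hits inside the window
        best = None
        for end, e in enumerate(evs):
            in_window[e.endpoint] += 1
            # slide the window start forward until it fits within `window`
            while evs[end].ts - evs[start].ts > window:
                old = evs[start].endpoint
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            if distinct >= threshold and (best is None or distinct > best[0]):
                best = (distinct, evs[start].ts, e.ts)
        if best is not None:
            alerts.append({"server": server, "script": script,
                           "endpoints": best[0], "start": best[1], "end": best[2]})
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(build_sample_log()):
        print(f"ALERT {alert['server']} pushed '{alert['script']}' to "
              f"{alert['endpoints']} endpoints between {alert['start']} and {alert['end']}")
```

The routine hourly pushes never exceed one endpoint per ten-minute window, so only the burst produces an alert. In practice the threshold should be set from the server's own baseline, and a legitimate mass rollout would be expected to arrive with a change ticket; the value of the check is that it fires on the management tier, before the payload runs on the clients.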

The remainder of the plot is predictable. Every machine that the REvil malware could access was encrypted.

The software provider firm stated that “the total impact of the attack was fewer than 1,500 downstream businesses.”

Meanwhile, the REvil group claimed that the hack penetrated over a million different systems. Furthermore, we’ll never know the entire scope of the hack or how many impacted organisations will pay the ransom.

This is a two-stage assault. The REvil affiliate began by targeting MSPs using the firm’s VSA software. The affiliate then used that access to install the REvil ransomware in the environments of the MSPs’ customers. This occurrence was extraordinarily difficult to predict from the standpoint of the victims. It wasn’t a flaw in their security program or even their supplier’s security program that caused it; it was a security flaw on the part of their supplier’s supplier.

What can we take away from this? The assault shows the risk presented by an organization’s supply chain. An organization’s security program might be quite successful, yet it could still fall victim to an assault like this owing to a weakness in a supplier’s systems.

Defending Against Ransomware

Organisations should take several key precautions to defend themselves from ransomware. Two are especially important:

  1. Maintain off-site backups of all key systems and data in a secure location.
  2. Practise effective vulnerability management (VM) to swiftly discover and patch known vulnerabilities in software assets.

These methods assist organisations in reducing the possibility of a ransomware breach and limiting the harm that a security breach may cause.
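An off-site backup only limits the damage if it can be shown to be intact and recent before a restore is attempted, so the check below verifies a backup set against a stored manifest of SHA-256 hashes and a creation time. It is an added example, not code from the article or from any backup product; the backup files, the manifest layout (`MANIFEST.json`) and the maximum age are all constructed for the illustration.

```python
"""Verify a backup set against a hash manifest and a freshness limit.

Added example with a constructed backup set; MANIFEST.json is a layout
invented here, not a format used by any particular backup product.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import List

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, created: datetime) -> Path:
    """Record the hash of every file in the set plus the time the set was taken."""
    files = {p.name: sha256_file(p)
             for p in sorted(backup_dir.iterdir())
             if p.is_file() and p.name != MANIFEST_NAME}
    manifest_path = backup_dir / MANIFEST_NAME
    manifest_path.write_text(json.dumps({"created": created.isoformat(), "files": files}, indent=2))
    return manifest_path


def verify_backup(backup_dir: Path, now: datetime,
                  max_age: timedelta = timedelta(days=1)) -> List[str]:
    """Return a list of problems; an empty list means the set is intact and fresh."""
    problems = []
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    created = datetime.fromisoformat(manifest["created"])
    age = now - created
    if age > max_age:
        problems.append(f"backup is stale: taken {age} ago, limit is {max_age}")
    for name, expected in manifest["files"].items():
        path = backup_dir / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {name}")  # altered or encrypted in place
    listed = set(manifest["files"])
    for p in backup_dir.iterdir():
        if p.is_file() and p.name != MANIFEST_NAME and p.name not in listed:
            problems.append(f"unexpected file: {p.name}")
    return problems


def demo() -> dict:
    """Build a constructed backup set, verify it clean, then verify it after
    one file has been overwritten and the set has aged past the limit."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp)
        (backup_dir / "customers.db").write_bytes(b"id,name\n1,alice\n2,bob\n")
        (backup_dir / "config.yaml").write_bytes(b"retention: 30d\n")
        created = datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc)
        write_manifest(backup_dir, created)

        clean = verify_backup(backup_dir, now=created + timedelta(hours=6))

        # simulate a file encrypted in place, and a check run three days later
        (backup_dir / "customers.db").write_bytes(b"\x00\x00encrypted-blob\x00\x00")
        tampered = verify_backup(backup_dir, now=created + timedelta(days=3))
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

The manifest is only as trustworthy as its storage: if it sits next to the backup, an attacker who can encrypt the backup can rewrite the manifest too. Keep a copy of the manifest (or at least its own hash) on a separate, write-once location, and run the verification from a host that is not managed by the same tooling as the systems being backed up.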
