Kaseya and REvil: two sides of the supply-chain risk story

The ransomware problem has escalated at a steady pace over the last few years, with that upward slope punctuated by a few larger spikes as major incidents hit the headlines.

July’s Kaseya incident looks likely to be one of the biggest of those spikes, with at least 1000 and, by some reports, as many as 2000 small and medium businesses and organizations impacted. The subsequent disappearance of the perpetrators, the REvil ransomware-as-a-service group, from their various online locations is likely only temporary, but both phases of the story highlight once again the issue of trust in third-party providers.

Once Kaseya’s “Virtual System Administrator” (VSA) remote management solution was penetrated by malicious hackers, Kaseya’s entire customer base was put at risk of attack via the very systems they had brought in to keep their networks patched, updated, and secure. Having given the MSP access for monitoring and management purposes, these small firms, most of them lacking in-house technical teams capable of building and running everything on their own, found their data stolen and their systems crippled via the “trusted channel” that was meant to form a key part of their defense.

We’ve talked before about the significance of supply-chain vulnerabilities, and the difficulty of managing the risks imposed by placing so much trust in third-party providers, in the wake of the SolarWinds and Hafnium incidents. Here we are again – another provider relied on by huge numbers of companies around the world found to be less than perfectly reliable. As usual, the advice is to get some expert guidance before putting more than a few of your eggs into any given basket.

The initial penetration of Kaseya’s systems was likely carried out by independent hackers, who then teamed up with the renowned REvil group to carry out the final attacks and operate the complex process of extorting large numbers of victims.

REvil provided not only the malware deployed via Kaseya’s VSA product, but also negotiated both with Kaseya themselves (demanding $70 million for a mass decryptor covering all of Kaseya’s affected clients, which was not paid) and with individual companies impacted. They would also have managed the distribution of any funds harvested from the attack.

However, with so much public attention grabbed by the incident and its side-effects, which included the closure of 800 branches of a Swedish grocery chain, US President Joe Biden was moved to stand up and speak out about the growing ransomware epidemic. His strongly-worded warning to Russian leader Vladimir Putin, threatening to take action if Russia did not, was not expected to have much impact – Russia has long been tolerant of cybercriminals operating from its territory, working on an unspoken agreement that as long as Russian firms and citizens are not targeted, the crooks can do pretty much what they want.

It was a surprise to most observers, then, when the REvil group’s online operations, on both the normal and “dark” webs, suddenly disappeared on July 13th. It’s unlikely that the US had followed through on its threat, given the lack of gloating press releases, and even less likely that Putin’s government did more than put in a friendly word of warning to REvil that things were getting a little too much attention. The most likely story is that REvil’s operators decided to reduce their profile a little, to do a little re-branding and retrenching before getting back to normal.

With all services offline, some of the Kaseya victims, who paid up to get their systems restored but found the decryptors provided failed to work, are now unable to get support or further assistance. It’s even possible that some of those “affiliate” hackers who made the initial breach didn’t get paid their share of the takings. The victims had no choice over who to negotiate with of course, but those on the other side who’ve found the rug pulled from under them may also be regretting their choice of who to rely on to run key parts of their dubious “business”.

To ensure your supply chain is not putting your organization at additional risk, get in touch with the risk assessment experts at TBG Security.
