
Malware University

Class is in Session


Tag: ransomware

Kaseya Bullseye

Posted on July 12, 2021 by admin

Hackers attributed to the REvil group recently exploited an (internally) known 0day in Kaseya software, demanding a ransom of 70,000,000 USD and affecting at least 1000 businesses.

On Friday, July 2, 2021, the incident response team at Kaseya became aware of a security incident involving their VSA software. Hackers used the software to deploy the REvil ransomware into many victims’ environments. The malicious code is side-loaded by a fake Windows Defender app and encrypts files, demanding a ransom for their return. “Kaseya VSA Agent Hot-fix” is the name under which the malware was distributed; it was also seen attempting to disable Microsoft Defender Real-Time Monitoring via PowerShell.
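As an added illustration (not code from the original post, and not the actual Kaseya payload), the following Python detector flags PowerShell script-block log entries that turn off Defender real-time monitoring through Set-MpPreference. The log entries are constructed, and the parameter list is a chosen subset of the cmdlet's real Boolean parameters.

```python
import re
from typing import Dict, List, Optional

# Boolean Set-MpPreference parameters that weaken Defender when set to $true.
# Real parameter names; a subset chosen for this example.
DEFENDER_TAMPER_PARAMS = (
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableScriptScanning",
)

# Constructed sample script blocks, modelled on the ScriptBlockText field of
# PowerShell script-block logging (Event ID 4104). Not real captured data.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true",
    "set-mppreference -DisableRealtime:$true",          # abbreviated parameter
    "Set-MpPreference -DisableRealtimeMonitoring $false", # re-enabling: benign
    "Set-MpPreference -DisableScriptScanning 1",
]

_CMDLET_RE = re.compile(r"\bSet-MpPreference\b", re.IGNORECASE)
# Matches "-Param $true", "-Param:$true", "-Param true" and "-Param 1".
_PARAM_RE = re.compile(r"-(Disable[A-Za-z]*)(?:\s+|:)(\$?true|1)\b", re.IGNORECASE)


def resolve_param(prefix: str) -> Optional[str]:
    """PowerShell accepts any unambiguous prefix of a parameter name, so
    abbreviated tampering must be resolved against the full names."""
    matches = [p for p in DEFENDER_TAMPER_PARAMS if p.lower().startswith(prefix.lower())]
    return matches[0] if len(matches) == 1 else None


def find_defender_tampering(script_block: str) -> List[str]:
    """Return the Defender settings a script block disables, or [] if none."""
    if not _CMDLET_RE.search(script_block):
        return []
    hits: List[str] = []
    for prefix, _value in _PARAM_RE.findall(script_block):
        full = resolve_param(prefix)
        if full and full not in hits:
            hits.append(full)
    return hits


def scan_script_blocks(blocks: List[str]) -> Dict[int, List[str]]:
    """Map the index of each suspicious block to the settings it disables."""
    return {i: h for i, b in enumerate(blocks) if (h := find_defender_tampering(b))}


if __name__ == "__main__":
    for idx, disabled in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"block {idx}: disables {', '.join(disabled)}")
```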

The group sent out a message on July 2:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.”

How did the REvil group know a patch was forthcoming? Did they? It’s improbable this is a coincidence.

Assuming it is not, how were they alerted to the forthcoming patch, which likely forced them to compress their attack timeline? An insider alerting them? A prior compromise and a strong analysis team?

Anything is possible when tens of millions of dollars, or more, are at stake. The most expensive 0days ($1,000,000+) are a drop in the bucket for groups expecting to rake in millions from one successful operation.

Former employees raised several software security concerns with company leaders from 2017 through 2020. These concerns were not fully addressed, as sales were the focus of the business at the expense of other priorities. One employee sent a 40-page memo detailing many security concerns related to the software and was fired two weeks later. Customer passwords were stored in clear text on third-party platforms, among other bad habits.

Shame on Kaseya. Likely one of many professional software firms and IT management companies which fail to adhere to even basic security and administration best practices.

Posted in Campaign Analysis, Current Events. Tagged 0day, kaseya, ransomware.

Ransomware, Insurance, Negligence, and Insiders

Posted on June 6, 2021 by admin

Ransomware has been taking the world by storm since the lockdowns of 2020. With record unemployment due to the forced halting of economies and movement around the globe, some programmers of notable skill were without doubt negatively affected. Surely some have found homes in the rising number of groups engaged in ransoming data and services.

Recent cases such as the Colonial Pipeline and Norsk Hydro hacks, with payouts of $4.4 million and $71 million respectively, show how lucrative such operations are. IT security operations are usually underfunded and notoriously understaffed, if not in headcount then certainly in talent. Such teams are classically seen as “cost centers” to financial types. Even in good times, corporate boards are unwilling to spend the necessary cash to find or develop talent necessary to handle such threats.

As explained by a close contact high up in the financial industry, “Why would we pay millions for talent when it’s cheaper for us to have an adequate insurance policy? It’s not like business leaders are under any threat to themselves [legally] or their companies from a hack.” Risk is calculated by actuaries. So long as their risk is perceived as covered, IT security remains a distant concern only insomuch as governance mandates.

Cyber liability insurance is starting to price in the risk of ransomware by utilizing “sub-limits”. For example, such stipulations may only pay out $25,000 for ransomware incidents, despite the insurance having potentially multi-million dollar limits for other cyber incidents. Without such initiatives companies may never have incentive to practice security measures which could prevent such incidents.

Governing bodies, such as the state of New York, may move to ban municipalities from paying out ransom demands, opting for initiatives such as a “Cyber Security Enhancement Fund” which limits ransom payouts to instead focus on upgrading security posture. The US Department of Treasury has warned companies that facilitate ransomware payments as a third party may face future economic sanctions for encouraging crime and future ransomware payment demands.

The astute reader may wonder how mature organizations are still being crippled by ransomware disrupting mainline systems, given that data backup policies and procedures have been well-defined and in place since at least the 1990s. The current predicament proves the point that many (most?) organizations, even cyber-conscious ones, are failing to adequately cover basic system administration and networking practices. With the “cloud” now opening up perimeters worldwide, the effort of corralling systems and assets is greater still.

History has cooled executives’ worries about negligence and responsibility for data breaches and hacks. Equifax, one of the largest credit bureaus in the USA, received a mere slap on the wrist after hundreds of millions of people’s records were stolen. SolarWinds executives blamed a lowly intern for mismanagement of their server credentials. With no incentive for improvement for improvement’s sake and no pain for neglecting to secure infrastructure digitally, expectations of improved security posture for most organizations seem dire.

How many employees are bribed by outside forces to simply “run a program or command” from their work machines? Russian Egor Kriuchkov was found guilty of bribing a Tesla employee for $1,000,000 to place ransomware in the company’s battery plant network in Nevada. With such large ransoms being paid and the relative ease of insider threat attack models, expect threat actors to increasingly lean on this method in the future.

Posted in Current Events. Tagged backups, colonial, extortion, pipeline, ransomware, solarwinds, tesla.
