Cyber Security Experts Analysis Of REvil Ransomware: Lethal Mix With Powerful Results

BACKGROUND:

Following the news that the REvil ransomware gang executed a mass supply chain attack through IT management software provider Kaseya and demanded $70m in Bitcoin to unlock all affected files, cybersecurity experts commented below on why combining a supply chain attack with ransomware is a lethal mix with powerful results.

Experts' Comments

July 06, 2021
Busra Demir
Senior Solutions Architect
HackerOne

Supply chain attacks remind us that you are only as secure as your weakest link, as many of Kaseya’s customers are now experiencing. This attack is an important reminder for the companies who deliver distributed services, as they are under the spotlight of hackers who are looking for a bigger impact on specific industries.

As an MSP you are not only responsible for your own business but for that of your customers too. Instead of attacking multiple companies and exploiting their various vulnerabilities, or looking for a 0-day in the wild, the cybercriminals took advantage of a company that offers managed services to thousands of businesses to distribute the ransomware and take them down all at once.

The news that Kaseya was working with researchers on the 0-day fix shows how much it came down to a race against the clock. Coordinated vulnerability disclosure helps organisations understand what weaknesses they have but it all hinges on how fast those vulnerabilities can be fixed. It’s no surprise that so many organisations measure the success of their security testing programs on how fast they can fix the vulnerabilities surfaced.

July 06, 2021
Christos Betsios
Cyber Operations Officer
Obrela

Definitely the largest ransomware attack in history; it is really brilliant to combine a supply chain attack with a ransomware attack, especially when you compromise a solution that is designed to allow administration of systems with high-level privileges. It was not long ago that we encountered the SolarWinds supply chain attack, and the industry had just started getting over it; here we go again, facing a similar situation with Kaseya’s IT management software tool, largely used in Managed Service Provider (MSP) environments. Even worse, this is not something new: REvil’s predecessor GandCrab did it twice back in 2019 by using Kaseya’s software to launch their attacks. The key is always to be prepared for the worst-case scenario: even if proper patch management and vulnerability management programs are in place, we are not secure anymore. Attackers will continue to try to compromise big software vendors and distribute their malicious code via them. MDR services are more necessary than ever, since they enable a better understanding of risks and help enterprises respond to detected threats more rapidly.

July 06, 2021
Erwan Keraudy
CEO
CybelAngel

It's not the first time a ransomware gang has attacked a service provider, but it's the biggest attack by far. Like most large attacks, they struck during a major holiday when companies are least prepared for incident response. 

Cybercriminals attacking victims through a supplier is an ongoing trend that we've observed over the last few years. We have seen that with each and every case that occurs, the magnitude of attacks is increasing. This is largely attributed to the fact that, as an organisation's supply chain and digital ecosystems expand, their attack surface grows exponentially along with it. In a few months from now, attacks like SolarWinds may look comparatively small.  

Ransomware can't be called a hypothetical, systemic risk anymore. It's now a systemic issue that is only getting bigger. This is yet another clear illustration of how cybersecurity impacts physical security and the daily lives of all of us, at scale.   

Unfortunately, we expect more and more cases like this to occur. As companies increasingly entrust a large part of their services to single points of failure - think AWS or Google - this is becoming a problem and as such, companies become targets of choice.  

This instance, like many, highlights the increasing need for early threat detection capabilities and "ransomware preparedness". Businesses urgently need to get ahead of threats before attackers beat them to it.

July 08, 2021
Miles Tappin
VP of EMEA
ThreatConnect

This latest ransomware attack by REvil raises the stakes significantly for businesses and government agencies that have not shifted to a risk-led approach to cybersecurity.

The time is now to begin quantifying cyber risk in financial and operational terms, integrating real-world cyber threat intelligence, and automating and orchestrating responses. Organisations must adopt this risk-threat-response approach so they can better understand the potential financial and operational impact of the risks they face, the vulnerabilities being targeted and the adversaries attacking the sector.

If companies share information, while also quantifying the risk they face as a company, they can better prepare themselves, and prevent breaches in the long term.

 

July 06, 2021
Max Locatelli
Regional Director Western Europe
Infoblox

The REvil ransomware attack, which paralysed companies such as the supermarket chain Coop in Sweden, shows once again that anyone can be targeted. Instead of being blackmailed by cyber criminals, organisations need to proactively prepare defences so they are not pushed into paying a multi-million dollar ransom. After all, it is not only the possible loss of data that causes enormous damage to companies, but also the long-term consequences of the loss of trust on the side of customers and partners.

To prevent such damage, companies should rethink their threat prevention strategies. Back-ups are a good option for limiting damage by enabling the IT system to be reset; however, it is much better for companies to be able to detect and defend against the attacks at an early stage. Network visibility is indispensable for this, and companies that want to protect their business proactively and future-proof it in the digital world should take a look at DNS security solutions. Given that a hacker's communication with the malware in the victim's system also runs via DNS, comprehensive insights can help to detect and combat dangerous communication at an early stage, regardless of how large the company is.
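The DNS-based detection that the comment above points to, as an added example that is not part of the original page and not any vendor's product: a small Python script that profiles a DNS query log per registered domain and flags domains whose lookups look like tunnelled command-and-control traffic (a beacon that hides data in many unique, long, high-entropy leftmost labels, often in TXT queries). The log lines, the domain names, the log format and the thresholds are all constructed assumptions for illustration; the entropy and per-domain aggregation are the general technique and apply to any resolver log once parsed.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic), one query per line:
# "<timestamp> <client_ip> <qtype> <qname>". The example-c2.net queries mimic
# a beacon that smuggles data in hex-encoded leftmost labels of TXT lookups.
SAMPLE_LOG = """\
2021-07-02T14:03:11Z 10.0.5.23 A www.example.com
2021-07-02T14:03:12Z 10.0.5.23 A cdn.example.com
2021-07-02T14:03:15Z 10.0.5.23 AAAA mail.example.com
2021-07-02T14:04:01Z 10.0.5.40 TXT 3a9f1c77e20b4d8a5f6e1c9b0a2d.update-check.example-c2.net
2021-07-02T14:04:02Z 10.0.5.40 TXT 7b2e4d90c1f3a6e8d5b7c0a1f2e3.update-check.example-c2.net
2021-07-02T14:04:03Z 10.0.5.40 TXT c4d8e1f2a3b6c9d0e5f7a8b1c2d3.update-check.example-c2.net
2021-07-02T14:04:04Z 10.0.5.40 TXT e0f1a2b3c4d5e6f7a8b9c0d1e2f3.update-check.example-c2.net
2021-07-02T14:04:05Z 10.0.5.40 TXT 9a8b7c6d5e4f3a2b1c0d9e8f7a6b.update-check.example-c2.net
2021-07-02T14:04:06Z 10.0.5.40 TXT 1f2e3d4c5b6a7f8e9d0c1b2a3f4e.update-check.example-c2.net
2021-07-02T14:05:00Z 10.0.5.23 A login.microsoftonline.com
"""


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname):
    """Last two labels as the registered domain. Simplification: a real
    deployment would use the Public Suffix List to handle e.g. co.uk."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; hex or base32 payloads score near 4-5,
    dictionary-word hostnames far lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(records):
    """Aggregate per registered domain the indicators of DNS tunnelling."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                               "label_len": 0, "entropy": 0.0})
    for r in records:
        dom = registered_domain(r["qname"])
        sub = r["qname"][:-(len(dom) + 1)] if r["qname"] != dom else ""
        leftmost = sub.split(".")[0]  # the label that would carry smuggled data
        a = acc[dom]
        a["queries"] += 1
        if r["qtype"] == "TXT":
            a["txt"] += 1
        a["subdomains"].add(sub)
        a["label_len"] += len(leftmost)
        a["entropy"] += shannon_entropy(leftmost)
    stats = {}
    for dom, a in acc.items():
        n = a["queries"]
        stats[dom] = {
            "queries": n,
            "txt_ratio": a["txt"] / n,
            "unique_subdomain_ratio": len(a["subdomains"]) / n,
            "mean_label_len": a["label_len"] / n,
            "mean_entropy": a["entropy"] / n,
        }
    return stats


def flag_suspicious(stats, min_queries=5, min_label_len=20, min_entropy=3.0,
                    min_txt_ratio=0.5, min_unique_ratio=0.9):
    """Flag a domain when it has enough queries and at least two indicators
    fire. Thresholds are illustrative assumptions; tune them per network."""
    flagged = []
    for dom, s in stats.items():
        if s["queries"] < min_queries:
            continue
        reasons = []
        if s["mean_label_len"] >= min_label_len:
            reasons.append(f"long leftmost labels ({s['mean_label_len']:.0f} chars)")
        if s["mean_entropy"] >= min_entropy:
            reasons.append(f"high label entropy ({s['mean_entropy']:.2f} bits)")
        if s["txt_ratio"] >= min_txt_ratio:
            reasons.append(f"TXT-heavy ({s['txt_ratio']:.0%} of queries)")
        if s["unique_subdomain_ratio"] >= min_unique_ratio:
            reasons.append("almost every query uses a new subdomain")
        if len(reasons) >= 2:
            flagged.append((dom, reasons))
    return flagged


def detect(text):
    """Parse, profile and flag in one call; returns [(domain, [reasons])]."""
    return flag_suspicious(profile_domains(parse_log(text)))


if __name__ == "__main__":
    for dom, reasons in detect(SAMPLE_LOG):
        print(f"{dom}: " + "; ".join(reasons))
```

Requiring two independent indicators before flagging is what keeps legitimate CDN and cloud hostnames (which often have one odd property, such as a single long hashed label) out of the alert queue, while a tunnelling beacon trips several at once. Feed it the export from whatever resolver or DNS security platform is in place and start with a low `min_queries` only for domains first seen in the last few days.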

July 06, 2021
Adam Enterkin
SVP, EMEA
BlackBerry

Acting as a RaaS, REvil relies on affiliates or partners to perform its attacks. The REvil developers receive a percentage of all proceeds from ransom payments. Because the ransomware is distributed by different entities, the initial infection vector can vary; typically, this is either via phishing campaigns, brute force attacks to compromise RDP, or through software vulnerabilities. REvil has not yet been caught, and ransomware-as-a-service will only continue to grow.  

However, organisations can avoid becoming victims by stopping malware at the exploitation stage through increasing resilience, reducing infrastructure complexity, and streamlining security management. Endpoint detection and response (EDR) focused solutions often take action too late and cannot always stop breaches. Prevention is the best strategy; stopping attacks before they execute. This is entirely possible with next generation solutions that use AI to identify and block malware. Organisations must lead with a prevention-first approach using the fullest capabilities of AI.

July 06, 2021
Natalie Page
Cyber Threat Intelligence Analyst
Talion

This attack came just in time for companies across the US to log off, ready to enjoy the long weekend for Independence Day. This meant fewer staff would be available to react and attempt to slow down the spread of this incident. The attack has been confirmed as the largest ransomware attack to be conducted late at night, over a weekend.

The current advice on Kaseya’s website is for customers to keep their VSA servers offline until further instruction and that the patch shall be released prior to these customers restarting their servers. Compromised customers should await contact from Kaseya, and they should also be aware of the compromise detection tool that has been released by Kaseya for download to analyse their customers' systems.

July 06, 2021
Steven Hope
CEO and co-founder
Authlogics

Ransomware is all the rage at the moment, and because it is so profitable it isn't going away any time soon. Some attacks are achieved through known security flaws in unpatched systems; many are successful simply thanks to poor system design and weak authentication. Keeping patches up to date shouldn’t be hard to do in 2021, as it has been an industry best practice for decades. However, until recently effective tools to manage the full password lifecycle have been limited. Lack of proper password security is what affected Colonial Pipeline in the US too, and they won’t be the last. Changing your password every month or so and making it more “complex” simply is not enough. Even if you have MFA, the password is still often heavily used. It is critical to constantly monitor new and existing passwords to see if they are known to be breached; if not, you are leaving the front door wide open. Luckily solutions do exist that solve this problem, although they are not commonly deployed, as people often assume they won't get hit next.
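The breached-password check the comment above calls for, as an added example that is not from the original page and not Authlogics' product: a Python implementation of the k-anonymity "range" lookup used by the Have I Been Pwned Pwned Passwords API, in which only the first five hex characters of the password's SHA-1 hash leave the host and the 35-character suffix is matched locally against the suffixes the service returns for that prefix. The range response body and its breach counts are constructed stand-ins so the code runs offline; the endpoint URL in the comment is the real one but is never called here, and the minimum-length policy is an assumption.

```python
import hashlib

# Constructed stand-in for the body a Pwned-Passwords-style "range" endpoint
# returns for hash prefix 5BAA6: one "<35-hex-char suffix>:<breach count>"
# per line. Real responses hold hundreds of suffixes; these counts are invented.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # SHA-1 suffix of "password"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
        "0FB4CA5E2A0F5B7D3C8E9A1B2C3D4E5F6A7:17\r\n"
    ),
}


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Assumed transport. A live client would GET
    https://api.pwnedpasswords.com/range/<prefix>; this offline version
    serves the constructed table so the example runs without network."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in the breach corpus (0 if never).
    Matching happens locally, so the service only ever learns the prefix."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def evaluate_password(password, min_length=12, fetch=fetch_range):
    """Policy check: minimum length plus 'not known breached', in place of
    forced periodic rotation. Returns a verdict a signup or reset flow can act on."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch)
    if seen:
        reasons.append(f"appears {seen} times in known breaches")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2021"):
        print(repr(pw), "->", evaluate_password(pw))
```

The same prefix-bucket matching works against an on-premises copy of a breach corpus, which is how existing credentials get monitored without the plaintext ever being available: export the stored hashes, bucket them by prefix, and compare suffixes locally. New passwords are checked at the moment they are set, which is the only time the plaintext is in hand.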

July 06, 2021
Kelvin Murray
Senior Threat Research Analyst
Webroot

SMBs are the number one target for cybercriminals and account for most of the criminal cash made. Breaching a managed service provider (MSP) is a great way to infect many SMB businesses with ransomware and other nasties quickly. Considering the trust businesses put into their MSP and the high level of access they are often afforded, it's not hard to see how breaching an MSP could lead to the breaching of their customers.

In 2019 alone, 13 MSPs were victims of a breach that resulted in their clients being hit with ransomware. Although poisoned updates were responsible in this case, we would still recommend that clients of MSPs always have the latest versions of their client software installed, including the agents from remote monitoring and management (RMM) tools.

Backups are essential in cases such as these and others, and we would recommend that all organisations have a plan for one or more major machines being completely put out of action. 2021 has seen the world political and legal heavyweights weigh in on what is truly a global crisis (ransomware), and one would hope that we will see progress in this space soon.

July 06, 2021
Jake Moore
Cybersecurity Specialist
ESET

Combining a supply chain attack with ransomware is a lethal mix with powerful results. Both lines of attack are feared by those in charge of their networks but when fused together, the victims are multiplied and the money involved can be astronomical. There will be huge initial pressures to restore the affected business networks but many will be forced to pay the demands simply because it remains the cheaper option.  

The supply chain attack is a cunning way to enter a network on the back of a third party’s prior trust, and the damage has been shown to be catastrophic. Although it may have taken the attackers more time and sophistication to inject the malicious code into the supplier’s software, once in, they can piggyback into every connected vendor’s software unnoticed and unscathed.

Fingers will be pointed and no doubt insurance calls will be made but this new wave of organised and tailored attacks is something we will have to come to expect in the future.
