The two largest threats to cybersecurity are supply chain attacks and ransomware attacks, but a combination of the two creates a new sinister breed of cyber threat.
The target was Florida-based IT company Kaseya. REvil compromised Kaseya VSA servers and are currently using them to deploy and distribute their ransomware.
The ransomware encryptors are contained in the file agent.exe. When this file is activated, both an old yet legitimate, copy of Windows Defender MsMpEng.exe, and the encryptor payload mpsvc.dll. are dropped into the C:\Windows path to DLL sideload - a process where a malicious DLL file is loaded in place of a legitimate one.
Several hundred organizations were impacted, including Kaseya VSA software customers and multiple Managed Service Providers (MSP) that use the VSA solution.
Sweden suffered a heavy blow. State railways and a major pharmacy chain were affected, as well as 800 stores from the grocery chain Coop.
The Cybersecurity & Infrastructure Security Agency (CISA) recommends impacted organizations follow Kaseya’s advice of immediately shutting down all VSA servers until further notice
The cyberattack occurred on the Friday of the 4th of July holiday weekend, sparking speculation that the attack was motivated by political tensions rather than financial gain, like most ransomware attacks.
REvil is a family of ransomware developed by a Russian cybercriminal group. The ransomware is detected in antivirus scans as Ransom.Sodinokibi. REvil threat actors have achieved a reputation of launching some of the most devastating ransomware attacks against high-profile organizations.
Investigations are still ongoing, but the impact of this cyberattack is expected to be colossal.
Each confirmed victim so far provides services to customers, that might eventually discover that they’ve also been breached. Such a pernicious domino effect occurred with the Accellion supply chain attack.
But unlike historical supply chain attacks, this one is very different. Victims are being infected with ransomware, where sensitive data is encrypted and only liberated if a ransom is paid, which, on average costs $170,000.
If victim behavior aligns with statistical trends, almost half will pay a ransom, funding future attacks, and only 29% will restore their seized files, whether or not a ransom is paid.
These figures, as disturbing as they are, only correspond to ransomware attack events. They could shift dramatically when the destructiveness of ransomware is coupled with the pervasiveness of a supply chain attack.