Klaralven

(7,510 posts)
Sat Jul 3, 2021, 07:25 AM Jul 2021

REvil ransomware actors attack Kaseya in supply chain attack

Attackers are actively exploiting the Kaseya VSA endpoint monitoring software to conduct a widespread supply chain attack targeting a number of Managed Service Providers (MSPs), according to multiple reports. Organizations usually use Kaseya VSA to perform centralized orchestration of systems in customer environments.

Attackers first infected victims via a malicious automatic update to the software, eventually delivering the REvil/Sodinokibi ransomware. Once active in victim environments, the ransomware encrypts the contents of systems on the network, causing widespread operational disruptions to a variety of organizations that use this software. REvil operates using a ransomware-as-a-service (RaaS) model, with affiliates leveraging a variety of tactics, techniques and procedures (TTPs) to infect victims and coerce them into paying to regain access to systems and data that are affected by the ransomware. In many cases, backup servers are also targeted during network-based ransomware attacks, highlighting the importance of a regularly tested offline backup and recovery strategy. A text-based README is written into various directories on the system and functions as a ransom note. An example of one of these files can be seen below:

https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html


Russian-based hackers launch cyberattack on at least 200 IT management firms in the US and demand $5M in ransom despite Biden's threat to Putin of 'retaliation'


The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack
The attack came despite President Joe Biden's threat of 'retaliation' to Russian President Vladimir Putin if they continued
The massive scale of the attack paralyzed the networks of at least 200 U.S. companies on Friday
John Hammond of the security firm Huntress Labs said the criminals targeted a software supplier called Kaseya
Kaseya earlier in the day had said in a press release that the 'potential attack' had been 'limited to a small number of on-premise customers only'

...

Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.

'This is SolarWinds with ransomware,' he said.

https://www.dailymail.co.uk/news/article-9751783/Russian-based-hackers-launch-cyberattack-200-management-firms-US.html

1 reply

#1 captain queeg, Jul 2021:

This is some bad stuff. We need a 00 spy with a license to kill