The ransomware used in last week's attack on software company Kaseya contained code designed to avoid computer systems whose default language settings come from the former USSR region.
The finding comes from cybersecurity company Trustwave SpiderLabs. The languages the ransomware is built to avoid include Russian, Armenian, Azerbaijani, Ukrainian, Belarusian, Tajik, Georgian, Kazakh, Kyrgyz, Romanian (Moldova), Russian (Moldova), Turkmen, Uzbek, Tatar, Syriac, and Syrian Arabic.
NBC News, which first reported on Trustwave's analysis, said the revelation underscores the freedom ransomware gangs enjoy in Russia and other former Soviet states. These groups are largely free to attack organizations in the West as long as they do not turn their attention closer to home.
“They don’t want to upset local authorities and know that if they do it this way, they can run their business for much longer,” Ziv Mador, vice president of security research at Trustwave SpiderLabs, told NBC News.
In May, security journalist Brian Krebs revealed that DarkSide, another Russia-based ransomware group and the one behind the Colonial Pipeline attack that month, had built a similar list into its code: locales on which the malware should not install itself, sparing Russia as well as former Soviet states that maintain friendly relations with the Kremlin.
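The language check described above for REvil and DarkSide is simple to emulate, and doing so is useful when triaging a sample in a sandbox or deciding which hosts a given family would have skipped. The following is an added example, not code from the article, Trustwave or either ransomware family. It assumes a Windows target and maps the article's language names to Microsoft's standard LANGID constants (the low 16 bits of an LCID); the exact constants and Windows APIs that REvil compares against are not stated on this page, so that mapping and the API choice are assumptions. On Windows it reads the system and user UI language plus every installed keyboard layout; elsewhere it runs on a constructed sample input.

```python
"""Emulate and audit a ransomware-style "home region" language check (added example)."""
import ctypes
import sys
from typing import Iterable, List

# Windows LANGID values for the languages the article lists.  These are
# Microsoft's standard locale constants; which constants the real samples
# compare against is not given on this page, so treat this table as an
# illustrative assumption, not as extracted malware configuration.
AVOIDED_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x0428: "Tajik",
    0x042B: "Armenian",
    0x042C: "Azerbaijani (Latin)",
    0x082C: "Azerbaijani (Cyrillic)",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
    0x0843: "Uzbek (Cyrillic)",
    0x0444: "Tatar",
    0x0818: "Romanian (Moldova)",
    0x0819: "Russian (Moldova)",
    0x045A: "Syriac",
    0x2801: "Arabic (Syria)",
}


def langid(value: int) -> int:
    """Reduce an LCID or a keyboard-layout handle (HKL) to its LANGID.

    For an LCID the low word is the language id and the high word the sort id.
    For an HKL the low word is the input language and the high word the physical
    layout (0xF0xx for layouts loaded from a file).  Either way the language
    identifier lives in bits 0-15.
    """
    return value & 0xFFFF


def skip_reasons(ids: Iterable[int]) -> List[str]:
    """Names of avoided languages present among the given LCIDs/HKLs, sorted."""
    return sorted({AVOIDED_LANGIDS[langid(v)] for v in ids if langid(v) in AVOIDED_LANGIDS})


def would_abort(ids: Iterable[int]) -> bool:
    """True if a sample following the article's rule would exit without encrypting."""
    return bool(skip_reasons(ids))


def collect_windows_language_ids() -> List[int]:
    """Read the signals such a check could use: UI languages and installed keyboard layouts."""
    k32 = ctypes.windll.kernel32
    u32 = ctypes.windll.user32
    u32.GetKeyboardLayoutList.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    u32.GetKeyboardLayoutList.restype = ctypes.c_int
    ids = [
        k32.GetSystemDefaultUILanguage() & 0xFFFF,
        k32.GetUserDefaultUILanguage() & 0xFFFF,
        k32.GetUserDefaultLangID() & 0xFFFF,
    ]
    count = u32.GetKeyboardLayoutList(0, None)      # first call: how many layouts
    layouts = (ctypes.c_void_p * count)()
    u32.GetKeyboardLayoutList(count, layouts)       # second call: fill the buffer
    ids.extend((h or 0) & 0xFFFFFFFF for h in layouts)
    return ids


# Constructed sample inputs (not captured from a real host): a US-English box
# on its own, and the same box with a Russian keyboard layout (HKL 0x04190419)
# added alongside the default US layout.
SAMPLE_US_ONLY = [0x0409, 0x0409, 0x0409, 0x04090409]
SAMPLE_US_WITH_RU_LAYOUT = SAMPLE_US_ONLY + [0x04190419]

if __name__ == "__main__":
    ids = collect_windows_language_ids() if sys.platform == "win32" else SAMPLE_US_WITH_RU_LAYOUT
    print("language ids:", [hex(i) for i in ids])
    print("would abort:", would_abort(ids), skip_reasons(ids))
```

Note that the check keys on the low word of a keyboard-layout handle, so a single added input language is enough to trip it. That is why adding a Russian layout is sometimes cited as a cheap "vaccine" against these families; it is my observation rather than the article's, and it is not a defense to rely on, since nothing stops an operator from removing the check or limiting it to the UI language.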
Kaseya relies on a slow and steady approach to recovery
Kaseya had intended to restore its SaaS services earlier, but the restoration has now been postponed to Sunday 11 July at 9 p.m. BST.
In a video message posted on the company's page about the incident, CEO Fred Voccola said the postponement was his decision, calling it “the hardest decision of my career”.
“We had all of the vulnerabilities managed and were comfortable with the release, but third-party engineers made suggestions to add extra layers of protection to keep us safe from things we couldn’t foresee.”
Voccola emphasized that the delay in recovery would make VSA a safer product once it is back up and running.
He also described a financial assistance program for affected customers and said license fee payments would be deferred.
Although the US government has not yet definitively attributed the Kaseya attack to a specific group, the Russian-speaking group REvil claimed responsibility earlier this week.
The group – likely REvil – launched its attack on 2 July. It targeted around 50 managed service providers (MSPs) by exploiting a zero-day vulnerability (CVE-2021-30116) in Kaseya's VSA tool.
A researcher from the Dutch Institute for Vulnerability Disclosure (DIVD) had already reported the bug to Kaseya, but the attackers struck while the company was still working on a patch.
REvil has been extremely active over the past year. In 2020 it began auctioning stolen data on a leak site, and just last month it extorted $11 million from meat-processing giant JBS.
The attack on Kaseya came less than a month after the Geneva summit between President Biden and Russian President Vladimir Putin, at which the two leaders discussed cybersecurity at length.
At the meeting, Biden called on Putin not to give a safe haven to ransomware groups that launch attacks on American companies.
On Wednesday, White House press secretary Jen Psaki said President Biden was considering all options to respond to the recent attack.
“In terms of operational considerations, it is obviously not in our interest to preview this or our blows, as I like to say. The president has a number of options should he decide to take action,” said Psaki.