In cybersecurity history, the US Independence Day weekend in 2021 is not remembered for the restful and relaxing summer celebrations you would normally associate with the 4th of July.
Instead, it’s remembered as the weekend of the notorious Kaseya ransomware attack.
This was ransomware with a difference, and the difference was the sheer scale of the attack and the size of its side effects.
In a typical attack on Company X, critical files and data on X’s network are encrypted by the cybercriminals, disrupting X’s computer systems – often including laptops, servers and network services – and bringing business operations to a complete halt.
Then comes an extortionate demand for Y dollars in bitcoin, where Y is often in the hundreds of thousands and sometimes in the millions: “Give us the money and we’ll get your data back for you.”
When you pay, all you get is a promise
Of course, the criminals don’t actually do the time-consuming work of recovering the files they just encrypted (and even if they offered to do the hard work for you, you almost certainly wouldn’t want to let them back into your network anyway).
The huge sum you pay doesn’t actually bring your data back – it just buys you a promise of recovery, in the form of the passwords needed to decrypt your scrambled files.
That’s why the Sophos 2020 State of Ransomware Survey told us that the average cost of recovering from a ransomware attack for companies that had their own backups and didn’t have to pay the crooks extortion money was nearly $750,000…
…while the average cost for those who had no choice but to pay (or perhaps thought that paying the crooks would somehow short-circuit the traditional complexity of disaster recovery) was almost exactly double that, at just under $1,500,000.
Paying the ransom only buys you the hope of recovering data that you would otherwise have lost forever; it doesn’t complete the recovery process for you.
Another important, and even more depressing, statistic to remember comes from the Sophos 2021 ransomware report, where our survey found that about a third of respondents got hit, and about a third ended up having to pay money to the crooks.
(Of course, given the 2020 data, victims would have known in advance that paying would almost certainly be more expensive, so we assume they simply had no choice, faced with the dilemma of “deal with the devil, or stand by and watch the whole business implode and cost everyone their jobs.”)
There we found that, of those who paid to get decryption passwords, half lost at least a third of their data anyway.
Even more dramatically, a third of them lost at least half their data, and 4% of those surveyed suffered double damage and got nothing back at all – zero, zilch, nada, not a single sausage.
Unfortunately, the Kaseya attack did not follow the usual pattern we outlined above of attacking Company X, encrypting Company X’s files, and blackmailing Company X.
Kaseya makes and sells IT management tools that can, among other things, distribute software updates.
In this case, the cybercriminals used Kaseya’s software in a so-called supply chain attack.
In other words, the crooks used Kaseya’s infrastructure to spread and trigger ransomware infections on Kaseya’s customers’ computers, combining two security weaknesses to spread their malware much further than if they had attacked Kaseya alone.
The first weakness was CVE-2021-30116, a previously unknown bug that allowed an attacker without a password to access Kaseya’s systems management tools and inject unauthorized programs into the next update bundle distributed to clients. The second weakness was that the criminals deliberately dropped their malicious “update” into a special directory on client computers that Kaseya had marked as exempt from local malware scanning. As a result, victims unknowingly downloaded corrupted Kaseya “updates” and then unknowingly installed malware on their own computers, in a location their existing security software had been instructed not to look.
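One defender-side check that the second weakness suggests, as an added example that is not code from the original article or from Kaseya: audit the directories your endpoint protection has been told not to scan, and flag any executable content found there. The exclusion paths and the file listing below are constructed for the example; the actual directory involved is not named on this page.

```python
"""Audit on-access scan exclusions for executable content.

Added example, not from the original article or from Kaseya. Models the
second weakness described above: a directory that security software has
been told not to scan. On a real host the exclusion list would come from the
endpoint product's configuration and the file list from the filesystem.
"""
from pathlib import PureWindowsPath

# Constructed exclusion list standing in for whatever the endpoint product has
# been configured to skip (hypothetical paths, not Kaseya's real directory).
EXCLUDED_DIRS = [
    r"C:\ProgramData\ExampleAgent\working",
    r"C:\Temp\installer-cache",
]

# File types that should never sit unscanned inside an exclusion directory.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".msi"}


def is_under(path: str, directory: str) -> bool:
    """True if path lies strictly inside directory (Windows, case-insensitive)."""
    p = PureWindowsPath(path.lower())
    d = PureWindowsPath(directory.lower())
    return d in p.parents


def find_unscanned_executables(exclusions, files):
    """Return (path, exclusion) pairs for executables inside an excluded dir."""
    hits = []
    for f in files:
        if PureWindowsPath(f).suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue  # data files are not what we are worried about
        for ex in exclusions:
            if is_under(f, ex):
                hits.append((f, ex))
                break
    return hits


# Constructed sample listing: two data files, two executables dropped into
# excluded directories, and one executable in a normally scanned location.
SAMPLE_FILES = [
    r"C:\ProgramData\ExampleAgent\working\state.json",
    r"C:\ProgramData\ExampleAgent\working\agent.exe",
    r"C:\Temp\installer-cache\readme.txt",
    r"C:\Temp\installer-cache\update\payload.dll",
    r"C:\Users\Public\tool.exe",
]

if __name__ == "__main__":
    for path, excl in find_unscanned_executables(EXCLUDED_DIRS, SAMPLE_FILES):
        print(f"UNSCANNED EXECUTABLE: {path} (exclusion: {excl})")
```

Any hit is worth a manual look, and any executable that appears in an excluded directory without a matching change record is worth treating as an incident.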
In the end, it seems the criminals had too much success, as so many victims were affected that the attackers apparently decided it wasn’t worth blackmailing them one by one.
As we said then:
In the end, it almost felt like the gang behind the Kaseya infiltration was overly successful and garnered concerted attention after the attack.
In fact, the crooks decided to go all in by offering a “one size fits all” decryptor – a sort of global site license, if you will; an all-you-can-eat file decryption buffet – for a one-off bulk payment.
The plan might have worked, had the criminals not set the fee at a staggering $70,000,000, but whether they were genuinely hoping to be paid in full, or simply rubbing the world’s nose in it, we may well never know.
Alleged perpetrators identified
In this case, the wheels of justice began to turn quickly and effectively.
In November 2021, the US Department of Justice (DOJ) announced that it had seized assets worth more than $6 million from a still-at-large Russian suspect named Yevgeniy Polyanin, and that Polish authorities had detained a Ukrainian suspect named Yaroslav Vasinskyi as he was crossing the border into Poland.
Poland has an extradition treaty with the US, and Vasinskyi has now been sent to Texas, where he has made his first appearance before a US court to answer for the Kaseya attack:
In the alleged attack on Kaseya, Vasinskyi consistently caused the delivery of malicious Sodinokibi/REvil code [sic] through a Kaseya product that caused the Kaseya production function to deploy REvil ransomware to “endpoints” on Kaseya customer networks. After remote access to Kaseya endpoints was established, the ransomware ran on those computers, resulting in encryption of data on computers of organizations around the world using Kaseya software.
By using the Sodinokibi/REvil ransomware, the accused is said to have left electronic notes in the form of a text file on the victims’ computers. The notes included a web address that led to an open-source privacy network called Tor and the link to a publicly-available website address that victims could visit to recover their files. Upon visiting either website, victims received a ransom note and were provided with a virtual currency address that they could use to pay the ransom. When a victim paid the ransom, the defendant provided the decryption key and the victim was then able to access their files. When a victim didn’t pay the ransom, the defendant usually released the victim’s stolen data or claimed that they sold the stolen data to a third party, and the victims still couldn’t access their files.
Vasinskyi is charged with conspiracy to commit fraud and related computer-related activities, damaging protected computers and conspiracy to commit money laundering.
As the DOJ emphasizes in its press release, following standard practice, the theoretical maximum sentence facing the defendants is a whopping 115 years in prison, although in reality maximum sentences are rarely imposed.