Ransomware and Supply Chain Attack

A ransomware attack compromised Kaseya, a software company whose IT management and support products are delivered through managed service providers (MSPs). Following the pattern observed during the SolarWinds incident, the threat actors targeted the software vendor and injected malicious code into a fraudulent product update.
By compromising Kaseya, the attackers gained access to the networks of all customers. This attack category is designated a “Supply Chain Attack”.
U.S. President Joe Biden addressed the cyber incident, stating: “Initial assessment suggested it was not the Russian government, but we are not certain”.
Impact Assessment
This ransomware attack resulted in operational disruption affecting at least a dozen IT support firms relying on Kaseya’s remote management tool. In at least one case, threat actors demanded a ransom of 5 million dollars. Estimates indicate approximately 1 000 small and medium-sized enterprises were impacted by the attack.
Malware analysis conducted by security firm Emsisoft attributed the payload to REvil, the ransomware operation that U.S. officials have linked to the JBS Foods compromise.
Technical Intelligence
The ransomware variant deployed for system encryption is REvil. The following technical indicators and IOCs have been associated with this campaign and are tracked through Cybersecurity Advisory channels.
File names associated with compromise:
c:\kworking\agent.exe
C:\kworking\agent.crt
File hashes (SHA-256, MD5 and SHA-1 values, identified by digest length, listed in the order published):
SHA-256: 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
MD5: 7ea501911850a077cf0f9fe6a7518859
SHA-1: e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
SHA-256: e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
MD5: 0299e3c2536543885860c7b61e1efc3f
SHA-1: 682389250d914b95d6c23ab29dffee11cb65cae9
SHA-256: df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
MD5: 835f242dde220cc76ee5544119562268
SHA-1: 8118474606a68c03581eef85a05a90275aa1ec24
SHA-256: dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
MD5: 849fb558745e4089a8232312594b21d2
SHA-1: 1bcf1ae39b898aaa8b6b0207d7e307b234614ff6
SHA-256: d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
MD5: 561cffbaba71a6e8cc1cdceda990ead4
SHA-1: 5162f14d75e96edb914d1756349d6e11583db0b0
SHA-256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
MD5: 4a91cb0705539e1d09108c60f991ffcf
SHA-1: 7895e4d017c3ed5edb9bf92c156316b4990361eb
SHA-256: d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
MD5: 7d1807850275485397ce2bb218eff159
SHA-1: 45c1b556f5a875b71f2286e1ed4c7bd32e705758
SHA-256: cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
MD5: 8535397007ecb56d666b666c3592c26d
SHA-1: 0912b7cecfbe82d6903a8a0dc421c285480e5caa
SHA-256: aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
MD5: 5a97a50e45e64db41049fd88a75f2dd2
SHA-1: 20e3a0955baca4dc7f1f36d3b865e632474add77
SHA-256: 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
MD5: 040818b1b3c9b1bf8245f5bcb4eebbbc
SHA-1: c0f569fc22cb5dd8e02e44f85168b4b72a6669c3
SHA-256: 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
MD5: be6c46239e9c753de227bf1f3428e271
SHA-1: 13d57aba8df4c95185c1a6d2f945d65795ee825b
SHA-256: 81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
MD5: a560890b8af60b9824c73be74ef24a46
SHA-1: c2bb3eef783c18d9825134dc8b6e9cc261d4cca7
SHA-256: 8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
MD5: a47cf00aedf769d60d58bfe00c0b5421
SHA-1: 656c4d285ea518d90c1b669b79af475db31e30b1
SHA-256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
MD5: 18786bfac1be0ddf23ff94c029ca4d63
SHA-1: 3c2b0dcdb2a46fc1ec0a12a54309e35621caa925
SHA-256: 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
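The indicators above are only useful once they are matched against hosts. The following script is an added example and not part of the original page or of any vendor advisory: it reads a hash block in the same whitespace-separated form the page publishes it, sorts each digest into SHA-256, MD5 or SHA-1 by its length, hashes files on disk once for all three algorithms, and flags both digest matches and the two listed file names. The hash list embedded in it is a subset of the page's indicators; the sample file used in the self-test is constructed.

```python
"""Match the file-name and hash IOCs published above against local files.

Added example, not code from the original page. It parses an IOC block in
the run-together form the page uses, sorts digests by algorithm, and checks
files on disk against all three digest sets plus the two file-name IOCs.
"""
import hashlib
import re
from pathlib import Path, PureWindowsPath
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A subset of the hashes published on the page (SHA-256, MD5 and SHA-1 mixed),
# kept in the whitespace-separated form they appear in there.
IOC_TEXT = """
36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
7ea501911850a077cf0f9fe6a7518859 e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
0299e3c2536543885860c7b61e1efc3f 682389250d914b95d6c23ab29dffee11cb65cae9
1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
"""

# File-name IOCs from the page; Windows paths are compared case-insensitively.
IOC_PATHS = (
    PureWindowsPath(r"c:\kworking\agent.exe"),
    PureWindowsPath(r"c:\kworking\agent.crt"),
)

# Hex digest length -> hashlib algorithm name.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")


def classify_hash(token: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else None."""
    t = token.strip().lower()
    if not _HEX.match(t):
        return None
    return _ALGO_BY_LEN.get(len(t))


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Split a whitespace-separated IOC block into one set per algorithm."""
    iocs: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for token in text.split():
        algo = classify_hash(token)
        if algo:  # anything that is not a hex digest is skipped
            iocs[algo].add(token.lower())
    return iocs


def hash_file(path: Path) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in _ALGO_BY_LEN.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_path_ioc(path: str) -> bool:
    """True if a Windows-style path equals one of the listed file names."""
    normalised = str(PureWindowsPath(path)).lower()
    return any(normalised == str(ioc).lower() for ioc in IOC_PATHS)


def scan_files(paths: Iterable[Path],
               iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, digest) for each file whose digest is an IOC."""
    hits: List[Tuple[str, str, str]] = []
    for path in paths:
        if not path.is_file():
            continue
        for algo, digest in hash_file(path).items():
            if digest in iocs[algo]:
                hits.append((str(path), algo, digest))
    return hits


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit in scan_files(root.rglob("*"), load_iocs(IOC_TEXT)):
        print("IOC match:", *hit)
```

Run it with a directory argument to sweep that tree; `matches_path_ioc` is kept separate so it can be applied to paths taken from EDR or process-creation telemetry rather than to a live filesystem. Hashing once for all three algorithms matters because the published list mixes digest types, and a file that matches on any one of them is a hit.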