Kaseya patches VSA vulnerabilities used in recent REvil ransomware attack

Software vendor Kaseya has released a security update that patches the VSA (Virtual System Administrator) zero-day vulnerability used in the recent REvil ransomware attack. The patch comes more than a week after over 60 managed service providers (MSPs) and 1500 of their customers were hit by a ransomware attack whose source was soon identified as Kaseya’s VSA.

Attackers, now known to be the notorious REvil gang, used a vulnerability in Kaseya’s VSA remote monitoring and management software package to distribute a malicious payload through hosts that are managed by the software. The end result was 60 MSPs and over 1500 companies affected by ransomware attacks.

The vulnerabilities in Kaseya’s VSA were discovered in April by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD). According to DIVD, it disclosed the vulnerabilities to Kaseya soon after, allowing the software company to release patches for a number of them before they could be misused. Unfortunately, while DIVD praises Kaseya for its on-point and timely response to the disclosure, malicious parties were able to use the still-unpatched vulnerabilities in their ransomware attack.

The vulnerabilities disclosed to Kaseya by DIVD in April are the following:

Failing to patch 3 of the vulnerabilities in time allowed REvil to use them for a large-scale attack that impacted 60 managed service providers using VSA and their 1500 business customers. As soon as Kaseya noticed what was going on, it warned on-premises VSA customers to shut down their servers immediately until a patch was released. Unfortunately, many companies still became victims of a ransomware attack whose perpetrators demanded up to $5 million in ransom. The REvil gang later offered a universal decryptor for $70 million, the largest ever ransom demand.

The VSA 9.5.7a (9.5.7.2994) update fixes vulnerabilities used during the REvil ransomware attack

On July 11, Kaseya released the VSA 9.5.7a (9.5.7.2994) patch to fix the remaining vulnerabilities that were used in the ransomware attack.

The VSA 9.5.7a (9.5.7.2994) update patches the following:

However, Kaseya cautions that to avoid any more issues, the “On Premises VSA Startup Readiness Guide” should be followed.

Before admins proceed to restore full connectivity between Kaseya VSA server(s) and deployed agents, they should do the following:

The REvil gang appears to have gone dark

The REvil ransomware gang was quickly identified as the perpetrator of the attack. After initially offering a universal decryptor for $70 million, it lowered the price to $50 million. It now appears that REvil’s infrastructure and websites have been taken offline, though the reasons are not entirely clear. REvil’s infrastructure is made up of both clear web and dark web sites that are used for purposes such as leaking data and negotiating ransoms. However, the sites are no longer reachable.

It’s not yet clear whether REvil decided to shut down its infrastructure due to technical reasons or because of the increased scrutiny by law enforcement and the US government. REvil is known to operate from Russia, and US President Biden has been in talks with Russia’s President Putin about the attacks, warning that if Russia does not take action, the US will. Whether that has anything to do with REvil’s apparent shutdown is not yet clear.