Skip to content

Kaseya VSA Ransomware Attack 2021

Kaseya Ransomware Blogpost

REvil ransomware conducted a massive attack through the Kaseya VSA patch and remote management software that encrypted MSPs worldwide and their customers. The zero-day Kaseya vulnerability was discovered by DIVD researcher Wietse Boonstra and was assigned the CVE-2021-30116 identifier. Kaseya states that REvil used the Zero-day vulnerability in their on-premise VSA service to conduct the attack and that a patch would be released soon.

REvil ransomware gang targeted MSPs with thousands of customers, through Kaseya VSA supply-chain attack. Eight known large MSPs that have been hit as part of this supply-chain attack.

How did it Happen:

Ransomware encryptors called agent.exe were dropped to Kaseya’s TempPath and a VSA procedure called “Kaseya VSA Agent Hot-fix” was used to deploy the encryptor. When agent.exe runs MsMpEng.exe and the encryptor payload mpsvc.dll is dropped into the hardcoded path “c:Windows” to perform DLL sideloading. The mpsvc.dll Sodinokibi DLL creates the registry key HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeBlackLivesMatter which contains several registry values that store encryptor runtime keys/configurations artifacts.

Gartner Report Shows over 90% Ransomware Attacks Preventable

“Gartner report shows that over 90% of ransomware attacks are preventable, security and risk management leaders can mitigate the risk”. Learn more about “Ransomware Risk Assessment

Watch the Live Chat (Building Your Ransomware Security Stack):

What should an organization do to counter Ransomware attacks?

There is no doubt that the best way for organizations to counter ransomware attacks is to be proactive in their security approach. Discovering the Attack Surface should be the key step to identify and mitigate potential ransomware attacks before it is too late. External Attack surface discovery tools can help organizations to adopt an attacker’s approach to discover and validate potential risks.

  • Discover your Attack Surface: Conduct an Initial Assessment to determine your attack surface (including exposed RDP Ports). Using Attack Surface Management (ASM) tools will be very helpful here (specially to identify the exposed assets that you are unaware of).
  • Test Your Security Preparedness & Effectiveness: Test the current state of your security preparedness and effectiveness from your security tools perspective. Test your security controls that help you to understand how prepared you are in case of a real attack.

How can FireCompass help?

At FireCompass, we help organizations to constantly monitor ransomware attack surface and discover potential vulnerabilities in open ports, unpatched servers that are vulnerable to ransomware. We will then perform safe active attacks on the organisation’s systems by simulating scenarios like that of a ransomware actor. We provide successful attack narratives along with possible mitigation strategies.