July 6, 2021 | 5 minute read
As a spate of ransomware attacks continues to dominate the headlines, the infamous REvil ransomware gang has upped the ante significantly with a wide-ranging operation suspected to have impacted thousands of small-to-midsize businesses through the compromise of a leading IT services provider.
Reports indicate that the REvil gang’s supply chain attack exploited the Kaseya VSA remote management service to propagate the ransomware to multiple targets by way of Managed Service Providers who use the software to service clients across the globe.
REvil is the same threat actor that hit meatpacking giant JBS with a ransomware attack at the beginning of June, shutting down a good portion of the company’s production capabilities and threatening to create supply chain disruptions and sharp increases in the cost of goods.
Back in April of 2019, the Cybereason Nocturnus team first encountered and analyzed the REvil ransomware (aka Sodinokibi, Sodin), a notoriously aggressive and highly evasive threat that takes many measures to maintain obfuscation and prevent detection by security tools.
The Cybereason Defense Platform has consistently proven to detect and block REvil ransomware. Cybereason customers have been protected from this threat since it emerged in 2019, as are the customers of our Managed Services Provider partners in the wake of the Kaseya supply chain compromise:
The Cybereason Defense Platform Detects and Blocks REvil Ransomware
Over time, REvil has become the largest ransomware cartel in operation to date. Subsequent attacks attributed to the REvil gang include a March 2021 attack against Taiwanese multinational electronics corporation Acer, where the assailants demanded a record-breaking $50 million ransom.
In April, the REvil gang attempted to extort Apple following an attack against one of the tech giant’s business partners, demanding a $50 million ransom and threatening to raise the demand to $100 million and release the exfiltrated data should payment not be made promptly.
Much like the DarkSide ransomware gang that struck Colonial Pipeline in early May, the REvil gang follows the double extortion trend, where the threat actors first exfiltrate sensitive information stored on a victim’s systems before launching the encryption routine.
After the ransomware encrypts the target’s data and issues the ransom demand for payment in exchange for the decryption key, the threat actors make the additional threat of publishing the exfiltrated data online should the target refuse to make the ransom payment.
This means the target is still faced with the prospect of having to pay the ransom regardless of whether or not they employed data backups as a precautionary measure, and underscores the need to take a prevention-first security posture.
At the time of publication of this report, the exact chain of events that enabled at least 1000 businesses to be infected by the REvil ransomware is not entirely clear. According to Huntress’s investigation, one possibility is the exploitation of the web interface of Kaseya’s VSA Servers (software used by Kaseya customers to monitor and manage their infrastructure), which enabled authentication bypass and remote code execution.
In addition, the Dutch Institute for Vulnerability Disclosure (DIVD) has revealed that it had alerted Kaseya to a number of zero-day vulnerabilities in the VSA software (CVE-2021-30116) that were used in the ransomware attacks.
Screenshot from the REvil Website
Full attack tree as shown in the Cybereason Defense Platform
Once the attackers gain access to the targeted environment, the Kaseya Agent Monitor (agentmon.exe) is used to write a base64-encoded file named “agent.crt” (the encoded ransomware dropper) to the path “c:\kworking\”.
After it writes the encoded payload to disk, agentmon.exe executes a single command line that chains together the following commands:
Full command line executed by “agentmon.exe”
Ping command line
Powershell command line disabling Windows built-in security and antivirus settings
Cert.exe (renamed CertUtil.exe) is used to decode the previously dropped “agent.crt” file to “agent.exe”, which is then executed:
Renaming CertUtil.exe and execution of dropper
The ransomware dropper (agent.exe) is signed with the certificate “PB03 TRANSPORT LTD.” The Certificate appears to have only been used by REvil malware that was deployed during this attack:
The certificate used to sign REvil ransomware
To add a layer of stealth, the attackers used a technique called DLL side-loading. Agent.exe drops an outdated version of “msmpeng.exe”, the Windows Defender executable, that is vulnerable to DLL side-loading.
The dropper then writes the ransomware payload to disk as the module “mpsvc.dll” next to it, so that “msmpeng.exe” loads and executes it. Because a process resolves a DLL from its own directory before the system directories, the planted “mpsvc.dll” is picked up instead of the legitimate one, and the ransomware runs under the name of a Microsoft-signed Defender binary, which is exactly what image-name-based allowlists tend to trust:
Extraction and execution of the payload in IDA
Similar to the agent.exe dropper binary, the ransomware payload DLL is signed with the same certificate. Analysis of the DLL binary showed that it is the REvil ransomware. Once execution is passed to the module, it runs the command “netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes”, which enables the Network Discovery firewall rule group so that other Windows systems on the local network can be discovered. It then starts to encrypt the files on the system, eventually dropping the following ransom note:
REvil ransom note
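The chain described above (agent.crt staged by agentmon.exe, PowerShell disabling Defender, a renamed certutil decoding the dropper, msmpeng.exe and mpsvc.dll dropped together, and the netsh Network Discovery change) maps directly onto a handful of behavioral rules. The following is an added example written for this article; it is not Cybereason’s code and contains nothing taken from the Kaseya or REvil samples. The Sysmon-like event schema, the Kaseya install path, the C:\Windows drop paths, the expected Defender install directories and the exact Set-MpPreference switch are all assumptions: the page only states that PowerShell disabled built-in security settings and that the binaries were dropped by agent.exe.

```python
"""Behavioral hunt for the REvil/Kaseya execution chain described above.

Added example, not Cybereason's code and not taken from the Kaseya or
REvil samples. Events are constructed, Sysmon-like records; field names,
the C:\\Windows drop paths, the Defender install directories and the
Set-MpPreference form are assumptions made for this example.
"""
import re
from pathlib import PureWindowsPath

# Where Defender binaries legitimately live (assumption; tune per fleet).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
DEFENDER_FILES = {"msmpeng.exe", "mpsvc.dll"}

# PowerShell switching off a Defender feature (assumed cmdlet form).
MP_DISABLE_RE = re.compile(r"set-mppreference\b.*-disable\w+\s+\$true", re.I)
# certutil-style decode: "-decode <in> <out>".
DECODE_RE = re.compile(r"-decode\s+(\S+)\s+(\S+)", re.I)
# The netsh command quoted on the page, enabling the Network Discovery group.
NETDISC_RE = re.compile(
    r'advfirewall\s+firewall\s+set\s+rule\s+group="network discovery".*enable=yes', re.I)

# Constructed telemetry: ProcessCreate / FileCreate / ImageLoad records.
AGENTMON = r"C:\Program Files\Kaseya\agentmon.exe"  # assumed install path
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": AGENTMON, "target": r"C:\kworking\agent.crt"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": AGENTMON,
     "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 30 > nul & "
                r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true & "
                r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
                r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & "
                r"c:\kworking\agent.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\cert.exe", "original_name": "CertUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"event": "FileCreate", "image": r"c:\kworking\agent.exe", "target": r"C:\Windows\MsMpEng.exe"},
    {"event": "FileCreate", "image": r"c:\kworking\agent.exe", "target": r"C:\Windows\mpsvc.dll"},
    {"event": "ImageLoad", "image": r"C:\Windows\MsMpEng.exe", "target": r"C:\Windows\mpsvc.dll"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\MsMpEng.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    # Benign noise: the real certutil verifying a certificate; must not fire.
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\certutil.exe",
     "original_name": "CertUtil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -verify C:\\temp\\cert.cer"},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _in_defender_dir(path):
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent.startswith(d) for d in DEFENDER_DIRS)


def hunt(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    findings = []
    # Pass 1: collect inputs handed to a '-decode', so the earlier write of
    # that file can be tied to the decode step (agent.crt -> agent.exe).
    decoded_inputs = set()
    for e in events:
        if e["event"] == "ProcessCreate":
            m = DECODE_RE.search(e.get("cmdline", ""))
            if m:
                decoded_inputs.add(m.group(1).lower())
    # Pass 2: per-event rules.
    for i, e in enumerate(events):
        cmd = e.get("cmdline", "")
        if e["event"] == "ProcessCreate":
            if MP_DISABLE_RE.search(cmd):
                findings.append((i, "defender_tamper"))
            m = DECODE_RE.search(cmd)
            # Renamed copy: PE original filename says CertUtil, image name does not.
            renamed_certutil = (e.get("original_name", "").lower() == "certutil.exe"
                                and _basename(e["image"]) != "certutil.exe")
            if m and (renamed_certutil or m.group(2).lower().endswith(".exe")):
                findings.append((i, "certutil_decode_to_exe"))
            if NETDISC_RE.search(cmd):
                findings.append((i, "network_discovery_enabled"))
        elif e["event"] == "FileCreate":
            target = e["target"]
            if target.lower() in decoded_inputs:
                findings.append((i, "encoded_payload_staged"))
            if _basename(target) in DEFENDER_FILES and not _in_defender_dir(target):
                findings.append((i, "defender_binary_dropped_outside_install_dir"))
        elif e["event"] == "ImageLoad":
            if _basename(e["target"]) == "mpsvc.dll" and not _in_defender_dir(e["target"]):
                findings.append((i, "mpsvc_sideload"))
    return findings


def rules_fired(events):
    """Set of rule names that fired, for a quick triage summary."""
    return {rule for _, rule in hunt(events)}


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

Two design points matter when porting this to real telemetry. The renamed-certutil rule keys on the PE’s original file name rather than the on-disk image name, because the on-disk name is what the attacker controls; and the Defender-binary rules fire on location, not on signature, because both msmpeng.exe and the planted mpsvc.dll can carry valid signatures while sitting in a directory where Defender never runs. Run the rules individually against a week of baseline data before alerting on them; `Set-MpPreference` in particular shows up in legitimate deployment scripts.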
Ransomware attacks are on the rise. A recently released report by Cybereason, titled Ransomware: The True Cost to Business, detailed how malicious actors are fine-tuning their ransomware campaign tactics, and how both the frequency and severity of successful ransomware attacks have tremendous impact on victim organizations and their ability to conduct business.
The full REvil attack involving Kaseya is presented in the Cybereason Defense Platform process tree as an automatically generated Malop™ for a complete view of the attack narrative:
Full attack tree as shown in the Cybereason Defense Platform
The Cybereason Defense Platform delivers multi-layer protection that is proven to detect and block REvil ransomware since it emerged in 2019, and continues to allow defenders to protect their organizations from this evolving threat:
Cybereason AI-based NGAV and Anti-Ransomware detects and prevents REvil ransomware
The best ransomware defense for organizations is to focus on preventing a ransomware infection in the first place. Organizations need visibility into the more subtle Indicators of Behavior (IOBs) that allow detection and prevention of a ransomware attack at the earliest stages.
Cybereason delivers industry leading ransomware protection via multi-layered prevention, detection and response, including:
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Tom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting critical networks and incident response. Tom has experience in researching malware, computer forensics and developing scripts and tools for automated cyber investigations.