At this point, the on-premise deployments on servers have been reported to be vulnerable. Given the visibility and level of access that VSA has inside an organization, the attackers can compromise entire enterprise networks. Kaseya have shut down their software-as-a-service (SaaS) servers as a precautionary measure and it is advised to shutdown any on-premise VSA server.
Many Kaseya servers are being used to deploy the Revil (AKA Sodinokibi) ransomware, since VSA is designed to allow administration of systems with high level privileges. The ransomware will be deployed form a task disguised as “Kaseya VSA Agent Hot-fix” that will leverage PowerShell and will disable multiple features from Windows Defender to evade detection and sandbox submission.
The REvil gang have not posted details on their victims on their blog yet, but request a ransom of 70 million USD in bitcoin for the decryptor as shown in the picture below
The Security Operations Center of Obrela Security Industries want to keep our customers continuously updated of the attack and provide threats mitigation and prevention guidance. SOC has increased its readiness and verbosity over anomalies in SMB traffic, communication to list of suspicious IP addresses and domains, and more.
The ransomware infection is originally initiated by visiting compromised websites.
As such, (a) it requires user interaction asking the user to visit the compromised web site, (b) then it is redirected to 1dnscontrol[.]com, (c) in order to download a fake Flash update (install_flash_player.exe).
This executable file (630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) is the dropper for the malware that infects the target Workstation (the actual malware).
The resulting malware can propagate via SMB, having many similarities to the Petya/Nyetya attack.
It also utilizes a version of mimikatz security tool in order to steal credentials and use them to propagate to other hosts (sim. Nyetya).
Once a windows computer is infected, it reboots the computer, encrypts the hard drive’s master file table (MFT) and replaces the computer’s MBR with its own malicious code to show the ransomware note upon reboot. The encryption of the files is performed by DiskCryptor to do a full drive encryption. Keys are generated and protected by RSA 2048 public key.
As result of this attack, the computer is locked and shows a random note asking victims to pay a bitcoin amount to allow getting control back of their systems.
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da (Dropper)
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 C:\Windows\dispci.exe (diskcryptor client)
682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 C:\Windows\cscc.dat (x32 diskcryptor drv)
0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 C:\Windows\cscc.dat (x64 diskcryptor drv)
579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648 C:\Windows\infpub.dat
2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (mimikatz-like x86)
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (mimikat-like x64)
viserion_
rhaegal
drogon
1dnscontrol[.]com
/flash_install.php
185.149.120[.]3
Argumentiru[.]com
Fontanka[.]ru
Adblibri[.]ro
Spbvoditel[.]ru
Grupovo[.]bg
www.sinematurk[.]com
caforssztxqzf2nm[.]onion