We have counted over 1,600 ransomware attacks in 2020. As of July 1, we are at around 1,500 for this year. That figure was blown well past the very next day by the activity of the REvil gang and its Sodinokibi ransomware.
One of the group's affiliates has embarked on a large-scale operation: by exploiting a vulnerability in Kaseya VSA's remote management service, it hit the end customers of several managed service providers (MSPs). The gang claims to have compromised more than a million machines around the world and is asking for $45,000 to unlock each one. It reportedly did not take the time to steal data, and is offering a global deal: $70 million for a decryptor covering all affected hosts.
According to Huntress Labs, at least thirty managed service providers in the United States, Australia, Europe and Latin America are affected, impacting more than a thousand companies. The Swedish retailer Coop is one of the victims and had to close its stores because its point-of-sale systems were down. At least 11 schools in New Zealand were also affected. According to our information, no French victim has been reported so far. ESET has not observed any French victims either, but Malwarebytes says it has seen some.
Like the SolarWinds attack, but for the money
This attack recalls the operation carried out via SolarWinds tools that was discovered at the end of last year. The difference is in the motive: SolarWinds was about espionage, this one is about money. The first operation was conducted with discretion; the second was launched with a bang. Either way, it is once again an attack on the software supply chain, here through the management tool MSPs use to administer their clients' machines rather than through a trojanized update.
This type of attack is not new, however. In June 2019, Huntress Labs reported that it was tracking three incidents in which managed service providers' systems had been compromised by ransomware via remote management tools. In that case, the Webroot management console, used by many MSPs, appears to have been hijacked to push Sodinokibi ransomware onto their clients' systems.
One might be tempted to see this as a signature of the REvil group. Before Sodinokibi, it was suspected of operating the GandCrab ransomware, which was propagated at least once by hijacking a plugin designed for data synchronization between ConnectWise and Kaseya VSA.
A vulnerability that was in the process of being patched
The attackers exploited a previously undisclosed vulnerability, CVE-2021-30116. It had been discovered earlier by Wietse Boonstra, a researcher at the Dutch Institute for Vulnerability Disclosure (DIVD). DIVD said in a blog post that Kaseya "was very helpful" and "kept in touch throughout." Patches were ready and on the point of being distributed.
As Brett Callow of Emsisoft points out, the question now is how the cybercriminals got their hands on the vulnerability and exploited it before Kaseya had time to distribute the patch. From there, many other questions arise, in particular about the possibility that Kaseya itself was compromised, not to mention the timing of the operation.