viralamo

Menu
  • Technology
  • Science
  • Money
  • Culturs
  • Trending
  • Video

Subscribe To Our Website To Receive The Last Stories

Join Us Now For Free
Home
Technology
Up to 1,500 businesses infected in one of the worst ransomware attacks ever
Technology

Up to 1,500 businesses infected in one of the worst ransomware attacks ever

06/07/2021

The word ransom dominates a menacing, red computer monitor.

As many as 1,500 businesses around the world have been infected by highly destructive malware that first struck software maker Kaseya. In one of the worst ransom attacks ever, the malware, in turn, used that access to fell Kaseya’s customers.

The attack struck on Friday afternoon in the lead-up to the three-day Independence Day holiday weekend in the US. Hackers affiliated with REvil, one of ransomware’s most cutthroat gangs, exploited a zero-day vulnerability in the Kaseya VSA remote management service, which the company says is used by 35,000 customers. The REvil affiliates then used their control of Kaseya’s infrastructure to push a malicious software update to customers, who are primarily small-to-midsize businesses.

Continued escalation

In a statement posted on Monday, Kaseya said that roughly 50 of its customers were compromised. From there, the company said, 800 to 1,500 businesses that are managed by Kaseya’s customers were infected. REvil’s site on the dark web claimed that more than 1 million targets were infected in the attack and that the group was demanding $70 million for a universal decryptor.

REvil’s site had been updated to remove an image purportedly showing hard drives with 500GB of data locked up. Ransomware groups often remove information from their sites once ransom negotiations begin as a sign of good faith. Here’s how the image looked previously:

Cybereason

“It is not a great sign that a ransomware gang has a zero day in a product used widely by Managed Service Providers, and shows the continued escalation of ransomware gangs—which I’ve written about before,” security expert and independent researcher Kevin Beaumont wrote.

Advertisement

The mass attack had cascading effects around the world. Swedish supermarket chain Coop on Tuesday was still trying to recover after it shut about half of its 800 stores because point-of-sale tills and self-service checkouts stopped working. Schools and kindergartens in New Zealand were also affected, as were some public administration offices in Romania. Germany’s cybersecurity watchdog, BSI, said on Tuesday that it was aware of three IT service providers in Germany that have been affected. The map below shows where security firm Kaspersky is seeing infections.

Kaspersky

REvil has earned a reputation as a ruthless and sophisticated group, even in notoriously brazen ransomware circles. Its most recent big-game victim was meatpacking giant JBS, which in June shut down a huge swath of its international operations after the ransomware hamstrung its automated processes. JBS ultimately paid REvil affiliates $11 million.

REvil’s previous victims include Taiwanese multinational electronics corporation Acer in March as well as attempt in April to extort Apple following an attack against one of its business partners. REvil is also the group that hacked Grubman Shire Meiselas & Sacks, the celebrity law firm that represented Lady Gaga, Madonna, U2, and other top-flight entertainers. When REvil demanded $21 million in return for not publishing the data, the law firm reportedly offered $365,000. REvil responded by upping its demand to $42 million and later publishing a 2.4GB archive containing some Lady Gaga legal documents.

Still other REvil victims include Kenneth Copeland, SoftwareOne, Quest, and Travelex.

Surgical precision

This weekend’s attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the Kaseya Agent Monitor to gain administrative control over the target’s network. After writing a base-64-encoded payload to a file named agent.crt the dropper executed it.

Advertisement

Here’s the flow of the attack:

Cybereason

The ransomware dropper Agent.exe is signed with a Windows-trusted certificate that uses the registrant name “PB03 TRANSPORT LTD.” By digitally signing their malware, attackers are able to suppress many security warnings that would otherwise appear when it’s being installed. Cybereason said that the certificate appears to have been used exclusively by REvil malware that was deployed during this attack.

To add stealth, the attackers used a technique called DLL Side-Loading, which places a spoofed malicious DLL file in a Windows’ WinSxS directory so that the operating system loads the spoof instead of the legitimate file. In the case here, Agent.exe drops an outdated version that is vulnerable to DLL Side-Loading of “msmpeng.exe,” which is the file for the Windows Defender executable.

Once executed, the malware changes the firewall settings to allow local windows systems to be discovered. Then, it starts to encrypt the files on the system and displays the following ransom note:

Cybereason

The event is the latest example of a supply chain attack, in which hackers infect the provider of a widely used product with the goal of compromising downstream customers who use it. The SolarWinds compromise discovered in December was used to push a malicious software update to 18,000 organizations that used the company’s network management tool. About nine federal agencies and 100 private organizations received follow-on infections.

Anyone who suspects their network has been affected in any way in this attack should investigate immediately. Kaseya has published a tool that VSA customers can use to detect infections in their networks. The FBI and the Cybersecurity and Infrastructure Security Agency have jointly issued recommendations for Kaseya customers, particularly if they’ve been compromised.

Source link

Share
Tweet
Pinterest
Linkedin
Stumble
Google+
Email
Prev Article
Next Article

Related Articles

Microsoft—and Ars—advise split-tunnel VPNs to minimize coronavirus woes
The traditional office VPN routes not just internal office traffic, …

Microsoft—and Ars—advise split-tunnel VPNs to minimize coronavirus woes

Nest users now covered by Google’s ultra-secure Advanced Protection Program
Accounts for Google’s Nest line of smart home devices are …

Nest users now covered by Google’s ultra-secure Advanced Protection Program

Leave a Reply Cancel reply

Find us on Facebook

Related Posts

  • 2020: Our meatless, cashless, city-less future 
    2020: Our meatless, cashless, city-less future 
    11/01/2020
  • SuperData: Games hit $120.1 billion in 2019, with Fortnite topping $1.8 billion
    SuperData: Games hit $120.1 billion in 2019, …
    03/01/2020
  • Beat Saber is now an Oculus studio after Facebook acquisition
    Tesla scouts head to Tulsa, Austin as …
    15/05/2020
  • Microsoft, White House, and Allen Institute release coronavirus data set for medical and NLP researchers
    Microsoft, White House, and Allen Institute release …
    16/03/2020
  • How AI scrubs out fake reviews and amplifies your customer’s voice (VB Live)
    How AI scrubs out fake reviews and …
    14/12/2019

Popular Posts

  • High fossil fuel prices are good for the planet—here’s how to keep it that way
    High fossil fuel prices are good for …
    20/06/2022 0
  • Top 10 Mysteries, Cold Cases & Puzzles …
    23/05/2022 0
  • Ransomware attack on Planned Parenthood steals data of 400,000 patients
    Why it’s hard to sanction ransomware groups
    23/05/2022 0
  • 10 Most Common Mutations in Humans – …
    24/05/2022 0
  • 10 Signs You Might Have Already Been …
    24/05/2022 0

viralamo

Pages

  • Contact Us
  • Privacy Policy
Copyright © 2022 viralamo
Theme by MyThemeShop.com

Ad Blocker Detected

Our website is made possible by displaying online advertisements to our visitors. Please consider supporting us by disabling your ad blocker.

Refresh