{"id":41956,"date":"2021-07-04T00:00:00","date_gmt":"2021-07-04T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/it-management-platform-kaseya-hit-with-sodinokibi-revil-ransomwa.html"},"modified":"2021-07-04T00:00:00","modified_gmt":"2021-07-04T00:00:00","slug":"it-management-platform-kaseya-hit-with-sodinokibi-revil-ransomware-attack-trend-micro","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/it-management-platform-kaseya-hit-with-sodinokibi-revil-ransomware-attack-trend-micro\/","title":{"rendered":"IT Management Platform Kaseya Hit With Sodinokibi\/REvil Ransomware Attack Trend Micro"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Update as of July 23, 1:48 a.m. EDT: <\/i><\/b>Kaseya, with the help of a third party, has obtained a decryptor tool<\/a> for the victims of the ransomware attack.<\/p>\n

Update as of July 13, 1:34 a.m. EDT: <\/b>Kaseya released its patch<\/a> on July 11, 4:30 p.m. EDT. As of July 12, 7:30 a.m. EDT, its SaaS is now 100% online.<\/a><\/i><\/p>\n

Update as of July 6, 10:37 p.m. EDT:<\/i><\/b> Trend Micro released a free assessment service<\/a> that checks environments for the presence of Kaseya vulnerabilities that are related to this attack.<\/p>\n

Update as of July 6, 12:02 a.m. EDT:<\/i><\/b> Kaseya has confirmed that a patch will be available<\/a> after its SaaS servers go online.<\/p>\n

Update as of July 5, 1:48 a.m. EDT: <\/i><\/b>The Dutch Security Hotline (DIVD CSIRT) has identified<\/a> CVE-2021-30116 as one of the zero-day vulnerabilities used in the ransomware attacks. The Kaseya vulnerability was found as part of research conducted into system administration tools; Kaseya and DIVD-CSIRT were working on a coordinated disclosure release before this incident. In addition, reports of REvil pushing for a deal<\/a> for a universal decryptor have also surfaced.<\/i><\/p>\n

Kaseya, a company that provides IT management software to managed service providers (MSPs) and IT companies, has been hit with a REvil<\/a> (aka Sodinokibi<\/a>) ransomware<\/a> attack at the dawn of the Fourth of July weekend, as reported in the company\u2019s own announcement<\/a>.<\/p>\n

The company describes it as a \u201csophisticated cyberattack\u201d that was geared toward its on-premises VSA product. The company advised all its customers to shut down their on-premises VSA servers until further notice.<\/p>\n

Kaseya has decided to also immediately shut down its software-as-a-service (SaaS) servers as a conservative security measure while investigations are ongoing.  <\/b><\/p>\n

At It Again: REvil Ransomware Actors<\/span><\/b><\/h2>\n

Though technical information about the attack has yet to be released by Kaseya as of this writing, the Cybersecurity and Infrastructure Security Agency (CISA)<\/a> shared that Kaseya\u2019s VSA software was used to push a malicious script.<\/p>\n

The VSA software, which is typically used to distribute software updates<\/a> to customers, was weaponized to push a malicious PowerShell script, which then loaded the REvil ransomware payload onto customer systems. It\u2019s also important to note that non-Kaseya customers could also be affected via their service providers.<\/p>\n

The Sodinokibi\/REvil ransomware (detected as Ransom.Win32.SODINOKIBI.YABGC<\/a>) that affected Kaseya VSA disables certain services and terminates processes related to legitimate software such as browsers and productivity applications. Specifically, it terminates the following processes:<\/p>\n