It is reported that the group modified the update process in order to deliver the encrypting component to a victim’s network.
The business model of REvil is to work through affiliates (partners) and initial access brokers to conduct intrusions on targeted companies. This new approach goes to show that REvil has changed some of their tactics to supplement previous one-off attacks, and instead compromise an entire supply chain, significantly amplifying the reach of the attack.
The analysis of the agent.exe which is believed to be a fake agent file is an interesting aspect of this attack.
SecurityScorecard’s platform and the company’s Investigations & Analysis team have identified a number of vulnerabilities that may have led to the malicious software distribution by compromised Kaseya VSA servers, how it spread, specific identifiers of the malicious actors, as well as key signatures in the software behaviors. The attack was purportedly limited to on-premise instances of Kaseya VSA, and at this time has not been detected across the company’s SaaS instances of Kaseya VSA, or its NOC platform (either on-premise or SaaS). The attack was soon attributed to REvil (aka Sodinokibi) the same group behind the May 1, 2021, JBS food processing ransomware attack. The US Cybersecurity and Infrastructure Security Agency later confirmed the supply chain attack against Kaseya and the multiple MSPs using their VSA software. On the afternoon of July 2, Kaseya announced that its VSA remote management and monitoring software was the vehicle of a ransomware attack targeting a number of managed service providers (MSPs) and their customers.