This week’s news focuses on the aftermath of REvil’s ransomware attack on MSPs and customers using zero-day vulnerabilities in Kaseya VSA. The good news is that it has not been as disruptive as we initially feared.
As REvil performed their attack remotely, they never had access to the victims’ networks and thus could not delete backups or steal data.
With the lack of this leverage, victims are restoring from backups rather than paying the ransom.
Sadly, this attack was close to being prevented as Kaseya worked on patches for the zero-day vulnerabilities just as the attacks started.
Due to constant ransomware attacks on US interests, President Biden has once again warned President Putin that Russia needs to arrest the ransomware gangs operating from Russia or the US will take action instead.
Finally, a new ransomware payment tracking site called Ransomwhere was launched this week.
Contributors and those who provided new ransomware information and stories this week include: @VK_Intel, @malwrhunterteam, @serghei, @struppigel, @FourOctets, @DanielGallagher, @Ionut_Ilascu, @fwosar, @demonslay335, @malwareforme, @BleepinComputer, @Seifreed, @jorntvdw, @LawrenceAbrams, @PolarToffee, @LabsSentinel, @coveware, @billseagull, @Malwarebytes, @_johnhammond, @DIVDcsirt, @0xDUDE, @jackhcable, and @pcrisk.
July 4th 2021
Kaseya was fixing zero-day just as REvil ransomware sprung their attack
The zero-day vulnerability used to breach on-premises Kaseya VSA servers was in the process of being fixed, just as the REvil ransomware gang used it to perform a massive Friday attack.
REvil is increasing ransoms for Kaseya ransomware attack victims
The REvil ransomware gang is increasing the ransom demands for victims encrypted during Friday’s Kaseya ransomware attack.
New AvosLocker RaaS
Toffee saw a new RaaS called AvosLocker being promoted on a hacker forum. Appends the .avos extension to encrypted files and drops the GET_YOUR_FILES_BACK.txt ransom note.
July 5th 2021
REvil ransomware asks $70 million to decrypt all Kaseya attack victims
REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files.
CISA, FBI share guidance for victims of Kaseya ransomware attack
CISA and the Federal Bureau of Investigation (FBI) have shared guidance for managed service providers (MSPs) and their customers impacted by the REvil supply-chain ransomware attack that hit the systems of Kaseya’s cloud-based MSP platform.
New STOP Djvu ransomware variants
PCrisk found new STOP ransomware variants that append the .zqqw and .pooe extensions.
July 6th 2021
US warns of action against ransomware gangs if Russia refuses
White House Press Secretary Jen Psaki says that the US will take action against cybercriminal groups from Russia if the Russian government refuses to do so.
Kaseya: Roughly 1,500 businesses hit by REvil ransomware attack
Kaseya says the REvil supply-chain ransomware attack breached the systems of roughly 60 of its direct customers using the company’s VSA on-premises product.
Ransomware statistics for 2021: Q2 report
The second quarter of 2021 marked the biggest ransomware attack on U.S. infrastructure to date. On May 7, The Colonial Pipeline Company, which operates the largest pipeline system for refined oil products in the United States, was infected with DarkSide ransomware. The attack resulted in a six-day shutdown that was only resolved when Colonial Pipeline paid the $4.4 million ransom – a decision that CEO Joseph Blount described as “the right thing to do for our country.”
July 7th 2021
Fake Kaseya VSA security update backdoors networks with Cobalt Strike
Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates.
New STOP Djvu ransomware variant
PCrisk found a new STOP ransomware variant that appends the .zzla extension.
July 8th 2021
Conti Unpacked | Understanding Ransomware Development As a Response to Detection
Not yet two years old and already in its seventh iteration, Ransomware as a Service variant Conti has proven to be an agile and adept malware threat, capable of both autonomous and guided operation and with unparalleled encryption speed. As of June 2021, Conti’s unique feature set has helped its affiliates extort several million dollars from over 400 organizations.
Morgan Stanley reports data breach after vendor Accellion hack
Investment banking firm Morgan Stanley has reported a data breach after attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of a third-party vendor.
‘Barely able to keep up’: America’s cyberwarriors are spread thin by attacks
Charles Carmakal has a problem: Ransomware has become so prolific that he has too much business.
REvil victims are refusing to pay after flawed Kaseya ransomware attack
The REvil ransomware gang’s attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments.
New Ransomwhere site launched
Jack Cable launched a ransom payment tracking site called Ransomwhere.
New ransomware hunt
Michael Gillespie is looking for a new ransomware that appends the extension .nohope and drops a ransom note named NOHOPE_README.txt.
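Several entries this week give only two indicators for a family: the extension appended to encrypted files and the name of the dropped ransom note (.avos with GET_YOUR_FILES_BACK.txt, the STOP Djvu .zqqw, .pooe and .zzla extensions, and the unidentified .nohope sample with NOHOPE_README.txt). The script below is an added example, not code from BleepingComputer or any of the researchers credited above; it turns those indicators into a quick filesystem sweep that reports, per family, how many encrypted files and ransom notes were found and in which folders. The indicator table is taken from the entries above; the directory layout in build_sample_tree() is constructed test data.

```python
"""Sweep a directory tree for this week's ransomware extension and ransom-note
indicators (added example, not from the original article)."""
import os
import tempfile
from collections import defaultdict

# family -> (extensions appended to encrypted files, ransom-note file names),
# as reported in the entries above
INDICATORS = {
    "AvosLocker": ({".avos"}, {"GET_YOUR_FILES_BACK.txt"}),
    "STOP Djvu": ({".zqqw", ".pooe", ".zzla"}, set()),
    "unknown (.nohope)": ({".nohope"}, {"NOHOPE_README.txt"}),
}


def classify(name):
    """Return (family, "note" | "encrypted") for a file name, or None.

    Ransom-note names are matched exactly; extensions are matched
    case-insensitively because encryptors do not always preserve case."""
    lower = name.lower()
    for family, (exts, notes) in INDICATORS.items():
        if name in notes:
            return family, "note"
        for ext in exts:
            if lower.endswith(ext):
                return family, "encrypted"
    return None


def sweep(root):
    """Walk root and tally hits per family.

    Returns {family: {"encrypted": n, "notes": n, "dirs": set(relative dirs)}}.
    Only the file names are inspected, so the sweep is safe to run on a
    mounted image or a share without opening any file."""
    hits = defaultdict(lambda: {"encrypted": 0, "notes": 0, "dirs": set()})
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            res = classify(fname)
            if res is None:
                continue
            family, kind = res
            rec = hits[family]
            rec["encrypted" if kind == "encrypted" else "notes"] += 1
            rec["dirs"].add(os.path.relpath(dirpath, root))
    return dict(hits)


def build_sample_tree():
    """Constructed sample share (assumption, not real victim data): STOP-encrypted
    documents in 'finance', AvosLocker files plus its note in 'hr', and a clean
    'it' folder whose README.txt must not trigger a note match."""
    root = tempfile.mkdtemp(prefix="iocsweep_")
    layout = {
        "finance": ["report.xlsx.zqqw", "budget.docx.pooe", "memo.txt"],
        "hr": ["contract.pdf.avos", "GET_YOUR_FILES_BACK.txt"],
        "it": ["setup.exe", "README.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("x")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for family, rec in sorted(sweep(root).items()):
        print(f"{family}: {rec['encrypted']} encrypted file(s), "
              f"{rec['notes']} ransom note(s) in {sorted(rec['dirs'])}")
```

Point sweep() at a mounted disk image or a file share rather than the sample tree to use it in practice. Extensions such as .pooe and .zqqw are distinctive enough to match on their own; for families whose extension collides with a legitimate one, the ransom-note name is the safer indicator, which is why the two are kept separate in the tally.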
July 9th 2021
Kaseya warns of phishing campaign pushing fake security updates
Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates.
Insurance giant CNA reports data breach after ransomware attack
CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March.
That’s it for this week! Hope everyone has a nice weekend!