The REvil ransomware gang’s attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments.
When ransomware gangs conduct an attack, they usually breach a network and take time stealing data and deleting backups before ultimately encrypting the victim’s devices.
When a victim is shown proof of stolen data, backups are deleted, and their devices are encrypted, it creates a much stronger incentive for them to pay the ransom to restore their data and prevent the leak of data.
However, the REvil affiliate responsible for this attack chose to forgo standard tactics and procedures. Instead, they used a zero-day vulnerability in on-premise Kaseya’s VSA servers to perform a massive and widespread attack without actually accessing a victim’s network.
This tactic led to the most significant ransomware attack in history, with approximately 1,500 individual businesses encrypted in a single attack.
Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.
The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.
Cybersecurity researchers familiar with the attacks and the targeted MSPs have told BleepingComputer that victims are lucky they were attacked this way as the threat actors did not have regular unfettered access to networks and were forced to use automated methods of deleting backups.
For example, Emsisoft CTO Fabian Wosar extracted the configuration for a REvil ransomware sample used in the attack, and it shows that the REvil affiliate made a rudimentary attempt of deleting files in folders containing the string ‘backup.’
However, this method does not appear to have been successful as an MSP and multiple victims encrypted during the attack told BleepingComputer that none of their backups were affected, and they chose to restore rather than paying a ransom.
Bill Siegel, CEO of ransomware negotiation firm Coveware, told BleepingComputer that this is a similar decision for many other victims of the attack as not one of their clients has had to pay a ransom.
“In the Kaseya attack, they opted to try and impact EVERY Kaseya client by targeting the software vs direct ingress to an MSP’s network. By going for such a broad impact they appear to have sacrificed the step of encrypting / wiping backups at the MSP control level,” Siegel told BleepingComputer.
“This may end up being a bit of a saving grace, even for MSPs that had poorly segmented backups for their clients.”
“While it is certainly impressive that Sodin was able to pull off this exploit, we have not seen the level of disruption that typically follows a single MSP attack where the backups are intentionally wiped or encrypted, and there is no other way to recover data without paying a ransom.”
“The disruption is still bad, but encrypted data that is unrecoverable from backups may end up being minimal. This will translate to minimal need to pay ransoms. “
“Impacted MSPs are going to be stretched for a while as they restore their clients, but so far none of the clients we have triaged have needed to pay a ransom. I’m sure there are some victims out there that will need to, but this could have been a lot worse.”
Those victims who do ultimately pay a ransom will likely only do so because they had poor backups to restore from.
We rarely get to write a positive story about ransomware, and while many companies have had a stressful and disruptive week, it does appear that the majority of victims should be able to get back up and running fairly quickly.