Categories
Security

Kaseya ransomware strike reveals a disturbing new trend in cyberattacks

Over the same weekend America celebrated its independence, Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, announced it had become the victim of a cyberattack. But this wasn’t your garden variety ransomware assault. Those days appear to be behind us now.

Once again striking the now-endangered supply chain, cybercriminals leveraged a vulnerability in Kaseya’s VSA software against multiple MSPs and their hundreds of small business customers. Where SolarWinds had only recently gained infamy as the country’s largest supply chain attack, Kaseya is eerily reminiscent—and likely not to be the last.

Kaseya ransomware attack: The new normal

On July 2, MSP solutions provider Kaseya started receiving reports of “suspicious things happening” with its VSA software program, a remote-monitoring and management tool for networks and endpoints. Within an hour, the company had shut down its VSA service.

Kaseya CEO Fred Voccola said that less than 0.1 percent of its roughly 40,000 clients were affected by the breach. However, as a provider of technology to MSPs, which in turn provide services to other companies, Kaseya is at the center of a wider software supply chain. Current estimates are that about 1,500 businesses were impacted downstream.

So how did cybercriminals pull off their attack within an attack? This was no ordinary, broad ransomware campaign sweeping up any enterprise fish it might catch in its net. The attack on VSA customers was delivered through an automatic, malicious update of the platform, which pushed the REvil ransomware variant, also known as Sodinokibi.

In order to access the VSA platform and the MSPs using it, cybercriminals first had to breach Kaseya itself. They did so by exploiting a known vulnerability in Kaseya software that the company was actively working to correct. Kaseya had thankfully already rolled out patches to its SaaS VSA clients. But before on-premise customers could receive their fix, threat actors made their move.

During the attack, cybercriminals shut off administrative access to VSA and disabled several protections within Microsoft Defender. If clients didn’t take their VSA servers offline, they were served the malicious update. And if they didn’t have another security vendor layered on top of Defender, they were treated with a ransom note and all of their files were encrypted. Customers of Malwarebytes were shielded from this attack — and, with features such as tamper protection and uninstall protection enabled, any future such attacks.

On July 4, the criminals behind REvil staked claim to the attack and demanded $70 million from Kaseya in return for a universal key, later amended to $50 million. They asserted that more than a million systems were impacted, yet their key could restore all in less than an hour — both controversial and dubious allegations, at best. Still, there’s no doubt they pulled off one of the largest ransomware attacks in history.

In fact, you know you’ve “made it” as a cybercriminal when your attack is used as bait for other phishing scams. In the wake of Kaseya, Malwarebytes researchers discovered opportunistic carrion fish had launched a malspam campaign to exploit companies eagerly awaiting the VSA patch so they could bring the platform back online. The email contained both a malicious link and attachments that dropped the Cobalt Strike RAT.

By July 12, Kaseya had released its patches, disclosed its vulnerabilities, and brought the majority of its VSA servers back online. However, the company remained mum on whether or not it would pay the ransom. The REvil affiliates behind the attack could go around Kaseya to negotiate with each of the 1,500 businesses affected. However, threat actors may be wary of creating thousands of “paper trails” on the Bitcoin blockchain now that law enforcement have trained their eye on cryptocurrency as a means of attribution.

Unfortunately, these more aggressive efforts by authorities don’t appear to be slowing or scaling down cyberattacks — at least, not yet. Assaults against organizations have increased steadily in frequency, volume, and sophistication over the last five years — from exploiting vulnerabilities to breach a single enterprise to using such vulnerabilities to gain administrative access to software used by tens of thousands of companies and their millions of customers.

These cascading attacks on supply chain software like SolarWinds and Kaseya are two data points in a greater, more worrying trend: Organizations are increasingly dependent on Internet-connected remote administration tools, and those tools are rife with flaws. Threat actors are aware of both, and we can expect them to continue to target and exploit those flaws, all while creating chaos in the supply chain, disrupting operations, and raking in the Bitcoin.

Security administrators can no longer look away from a problem that impacts the very tools they rely on to do their jobs. They must identify and ensure all known vulnerabilities for software products used in their organization are patched as soon as possible, and vet new software with an eagle eye. Consistent testing, communicating with employees and customers, and updating IT tools and servers — as well as implementing multiple layers of security — is the type of vigilance required to stave off massive breaches. And even then, it’s no failsafe unless the rest of the security community steps up to meet the challenge of cascading cyberattacks.

We need more security researchers and security-conscious developers to devote time and effort to combatting today’s vulnerabilities and preventing future, similarly-flawed products from entering the market. Software engineers must take greater care with borrowing outdated code from online repositories without testing for errors, such as weak encryption or default passwords. Vendors should also invite third-party reviewers to analyze source code created in-house before providing clients with a software bill of materials itemizing components and vulnerabilities.

The cooperation doesn’t stop there. Countries should better incentivize independent security research so analysts aren’t afraid to report their findings. Bug bounty programs are well and fine, but often their payments aren’t substantial enough to subvert dealings on the gray or black market. This $10 million reward offered by the US government for information leading to the identification or location of a nation-state threat actor is a healthy start, though.

What’s clear is that individuals — and even well-stacked IT departments — can no longer be solely responsible for their own cyber protection. To truly combat these increasingly sophisticated cascading attacks in the future, it will require an institutional shift in thinking that brings the top security minds together in lockstep.

We’ll need international cooperation and aggressive action from government and law enforcement. 360-degree security up and down the supply chain, branching out to fourth- and fifth-tier parties. Smart and secure development of Internet-connected software, as well as layers of security to stop breakthrough breaches. And a collective awareness by all that cybercrime has evolved and we can no longer turn the other cheek.

To learn more about the technical details of the Kaseya attack, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/

Categories
Security

Paying the ransom. Damned if you do, damned if you don’t

There isn’t a person on Earth who would argue that 2020 has been a good year for fighting viruses. Turns out, it’s also been a tough one for ransomware.

While ransomware attacks have been arguably ramping up since 2016, it was 2020 that rained expensive ransom threats down on companies from a wide range of increasingly dangerous and emboldened cybercriminal gangs. Ryuk, Sodinokibi, Maze, and others doubled down on their dastardly deeds by not only encrypting and withholding sensitive data, but threatening to make it public.

In a stunning end-of-the-year development, ransomware actors showed belligerent persistence by cold calling organizations that refrained from paying the ransom or targeting them with an angry Facebook ad campaign. Meanwhile, cybercriminals have increasingly been hanging onto the files of those that do pay the ransom for auction or re-exploitation. It seems like businesses are either damned if they pay the ransom, or damned if they don’t. So what’s the right move?

Ransomware authors push the envelope, emboldened by success

Ransomware authors are having a field day — or rather, a field year. In 2019, the average ransom payment was $41,000. A year later, it was $234,000, about a 470 percent increase. Ransom demands have skyrocketed in 2020, as have their frequency and potency. Even if organizations are following security best practices by ignoring ransom notes and restoring from backups, they can no longer claim victory. In fact, businesses can run into trouble whether they refuse to pay the ransom or pay in full.

Victims of ransomware attacks who don’t compensate their captors are now rewarded with a not-so-friendly phone call from cybercriminals, marking an escalation in tactics that include threatening to notify journalists of the breach or leaking data onto public sites. Ransomware gangs such as Maze, Ryuk, Conti, and Egregor/Sekhmet have been engaging in these cold calls as far back as August, often dialing from a call center and using a script. The callers make vague threats about continuing to monitor victim endpoints and issue an ultimatum: Pay up now or the problems with your network “will never end.”

To add insult to injury, the threat actors behind Ragnar Locker ransomware have cooked up a similar scheme, this time pressuring victims into paying via fraudulent Facebook ads. According to Brian Krebs, one such ad was taken out against Italian beverage company Campari Group, which had already publicly acknowledged a malware attack. Cybercriminals used hacked accounts to pay for the ads, which Facebook did eventually detect as a scam, but not before displaying them to thousands of people.

On the flip side, ransomware gangs are increasingly failing to make good on their promise of deleting stolen data once the ransom has been paid. Back in 2019, Maze introduced the idea of double extortion — ransoming data plus threatening to release it publicly — and other ransomware operators followed suit, dumping sensitive files onto data leak sites. Over the summer, Sodinokibi took this a step further. When threatening victims to pay up didn’t work, they began auctioning off their stolen data online, charging hefty prices to the highest bidder (often a competitor).

These tactics reveal an uncomfortable truth: There’s no way to tell whether a cybercriminal group has actually deleted the files they promise to delete after you pay the ransom. According to Coveware’s Q3 2020 report on ransomware, groups such as Sodinokibi, Conti, Maze, Sekhmet/Egregor, Mespinoza, and Netwalker are using fake data as proof of deletion or even re-extorting the same victim.

So, what’s an IT/security professional to do? The FBI has flip-flopped on its official position about whether organizations should pay the ransom, first staying mum on the topic, then stating unequivocally that the ransom should never be paid. For a while, many in the security industry were inclined to agree. But that’s a tough pill to swallow for individuals. Would you pay a $200 ransom to return your PhD thesis, which represents months of work? What about for pictures of your baby’s first year?

As ransomware actors become more and more aggressive — not just stealing data and threatening to release it, but interrupting operations in hospitals, schools, and cities — some in the security industry have changed their tune. There are many who believe that in rare cases, organizations should try to negotiate for their most important files back. An entire industry of ransomware insurance providers has popped up to provide companies with cover, should their files be ransomed for exorbitant amounts.

The long and short of it is there’s no one-size-fits-all answer when it comes to ransomware. Once again, the best defense against this threat is to avoid infection in the first place. If your security software doesn’t protect against the ransomware authors mentioned above, you may want to consider investing in additional protection.

Categories
Security

Maze ransomware group calls it quits… maybe

2020 has claimed victim nearly 200,000 small businesses across the United States — a gut punch of a statistic. But there’s one group closing up shop that I won’t shed any tears over: Maze ransomware.

Last week, the notorious Maze ransomware group known for corporate targeting and data extortion schemes announced they are shutting down operations. So why aren’t security folks like me rejoicing? First, we’ve seen ransomware families disappear before, only to come back with a smarter business plan for distribution or key updates that increase their potency. Second, never trust the word of a cybercriminal.

Back in May 2019, Malwarebytes researchers discovered a new strain of ransomware known as Maze, distributed via the Fallout exploit kit. Soon after, we found that Maze was spreading indiscriminately through other exploit kits, such as Spelevo, as well as through spam campaigns using documents laced with malicious macros.

As time went on, Maze operators began to adopt a more targeted approach, likely looking for a higher return on investment. They began going after organizations with spear phishing campaigns or by exploiting vulnerabilities in exposed infrastructure. Nothing new there. However, Maze was a pioneer in some regards, as it was one of the first to threaten its victims with leaking sensitive data if the ransom was not paid. Its authors also adopted clever tricks to evade detection by leveraging virtual machines to encrypt files.

Rumors began months ago that the threat actors behind Maze ransomware might be abandoning ship, as several of its affiliates switched to an up-and-coming ransomware family known as Egregor, which likely shares some of its code with Maze. In fact, it’s possible that former Maze developers are the ones behind the Egregor project, which would explain the recruitment of their affiliates.

On November 1, coincidentally my birthday, the group behind Maze released a statement claiming that they were done for good. The error-laden message (more of a rant) went on to claim that the future will be lived entirely online, therefore Maze’s efforts were meant to help prepare companies by forcing them to increase their security — typical rhetoric among delusional criminals who try to reframe their acts as benevolent.

There’s no doubt the Maze developers and distributors made enough money to call it a day. Their so-called press release is perhaps a distraction meant to hide conflicts or internal disagreements. It could also be a smokescreen for a potential shift to Egregor. When a cybercriminal says, “We never had partners or official successors,” you can count on the opposite to be true.

Whether Maze is actually gone, we can’t yet say for sure. We thought Ryuk had vanished earlier in 2020, only to have it return. At the same time, the affiliate shift to Egregor is reminiscent of the shift away from GandCrab to Sodinokibi ransomware in 2019.

Unfortunately, history has shown us that when a crime group decides to close their doors, it’s rarely because they have seen the error in their ways. Because of this, it’s best to continue to guard against, at the very least, the types of attack vectors used by Maze ransomware. I suggest:

  • Updating software and hardware to shore up vulnerabilities (protecting against exploit kits)
  • Boosting protection against brute force attacks and exposed RDP ports
  • Increasing employee awareness on sophisticated spear phishing tactics
  • Segmenting sensitive data into more restrictive servers

For more information on the Maze ransomware group’s retirement, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/maze-ransomware-gang-announces-retirement/

For an in-depth threat spotlight on Maze ransomware’s capabilities: https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist

For TechCrunch’s take on Maze’s retirement: https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down