As news breaks about the supply-chain ransomware attack against Kaseya's IT management software, here's what we know so far
Just as we were getting over the SolarWinds supply-chain attack, we see Kaseya IT management software, commonly used in Managed Service Provider (MSP) environments, hit by another in a series of supply-chain hacks. As with the SolarWinds incident, this latest attack uses a two-step malware delivery process, sliding through the back door of tech environments. Unlike SolarWinds, the cybercriminals behind this attack apparently had financial gain rather than cyberespionage in their sights, ultimately planting ransomware while exploiting the trust relationship between Kaseya and its customers.
ESET security researchers are tracking this ransomware, which is widely attributed to the REvil gang, whose malware ESET security products detect as Sodinokibi. Our preliminary analysis supports this attribution.
ESET added detection of this variant of the ransomware as Win32/Filecoder.Sodinokibi.N trojan on July 2nd at 3:22 PM (EDT; UTC-04:00). This detection covers both the main body of the ransomware and the DLLs it sideloads. ESET telemetry shows the majority of reports coming from the UK, South Africa, Canada, Germany, the US, and Colombia.
Kaseya, for its part, has rushed to triage the incident and pushed out notifications to those potentially affected, with the advice to shut potentially affected on-premises VSA servers down immediately.
That advice couldn't come too soon. Once the server is infested, the malware shuts down administrative access and starts encrypting files, the precursor to the full ransomware attack cycle. Once the encryption process is complete, the system's desktop wallpaper is set to an image similar to that seen in Figure 2, and the ransom note it refers to looks something like Figure 3, should a victim look for and open it.
The first part of the "readme" filename is randomized.
By one report, hundreds of organizations now have encrypted files within their environments, and are scrambling to contain the damage and notify IT teams to act swiftly.
While vendors like ESET detect this malware, there was a lag between when the affected servers were hit and when support teams and software could respond, giving early infestations time to do their damage.
There are several places where forthcoming information is being disseminated, including the security industry rallying, in real time, around helping customers in whatever way possible.
If you have servers that may be affected, it's important to keep up with news as it emerges and shut down potentially vulnerable machines, or at least isolate them from the network until more information becomes available. Kaseya is also posting regular updates on its website.
Indicators of Compromise (IoCs)
The following files are associated with the Win32/Filecoder.Sodinokibi.N ransomware:
| Filename | SHA-256 hash | ESET detection name |
|---|---|---|
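The IoC table above lists files by SHA-256 hash, and the article notes that the ransom note's filename starts with a randomized prefix before "readme". A defender sweeping a potentially affected VSA host would typically hash every file on disk and compare against the published list, while also flagging candidate ransom notes. The script below is an added example, not ESET's or Kaseya's code: the IoC hashes it uses are constructed placeholders derived from a sample byte string (replace them with the values from the published table), and the ransom-note filename pattern (anything ending in "readme.txt" with a non-empty prefix) is an assumption based only on the sentence above.

```python
"""Hash-based IoC sweep for a directory tree (added example, not vendor code).

Walks a directory, computes the SHA-256 of each file and reports:
  - files whose hash matches an IoC entry (hash -> detection name)
  - candidate ransom notes whose name ends in "readme.txt" with a
    randomized prefix (pattern is an assumption, see lead-in)
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterator, List, Tuple

# Constructed sample bytes standing in for a flagged file. NOT real malware;
# only here so the placeholder IoC below resolves to something hashable.
SAMPLE_FLAGGED_BYTES = b"constructed sample payload for the IoC sweep example"

# Placeholder IoC list: SHA-256 hex digest -> detection name.
# Replace with the hashes from the published IoC table.
IOC_HASHES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_FLAGGED_BYTES).hexdigest(): "Win32/Filecoder.Sodinokibi.N (placeholder entry)",
}

# Assumption: ransom note is "<random prefix>readme.txt"; match case-insensitively.
RANSOM_NOTE_RE = re.compile(r"^.+readme\.txt$", re.IGNORECASE)


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def iter_files(root: str) -> Iterator[str]:
    """Yield every regular file path under root (symlinks are not followed)."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            yield os.path.join(dirpath, name)


def sweep(root: str, iocs: Dict[str, str] = IOC_HASHES) -> Dict[str, List[Tuple[str, str]]]:
    """Return {'hash_matches': [(path, detection)], 'ransom_notes': [(path, sha256)]}."""
    findings: Dict[str, List[Tuple[str, str]]] = {"hash_matches": [], "ransom_notes": []}
    for path in iter_files(root):
        try:
            digest = sha256_file(path)
        except OSError:
            # Unreadable or vanished file: skip it rather than abort the whole sweep.
            continue
        if digest in iocs:
            findings["hash_matches"].append((path, iocs[digest]))
        if RANSOM_NOTE_RE.match(os.path.basename(path)):
            findings["ransom_notes"].append((path, digest))
    return findings


def run_self_demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build a constructed directory (one flagged file, one note, one clean file) and sweep it."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_demo_")
    with open(os.path.join(root, "agent_update.bin"), "wb") as fh:
        fh.write(SAMPLE_FLAGGED_BYTES)
    with open(os.path.join(root, "a1b2c3-readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed ransom-note stand-in\n")
    with open(os.path.join(root, "clean.log"), "w", encoding="utf-8") as fh:
        fh.write("nothing to see here\n")
    return sweep(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = run_self_demo() if target is None else sweep(target)
    for path, detection in result["hash_matches"]:
        print(f"IOC MATCH  {path}  ->  {detection}")
    for path, digest in result["ransom_notes"]:
        print(f"NOTE?      {path}  (sha256 {digest})")
```

Run it with a directory argument to sweep a real tree, or with no argument to sweep the constructed demo directory. Hash matching is exact, so a recompiled or repacked sample will not match; treat the ransom-note filename check as a low-confidence hint that warrants a look, not as a detection on its own.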