The Week in Ransomware – July 9th 2021
This week’s news focuses on the aftermath of REvil’s ransomware attack on MSPs and customers using zero-day vulnerabilities in Kaseya VSA. The good news is that it has not been as disruptive as we initially feared.
As REvil performed their attack remotely, they never had access to the victims’ networks and thus could not delete backups or steal data.
With the lack of this leverage, victims are restoring from backups rather than paying the ransom.
Sadly, this attack was close to being prevented as Kaseya worked on patches for the zero-day vulnerabilities just as the attacks started.
Due to constant ransomware attacks on US interests, President Biden has once again warned President Putin that Russia needs to arrest the ransomware gangs operating from Russia or the US will take action instead.
Finally, a new ransomware payment tracking site called Ransomwhere was launched this week.
Contributors and those who provided new ransomware information and stories this week include: @VK_Intel, @malwrhunterteam, @serghei, @struppigel, @FourOctets, @DanielGallagher, @Ionut_Ilascu, @fwosar, @demonslay335, @malwareforme, @BleepinComputer, @Seifreed, @jorntvdw, @LawrenceAbrams, @PolarToffee, @LabsSentinel, @coveware, @billseagull, @Malwarebytes, @_johnhammond, @DIVDcsirt, @0xDUDE, @jackhcable, and @pcrisk.
July 4th 2021
The zero-day vulnerability used to breach on-premise Kaseya VSA servers was in the process of being fixed, just as the REvil ransomware gang used it to perform a massive Friday attack.
The REvil ransomware gang is increasing the ransom demands for victims encrypted during Friday’s Kaseya ransomware attack.
Toffee saw a new RaaS called AvosLocker being promoted on a hacker forum. It appends the .avos extension to encrypted files and drops a ransom note named GET_YOUR_FILES_BACK.txt.
July 5th 2021
REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files.
CISA and the Federal Bureau of Investigation (FBI) have shared guidance for managed service providers (MSPs) and their customers impacted by the REvil supply-chain ransomware attack that hit the systems of Kaseya’s cloud-based MSP platform.
PCrisk found new STOP ransomware variants that append the .zqqw and .pooe extensions.
July 6th 2021
White House Press Secretary Jen Psaki says that the US will take action against cybercriminal groups from Russia if the Russian government refuses to do so.
Kaseya says the REvil supply-chain ransomware attack breached the systems of roughly 60 of its direct customers using the company’s VSA on-premises product.
The second quarter of 2021 marked the biggest ransomware attack on U.S. infrastructure to date. On May 7, The Colonial Pipeline Company, which operates the largest pipeline system for refined oil products in the United States, was infected with DarkSide ransomware. The attack resulted in a six-day shutdown that was only resolved when Colonial Pipeline paid the $4.4 million ransom – a decision that CEO Joseph Blount described as “the right thing to do for our country.”
July 7th 2021
Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates.
PCrisk found a new STOP ransomware variant that appends the .zzla extension.
July 8th 2021
Not yet two years old and already in its seventh iteration, Ransomware as a Service variant Conti has proven to be an agile and adept malware threat, capable of both autonomous and guided operation and with unparalleled encryption speed. As of June 2021, Conti’s unique feature set has helped its affiliates extort several million dollars from over 400 organizations.
Investment banking firm Morgan Stanley has reported a data breach after attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of a third-party vendor.
Charles Carmakal has a problem: Ransomware has become so prolific that he has too much business.
The REvil ransomware gang’s attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments.
Jack Cable launched a ransom payment tracking site called Ransomwhere.
Michael Gillespie is looking for a new ransomware that appends the extension .nohope and drops a ransom note named NOHOPE_README.txt.
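The variant items above (AvosLocker, the three STOP extensions and the unidentified .nohope ransomware) each boil down to a file-name indicator: an appended extension or a ransom-note name. The script below is an added example, not code from BleepingComputer or from any of the researchers credited in this roundup; it walks a directory tree and reports which of those indicators it finds, which is a cheap first triage check on a share or backup target. The extension-to-family mapping is taken from the items above; the label "unidentified-nohope" and the sample file tree are constructed for the example.

```python
"""
Sweep a directory tree for the ransomware file-name indicators named in this
week's roundup. Constructed example: the sample tree is fabricated, and the
"unidentified-nohope" label is ours (the roundup does not name that family).
"""
from __future__ import annotations

import os
import tempfile
from collections import Counter
from pathlib import Path

# Appended extension -> family, as listed in the roundup.
ENCRYPTED_EXTENSIONS = {
    ".avos": "AvosLocker",
    ".zqqw": "STOP",
    ".pooe": "STOP",
    ".zzla": "STOP",
    ".nohope": "unidentified-nohope",  # family not yet identified per the roundup
}

# Ransom-note file name -> family, also from the roundup.
RANSOM_NOTES = {
    "GET_YOUR_FILES_BACK.txt": "AvosLocker",
    "NOHOPE_README.txt": "unidentified-nohope",
}


def classify(path: str | Path) -> str | None:
    """Return the family label if the path matches an indicator, else None.

    Ransom-note names are checked first so that NOHOPE_README.txt is reported
    as a note instead of being skipped for its ordinary .txt suffix.
    """
    p = Path(path)
    if p.name in RANSOM_NOTES:
        return RANSOM_NOTES[p.name]
    return ENCRYPTED_EXTENSIONS.get(p.suffix.lower())


def sweep(root: Path) -> list[tuple[str, str]]:
    """Walk `root` and return (family, path) for every file that matches."""
    hits: list[tuple[str, str]] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            p = Path(dirpath) / name
            family = classify(p)
            if family is not None:
                hits.append((family, str(p)))
    return hits


def summarize(hits: list[tuple[str, str]]) -> Counter:
    """Count hits per family; any non-empty result is the triage signal."""
    return Counter(family for family, _ in hits)


# --- constructed sample tree (not real victim data) -------------------------
SAMPLE_FILES = [
    "docs/budget.xlsx.zqqw",          # STOP (.zqqw)
    "docs/photo.jpg.pooe",            # STOP (.pooe)
    "docs/report.docx.avos",          # AvosLocker
    "docs/GET_YOUR_FILES_BACK.txt",   # AvosLocker ransom note
    "home/notes.txt",                 # clean file, must not match
    "home/plan.pptx.zzla",            # STOP (.zzla)
    "home/thesis.pdf.nohope",         # .nohope ransomware
    "home/NOHOPE_README.txt",         # .nohope ransom note
]


def build_sample_tree(root: Path) -> None:
    """Create the constructed sample files under `root`."""
    for rel in SAMPLE_FILES:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content\n")


def demo() -> Counter:
    """Build the sample tree in a temp dir, sweep it, return per-family counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return summarize(sweep(root))


if __name__ == "__main__":
    for family, count in sorted(demo().items()):
        print(f"{family}: {count} matching file(s)")
```

Point `sweep()` at a real path instead of the temp tree to use it; matching is on names only, so it is quick on large shares, and a single hit is enough reason to isolate the host and check whether backups were reachable from it, which is the leverage the Kaseya victims above were fortunate not to lose.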
July 9th 2021
Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates.
CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March.