CISA, FBI Warn: REvil Ransomware Attack Hits Kaseya, Affects Global Sectors

REvil's supply chain attack disrupts global sectors. CISA and FBI urge immediate action.

On July 4, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory urging users to respond to the REvil ransomware attack. This followed Kaseya's announcement two days prior that its software had been compromised, leading to widespread disruption. The REvil group demanded a hefty $70 million payment for a universal decryptor tool.

The REvil attack exploited multiple zero-day vulnerabilities in Kaseya's VSA product, including CVE-2021-30116. This supply chain attack targeted managed service providers and their clients internationally, affecting various sectors such as supermarkets, kindergartens, and public administration offices. Kaseya initially believed the attack was localized to a small number of on-premises customers.

To help manage and report on affected systems, Qualys has released an Interrogation Guide (IG) QID that detects the presence of Kaseya VSA. The detection can be run remotely using signature version VULNSIGS-2.5.226-3 and above. Qualys VMDR can identify systems with Kaseya installed and group them together for management and reporting. Additionally, Qualys Unified Dashboard can track REvil ransomware, impacted hosts, and overall management in real time.

REvil is operated as ransomware-as-a-service (RaaS): attackers distribute it over the internet and split the ransom. The attack has highlighted the importance of robust cybersecurity measures and prompt response to vulnerabilities. Organizations are urged to stay vigilant and follow the CISA and FBI advisory to mitigate potential threats.
