Thu, Jul 8, 2021
On the afternoon of July 2, 2021, Kaseya reported that it had been impacted by a ransomware attack affecting its Virtual System Administrator (VSA) product and advised users to shut down VSA servers immediately. Initial reporting indicates this was a well-orchestrated supply chain attack impacting about 60 managed services providers (MSPs) and up to 1,500 client organizations by leveraging a zero-day vulnerability (CVE-2021-30116). The ransomware group behind the attack coordinated their malware to encrypt systems at a massive scale, claiming to have “more than a million systems” infected according to their shaming site.
Kroll alerted clients to the threat on Friday afternoon, and shortly afterward Kroll was engaged by several impacted customers. Our Kroll Responder team validated what the security community had shared: the ransomware dropper ran the binary “agent.exe”, which then loaded the malicious mpsvc.dll through a legitimate Windows Defender binary, “MsMpEng.exe”.
The use of a legitimate Windows process to launch an attack can make it harder for traditional defensive tooling to detect. This type of obfuscation, where the malware tries to appear benign, was also part of our research into EPHEMERAL LOCKPICKER, marking yet another area where attackers are becoming more sophisticated.
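A minimal detection over image-load telemetry, added here as an illustration and not part of Kroll's write-up: it flags MsMpEng.exe loading mpsvc.dll from anywhere other than the directories where the genuine Defender engine is installed, which is exactly the abuse of a trusted binary described above. The trusted-directory list, the Sysmon-style key=value record format and the sample records (including the platform version string) are constructed assumptions for this example.

```python
import re
from pathlib import PureWindowsPath

# Directories the genuine Windows Defender engine is expected to run from.
# Assumed for this example (not taken from the Kroll write-up); tune to your fleet.
TRUSTED_DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)

# Constructed Sysmon-style ImageLoad (Event ID 7) records flattened to key=value pairs.
SAMPLE_LOG = r"""
EventID=7 Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe ImageLoaded=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll Signed=true
EventID=7 Image=C:\Windows\MsMpEng.exe ImageLoaded=C:\Windows\mpsvc.dll Signed=false
EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\ntdll.dll Signed=true
"""


def parse_record(line):
    """Split one record into a dict; values run until the next ' key=' so paths with spaces survive."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def is_trusted(path):
    """True if the path sits below one of the trusted Defender directories (case-insensitive)."""
    normalized = str(PureWindowsPath(path)).lower()
    return any(normalized.startswith(d.lower() + "\\") for d in TRUSTED_DEFENDER_DIRS)


def find_sideloaded_defender(log_text):
    """Return records where MsMpEng.exe loads mpsvc.dll outside the trusted Defender directories."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "7":
            continue  # only image-load events matter here
        image = PureWindowsPath(rec.get("Image", ""))
        loaded = PureWindowsPath(rec.get("ImageLoaded", ""))
        if image.name.lower() != "msmpeng.exe" or loaded.name.lower() != "mpsvc.dll":
            continue
        # A genuine engine and its DLL both live under a trusted directory; anything else is suspect.
        if not (is_trusted(str(image)) and is_trusted(str(loaded))):
            hits.append({"image": str(image), "dll": str(loaded), "signed": rec.get("Signed")})
    return hits


if __name__ == "__main__":
    for hit in find_sideloaded_defender(SAMPLE_LOG):
        print("suspicious Defender side-load:", hit)
```

The unsigned-DLL field is carried through only as supporting context; the path check alone is what fires, so a signed but relocated engine is still flagged for review.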
Kaseya released a compromise detection tool, which the Cybersecurity & Infrastructure Security Agency (CISA) recommends MSPs download to analyze whether any indicators of compromise (IoCs) are present. In a joint alert, CISA and the FBI also recommend MSPs:
Additionally, Kroll recommends organizations take the following steps:
The Kroll incident response team is on standby to help. Reach us 24x7 at [email protected] or via our hotlines.