Cybersecurity news headlines for July 2021

In July’s edition of cybersecurity news, the cyberattack against software company Kaseya takes the central stage. It is one of the worst cyberattacks in recent history, with a record-breaking $70 million ransom demand and almost 1500 infected companies. The second story continues the theme of serious ransomware attacks as we talk about a new player in the world of ransomware BlackMatter. Or rather, a possible reincarnation of an older threat DarkSide, a piece of ransomware that made news all over the world for being behind the Colonial Pipeline cyberattack.

Without further ado, here are the stories that made the biggest cybersecurity headlines in July 2021.

 

 

Software company Kaseya targeted in a ransomware attack: $70 million ransom demand and 1500 affected companies

In one of the biggest cyberattacks this year, the notorious ransomware gang REvil targeted Kaseya, a Florida-based software company. Kaseya provides software for businesses to manage their networks, including a remote monitoring and management tool Virtual System/Server Administrator (VSA) that’s primarily used by managed service providers (MSPs). It is estimated that more than 40,000 organizations worldwide use Kaseya’s software solutions. On July 2, malicious actors used a vulnerability in Kaseya’s VSA to carry out a supply chain ransomware attack that resulted in 1500 small/medium-sized companies being infected with ransomware via 60 of Kaseya’s MSP customers. The REvil gang took credit soon after the attack.

The chosen date for the attack, America’s Independence Day weekend, was likely not a coincidence. With many employees leaving work earlier than usual, the chances of carrying out a successful attack somewhat increase as reaction time would be slower. Soon after the attack, it was confirmed that a vulnerability in Kaseya’s VSA was how the perpetrators were able to perform it. Kaseya was warned about the vulnerability in question and was in the process of patching it. Prior to the attack, security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) disclosed the vulnerability to Kaseya, which according to DIVD “was willing to put in maximum effort and initiative into this case to get this issue fixed and their customers patched”. DIVD has praised Kaseya for their serious response, denying that Kaseya was delaying the patch and was, instead, very cooperative. Unfortunately, they were not quick enough to patch the vulnerability and it was ultimately used for the attack.

“Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch”, Victor Gevers, Head of Research at DIVD said in a statement.

As soon as Kaseya noticed the attack, it informed its customers that they should shut down their VSA servers immediately until further notice. The company also shut down its software-as-a-service (SaaS) servers as a precaution. On-premises customers were notified soon after, and authorities were contacted immediately. Nonetheless, the cyberattack impacted 60 of Kaseya’s managed service provider customers and in turn, 1500 small/medium-sized companies that were clients of those MSPs.

Reports soon starting appearing that the impacted companies were dealing with ransomware attacks. Among them was Sweden’s supermarket chain Coop which was forced to temporarily close 500 of its physical stores while it dealt with the attack. Depending on whether the victims had backup or not, returning to normal operations was estimated to take weeks. The demanded ransom sums ranged between tens of thousands to millions of dollars. The REvil cybergang also offered a universal decryption key that would help all victims if it received $70 million in bitcoin. This is the highest ever ransom demand made by ransomware operators.

Only a few ransomware victims made the ransom payment but it is unclear whether the giant $70 million demand was also paid. On July 23, Kaseya announced that it received the universal decryptor from a “third-party” and was helping victims recover their files but did not specify where the decryptor came from. The companies that paid the ransom faced further issues when the decryptors they were sent did not work and the REvil gang suddenly went dark.

Almost two weeks after the Kaseya ransomware attack, the dark web websites belonging to REvil went offline. Among them were the payment site, as well as the negotiation and “helpdesk” sites. It is not clear why exactly the group went dark, though it is speculated that it may have had something to do with the increased scrutiny by government agencies. Internal conflict and self-directed takedown were also among the possibilities.

REvil is believed to be based in Russia, which is one of the reasons why law enforcement agencies were having a hard time dealing with the gang. But US President Biden’s administration has put increased pressure on the Russian government about the ransomware activity coming from the country, which may have led to REvil’s shutdown.

“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden reportedly said directly to Russia’s President Putin.

Notorious DarkSide ransomware gang returns as BlackMatter

The notorious DarkSide ransomware gang, responsible for one of the worst cyberattacks in recent history, has reportedly reappeared as BlackMatter. DarkSide, believed to have been operating from Eastern Europe, is responsible for the Colonial Pipeline cyberattack. After increased scrutiny both from the US government and the media, the gang went dark in May. The malicious actors reportedly lost access to their servers and an unidentified third-party seized their cryptocurrency.

One of US’s largest pipeline operators Colonial Pipeline was targeted in a cyberattack in May this year, forcing the company to temporarily shut down the pipeline to prevent the infection from affecting operational controls. How exactly the perpetrators were able to gain access to the pipeline’s systems is unclear but the 6-day shutdown affected millions of people, causing fuel shortages in multiple states as well as triggering mass panic buying. US President Biden was forced to declare a state of emergency in order to deal with the situation.

The DarkSide gang also stole 100GB of data from Colonial Pipeline, a tactic used by more and more ransomware gangs to pressure victims into paying. If the payment was not made, the cybergang threatened to publicly release the stolen information. The ransom request was 75 bitcoin, which at the time was $4.4 million. Ultimately, the pipeline agreed to pay the ransom, though the decryptor sent to them worked too slow and backups were used to recover files instead. The majority of the ransom was later recovered by the FBI.

The target, the scale of the attack, and the significant consequences of this attack led to increased scrutiny from law enforcement agencies, perhaps much more than DarkSide anticipated. The DarkSide cybergang operated the ransomware as a ransomware-as-a-service (RaaS) and it distanced itself from the situation by claiming to be apolitical. It also said that they will moderate who its partners can encrypt in order to avoid “social consequences in the future”.

In May, the DarkSide ransomware operations abruptly shut down. It is likely that the operation was disrupted by law enforcement, considering that the FBI managed to recover around $4 million in ransom payments.

After suddenly shutting down, it appears that DarkSide has reemerged as BlackMatter. The group has been noticed to be purchasing access to corporate networks in the USA, Canada, Great Britain, and Australia. On a BlackMatter data leak site, the group says that they will not attack hospitals, critical infrastructure facilities, oil and gas industries, defense facilities, non-profit companies, and the government sector.

Initially, it was thought that BlackMatter was a new ransomware group but ransomware expert and CTO of Emsisoft Fabian Wosar said that BlackMatter is using the same unique encryption methods that were noticed in DarkSide.

After looking into a leaked BlackMatter decryptor binary I am convinced that we are dealing with a Darkside rebrand here. Crypto routines are an exact copy pretty much for both their RSA and Salsa20 implementation including their usage of a custom matrix.

– Fabian Wosar (@fwosar) July 31, 2021

References

• Updates Regarding VSA Security Incident. Kaseya.
• Victor Gevers. KASEYA CASE UPDATE 2. DIVD Blog.
• Joe Tidy. Swedish Coop supermarkets shut due to US ransomware cyber-attack. BBC News.
• Kaseya ransomware attack: 1500 affected companies and a $70 million ransom demand. WiperSoft Blog.
• Cybersecurity news headlines for May 2021. WiperSoft Blog.