REvil Ransomware: Attack on Thousands of Businesses Using a Supply Chain Exploit

The Hackers Meetup
3 min read · Jul 18, 2021

REvil ransomware has been in the news a lot recently: on 11th June 2021, Invenergy, an American multinational company, said it had been the victim of a new ransomware attack carried out by REvil.

What Happened?
This all started on 2nd June 2021, when hundreds of Kaseya managed service providers had REvil ransomware dropped on their systems through Kaseya desktop management software. REvil was demanding $70 million to restore the encrypted data. As a consequence, the Swedish Coop grocery store chain was forced to close 800 stores for several days, and on the 7th REvil hacked the computers of the Florida-based space and weapon-launch technology contractor HX5, which counts the Army, Navy, Air Force and NASA among its clients, publicly releasing stolen documents on its “Happy Blog”.

The name REvil first appeared in 2019. According to MITRE, it is a ransomware family connected to GOLD SOUTHFIELD, a financially motivated group that operates a “Ransomware as a Service” model. They take advantage of exploit kits, scan-and-exploit techniques, exposed RDP servers and backdoored software installers to spread their ransomware. Some say the group is based in Russia, as it has never targeted Russia or former Soviet Union countries.

How did it happen?
The attack targeted VSA, software developed by Kaseya, an American IT management software company. VSA is a tool used to manage an organization’s servers and other hardware, as well as its software and services, remotely. It is used by large corporations and also by service providers that administer small companies with no IT department of their own.

Kaseya’s VSA reference architecture, which allows clients to access their servers remotely

According to many malware analysts, a malicious update was pushed out by VSA; it hit multiple VSA servers and was then deployed to all connected systems. After that, it is believed that the REvil gang disabled the local antivirus and ran a fake Windows Defender app, which was actually the ransomware in disguise. It then did what it was built for: it encrypted the files on infected systems and denied access to them without the key.
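The sequence described above (local antivirus disabled, then a binary posing as Windows Defender launched) is something defenders can correlate in endpoint telemetry. The following is an added example, not code from the original post or from Kaseya; the event line format, the lookalike process names, the genuine Defender directories and the 15-minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: directories where the genuine Defender binaries live.
DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)
# Process names an impostor would borrow to look like Defender (assumption).
DEFENDER_NAMES = {"msmpeng.exe", "mpcmdrun.exe"}

# Constructed endpoint events: "<ISO timestamp> <host> <event_type> <detail>".
SAMPLE_EVENTS = [
    "2021-07-02T13:30:00 host2 process_start C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "2021-07-02T13:35:00 host3 process_start C:\\Users\\Public\\MsMpEng.exe",
    "2021-07-02T14:00:00 host1 av_disabled real-time protection turned off",
    "2021-07-02T14:00:45 host1 process_start C:\\Windows\\Temp\\MsMpEng.exe",
]

def parse_event(line):
    ts, host, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def is_defender_lookalike(image_path):
    """True if the file name mimics Defender but lives outside its real directories."""
    p = PureWindowsPath(image_path)
    if p.name.lower() not in DEFENDER_NAMES:
        return False
    return not any(str(p).lower().startswith(d.lower()) for d in DEFENDER_DIRS)

def find_suspicious_sequences(lines, window_minutes=15):
    """Return (host, av_disabled_at, image) for each Defender lookalike started
    within window_minutes after antivirus was disabled on the same host."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    last_disabled = {}   # host -> time AV was last reported disabled
    alerts = []
    for ts, host, kind, detail in events:
        if kind == "av_disabled":
            last_disabled[host] = ts
        elif kind == "process_start" and is_defender_lookalike(detail):
            disabled_at = last_disabled.get(host)
            if disabled_at and ts - disabled_at <= timedelta(minutes=window_minutes):
                alerts.append((host, disabled_at, detail))
    return alerts

if __name__ == "__main__":
    for host, t0, image in find_suspicious_sequences(SAMPLE_EVENTS):
        print(f"{host}: AV disabled at {t0:%H:%M:%S}, then {image} launched")
```

On the constructed data only host1 fires; host3 runs a lookalike without a preceding AV-disable event, which is still worth a lower-severity alert on its own.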

It set a whole new example of a supply chain attack in ransomware, and of a zero-day attack as well: exploitation of a zero-day vulnerability in the VSA code gave the attackers administrative access, along with a reverse channel to their command and control server, which then helped drop the REvil malware onto all of the victims’ infrastructure.

The attack structure of REvil

REvil has been targeting the big fish in the market, many of which are in the defence sector, so it is high time for IT and other network defenders to look into their system and network defence methods, find where they fall short, and fix the common mistakes that REvil takes advantage of.

Blog written by Aashka Raval (Twitter, LinkedIn)


The Hackers Meetup

Initiative of @viralparmarhack to provide a proper platform for cyber security researchers & like-minded people to establish a community.