Kaseya data breach: 70M $ for the universal decryptor, meanwhile REvil deals privately with some victims

Kaseya VSA is remote monitoring and management software that companies use to administer their IT infrastructure. On 2 July, the REvil ransomware group used VSA (Virtual System Administrator) as a vector to push malicious code into the computer systems of at least a thousand end customers of the Miami-based multinational.
The exact number of victims is not known at the moment, but they reportedly include the Swedish supermarket chain Coop, the Swedish State Railways, the Norwegian company Visma, which develops business software and provides IT consultancy, and the American company Dataprise, which provides information technology and systems integration services to small and medium-sized enterprises, primarily in the US Mid-Atlantic.



REvil published a note on its blog on the Tor network stating that over 1 million corporate IT systems are affected by the attack. The note goes on to state the price of the universal decryptor, setting the figure at $ 70 million in BTC.



On July 2, Huntress Labs, an American cybersecurity company, was able to record and analyse the early stages of the infection on Kaseya VSA servers. Huntress Labs claims that REvil successfully exploited an SQL injection vulnerability, using an authentication bypass to gain access to the VSA servers.

While security analysts around the world make their expertise available to the community, REvil has spent the last few hours trying to do business directly with some of its victims.

This is the case of a company operating in the information technology sector, which agreed with REvil on the price of the ransom in order to obtain a decryptor capable of decrypting its entire IT network.

SuspectFile.com will not reveal the name of this company affected by the "Kaseya data breach", but will limit itself to providing only those details of the chat that help to understand the mechanisms at play during the various phases of a conversation between a victim and their attacker.



From the data collected it appears that the person who physically wrote the messages in the chat is not a professional negotiator, but rather an employee of the company supported by its IT department.

The chat opens with the victim's first message asking REvil how the decryption of their files is proceeding. The ransomware group replies that no decryption has taken place, because either the ransom was not paid or the victim connected using two different ransom notes, and therefore to two different chats.

The victim reports to REvil that the first chat window had closed and asks whether they are chatting with the same person as before, adding that the press has learned that the attack also affected their company. REvil replies to reopen the first chat, pointing out that in the chat it is currently writing in no one has paid for the decryptor. It makes no comment on the company name having become public.

Victim: Hi, how is our decryption going?

REvil: Which one of? You did not pay for the decryptor, or you changed the chat chat

V: The chat window closed. Was it you I was speaking to earlier ?

V: The press has picked up on our infection and you said they would not hear about it

R: So open it again, in this chat no one paid for the decryptor

The victim adds:

V: We are working with our internal team to see if Kaseya cyber security insurance will cover this. This is the reason I think the press found we were victim

At this point REvil asks for the name of the company:

R: Name of your company ?

V: [Redacted] , I thought you know this ? I must have been talking to somebody else

At this point the negotiation on the price of the ransom begins. It should be noted that the price initially set by REvil was $ 44,999, a figure that evidently referred to only one of the extensions of the encrypted files; to decrypt the entire IT network, instead, $ 550,000 was requested. During the negotiation the price was then settled at $ 225,000 in BTC.

R: 550k for all network

V: This is too much what is this based upon ?

R: About revenue, damage caused and income of the company

V: You don’t have access to our revenue or income. We have struggled through covid. It is more than we earn this year.

This is why we are hoping Kaseya insurance will cover us, but would have to wait until they would pay.
And if we cannot function then nothing can happen with money

R: We made you our offer and whether to pay or not is only your business.

The victim asks REvil to confirm that, once payment is complete, they will receive decryption keys for both of the different ransom notes, and to promise not to attack them again. REvil confirms and provides the BTC addresses to which the money is to be sent.

V: My IT team have requested that they get the decryption key and have concerns that as we have 2 different notes that we will need 2 different keys. Can you confirm this ?

R: Of course we will provide decryptor for all your keys

V: We have been unable to patch our Kaseya deployment and need to get some key systems working. Can you confirm that you will not reattack us.

R: Of course

V: We can send $75k today and will send $150k over next 2 days. Please supply the btc addresses

R: 3Md[Redacted]

3FE[Redacted]

3My[Redacted]

As of this writing, no funds have been deposited into or withdrawn from any of the three BTC addresses.

Note: SuspectFile.com has not reported the entire chat; some details that could have been traced back to the victim's name have been omitted or left out altogether.

One point worth dwelling on is the certainty of getting your data back once the ransom has been paid. There is no such certainty.
On the contrary, very often, even after the full ransom has been paid, the victim is unable to regain possession of their data. Paying a ransom does not guarantee that the IT infrastructure will be restored to the condition it was in before the attack.


Another fundamental point worth dwelling on is the protection of one's name, one's privacy.
In this article we have been able to show that no group of cybercriminals protects the privacy of its victims. Within the chats we often read phrases from the criminal on duty intended to reassure the victim:


"If you pay your name it will never be published, your privacy will be guaranteed. All your data will be deleted"

We can assure you that months later, after payments have been made, dozens and dozens of chats that are still accessible today contain data and documents from which the victim's name can be traced without any difficulty.

Another consideration, perhaps the most worrying one.
After encrypting an IT system, the cybercriminal drops some files on the victim's PCs, the so-called "ransom notes". Within these files we find an .onion URL and a key that allow the victim to access the chat.
Originally these files are in the hands of only two parties, the cybercriminal and the victim, and no one else.
A question then naturally arises.
How do these files end up on sites specialising in file analysis such as Bazaar, Triage, Virustotal…? Who actually performs the uploads?
We cannot believe it is the victim company, for example an employee of its IT department. Just as we cannot believe that a negotiator or a member of a police force is "hiding" behind these uploads.
So who is the person who stands to benefit from all this in terms of visibility?


SuspectFile.com has always believed that samples are uploaded by the cybercriminals themselves, directly or indirectly.

A last consideration on the Kaseya case.
It makes you smile, a "bitter laugh" to be honest, to see how Kaseya praises itself. On its website, among other things, we read

https://www.kaseya.com/products/managed-soc/

A customer should feel safe reading such statements. Instead, in the last few hours they are still struggling with encrypted and unusable IT systems.
The companies affected by this attack feel victimised twice: first at the hands of a group of cybercriminals, and second because of the objective fault of Kaseya, which with these statements promised more than it could really deliver.