Recent ransomware attacks have made organisations aware of a growing need to harden their systems and to implement suitable security measures before, not after, an incident.
A recent attack involving the REvil ransomware illustrates this. Software provider Kaseya made news earlier this month when a REvil ransomware outbreak was attributed to a weakness in its Virtual System Administrator (VSA) product.
Ransomware attacks are increasing globally, with REvil attacks being the most prevalent. This year's IBM X-Force Threat Intelligence Index estimates that the REvil ransomware's creators made at least $123 million in 2020 and took almost 21.6 gigabytes of data.
The software exploited in this attack, Kaseya VSA, is typically deployed on on-premise servers that managed service providers (MSPs) use to maintain customer environments on their behalf. After those servers were compromised through a zero-day exploit, the ensuing ransomware attacks hit over 1,500 firms.
### WHAT IS REvil?
REvil, short for Ransomware Evil, is a threat group whose headquarters are allegedly in Russia. The gang is responsible for a number of ransomware attacks, some of which have extracted substantial payments from prominent companies. REvil is known for demanding large ransoms, frequently in the millions of dollars.
Two further characteristics of REvil are worth noting.
First, the gang uses a ransomware-as-a-service (RaaS) business model in which affiliates receive infrastructure and malware in return for a share of the ransoms collected. The REvil organisation concentrates primarily on developing and maintaining its infrastructure and software, while its affiliates are in charge of choosing targets and carrying out attacks.
Second, REvil does not just encrypt its victims' data. The group frequently begins an attack by stealing confidential information and only encrypts the environment afterwards. This strategy gives it two chances to demand a ransom:
· Payment in exchange for REvil not publishing the stolen data on its blog.
· Payment in exchange for the decryption key needed to recover the encrypted data.
### WHAT HAPPENED TO KASEYA?
On July 2, a REvil affiliate attacked over 5,000 targets across 22 countries in a ransomware campaign that succeeded in breaching almost 60 MSPs. The target of the attack was the Kaseya on-premise servers that its MSP clients use to host internet-connected instances of the VSA software.
The attack exploited zero-day flaws that Kaseya already knew about: seven had been disclosed in April by the Dutch Institute for Vulnerability Disclosure (DIVD) through Kaseya's Vulnerability Disclosure Program (VDP). Four of those vulnerabilities had already been addressed, while three remained open.
One of the remaining flaws allowed the REvil affiliate to bypass Kaseya's authentication and gain access to an MSP's VSA software. The attacker then used the software's privileged access to push the REvil ransomware into the environments of the MSP's clients.
Organisations should take a number of crucial measures to safeguard themselves from ransomware.
Most prominently, ensure that all critical systems and data are backed up securely and offsite, and use sound vulnerability management (VM) to find and fix known vulnerabilities in software assets quickly. These actions help companies reduce the risk of a ransomware breach and limit the harm a successful attack could cause.
The Kaseya/REvil attack, however, shows that this might not be sufficient to reduce the risk posed by contemporary ransomware strains.
REvil in particular is known for using a variety of methods to attack backup data. Ransomware attacks pose a significant danger to smaller firms, since it may not be practicable for them to block these techniques. As the Kaseya attack shows, preventing ransomware attacks may not always be possible, especially when they target suppliers, because known vulnerabilities are not always patched rapidly.
Organisations therefore have a lot to learn from these ransomware attacks about how to secure themselves efficiently against such attacks in the future.
BugBase is a curated marketplace for ethical hackers that helps businesses and startups set up bug bounty programs. It is India's first consolidated bug bounty platform, which assists organizations in staying safe by providing an all-in-one platform for continuous and comprehensive security testing.
Through BugBase, registering and setting up your organisation’s bug bounty program is no less than a breeze. We also provide hackers and security professionals with a platform to connect directly with organizations that have set up bug bounty programs and to get rewarded for the risks and vulnerabilities they find.