Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack
Updated: Jul 5
Yesterday Sophos and Huntress Labs identified that Kaseya, a remote management provider popular with MSPs, was compromised to deploy a supply chain ransomware attack. A large number of organisations were impacted; the Coop supermarket chain in Sweden, for example, temporarily shut 800 stores.
We have provided a number of resources on our GitHub that may help Digital Forensics and Incident Response experts responding to these attacks over the weekend:
Decompiled Malware Samples (via retdec)
We've also included a quick forensic triage of an infected system below with Cado Response (you can grab a demo here!).
This is not the first time a REvil operator has managed to compromise large sets of MSPs, as shown in sinkhole data from KPN:
Figure 1: Previous REvil affiliate attacks against MSPs, from KPN
However, this time the scope is particularly bad, as Kaseya provides software and access to a number of MSPs, who in turn supply services and access to potentially thousands of businesses.
We have sinkholed some of the available domains from the REvil configuration and are seeing a relatively small number of infected machines connect in (see below). It is likely that the peak of this particular attack has passed, and the connections include both sandbox machines and other campaigns:
Figure 2: Infected machines connecting in to our sinkhole
Indicators of Compromise
With thanks to Sophos for the most complete listing:
C:\Program Files (x86)\Kaseya\...\AgentMon.exe
(Legitimate Kaseya binary used for remote execution)
(Not on VirusTotal)
(Primary malicious REvil binary; drops the legitimate \msmpeng.exe and the malicious side-loaded DLL mpsvc.dll listed below)
(Non-malicious Microsoft Defender binary used for side-loading)
Access from 18[.]223.199.234 and 161.35.239[.]148 to:
Creation on the VSA server of:
Additional indicators are available:
REvil Configuration File
References and Other Reporting
Forensic Triage Analysis
We infected a system with a copy of the REvil malware and performed an automated forensic capture and analysis with Cado Response. You can download a full disk image of the system from our GitHub repository.
Below are a number of clear markers for forensic analysts to look for on infected systems.
The ransomware is well detected by anti-virus, so during analysis you will likely find both logs of anti-virus detections (below) and the malware itself flagged by Yara rules (also below):
However, Kaseya recommends that certain folder paths be excluded from anti-virus detection. Not coincidentally, this includes the folder that REvil is executed from (c:\kworking), so anti-virus detections may be missing.
The primary malicious binary clearly contains the known-bad certificate:
As expected, the malicious files are dropped in the Windows and kworking directories:
Outside of the malware itself, we can also see the PowerShell commands used to deploy the malware:
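To make the markers from the indicator list and the triage above checkable against a file listing and firewall or proxy logs, here is a small added triage helper. It is an example written for this post, not Cado Response code, and it assumes a genuine Defender install path contains "Windows Defender" and that the file listing and log lines are constructed samples, not data from the analysed image.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted from the post above, in the defanged form they were published in.
ATTACKER_IPS = {"18[.]223.199.234", "161.35.239[.]148"}
STAGING_DIR = PureWindowsPath(r"C:\kworking")          # Kaseya-recommended AV exclusion
SIDELOAD_HOST, SIDELOAD_DLL = "msmpeng.exe", "mpsvc.dll"  # legit host EXE + malicious DLL

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 18[.]223.199.234 back into a plain IP."""
    return ioc.replace("[.]", ".")

def find_file_indicators(paths):
    """Return (reason, path) pairs for suspicious entries in a file listing.

    Flags anything under C:\kworking, and any directory where msmpeng.exe sits next
    to mpsvc.dll outside a Windows Defender install path (assumption: a genuine
    Defender directory has 'Windows Defender' somewhere in its path).
    """
    hits, by_dir = [], {}
    for raw in paths:
        p = PureWindowsPath(raw)                    # case-insensitive comparisons
        if p == STAGING_DIR or STAGING_DIR in p.parents:
            hits.append(("file under REvil staging directory", str(p)))
        by_dir.setdefault(p.parent, set()).add(p.name.lower())
    for d, names in by_dir.items():
        if {SIDELOAD_HOST, SIDELOAD_DLL} <= names and "windows defender" not in str(d).lower():
            hits.append(("msmpeng.exe / mpsvc.dll side-loading pair", str(d)))
    return hits

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def find_network_indicators(log_lines):
    """Return (ip, line) pairs for log lines that mention one of the attacker IPs."""
    bad = {refang(ip) for ip in ATTACKER_IPS}
    return [(ip, line) for line in log_lines for ip in IPV4.findall(line) if ip in bad]

# Constructed sample data; the agent ID and dropper name are placeholders, not IoCs.
SAMPLE_FILES = [
    r"C:\Program Files (x86)\Kaseya\AGENT-ID-PLACEHOLDER\AgentMon.exe",
    r"C:\kworking\dropper.exe",
    r"C:\Windows\MsMpEng.exe", r"C:\Windows\mpsvc.dll",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MpSvc.dll",
]
SAMPLE_LOG = [
    "2021-07-02T14:03:11Z allow src=10.0.0.5 dst=18.223.199.234 dport=443",
    "2021-07-02T14:03:15Z allow src=10.0.0.5 dst=203.0.113.7 dport=443",
]

if __name__ == "__main__":
    for hit in find_file_indicators(SAMPLE_FILES) + find_network_indicators(SAMPLE_LOG):
        print(*hit, sep=": ")
```

The legitimate Defender copy of the pair is deliberately included in the sample so the check does not fire on a clean install.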
If you would like to test out Cado Response yourself you can grab a demo here.