Suspected Kaseya ransomware attacker arrives in Texas for trial – Naked Security
In cybersecurity history, USA Independence Day weekend in 2021 is not known for the restful, relaxing summer celebrations you typically associate with the 4th of July.
Instead, it’s remembered as the weekend of the infamous Kaseya ransomware attack.
It was ransomware with a difference, and the difference was the ultimate scale of the attack and the size of the side effects.
In a typical attack on Company X, vital files and data on X’s network are scrambled by cybercriminals, disrupting X’s computer systems – often including laptops, servers and network services – and abruptly halting business operations.
Next comes a blackmail demand for Y dollars in Bitcoin, where Y is often in the hundreds of thousands, and sometimes millions: “Give us the money and we’ll get your data back for you.”
Paying gets you nothing more than a promise
Of course, the criminals don’t actually do the tedious work of recovering the files they just encrypted (and even if they offered to put things back for you, you certainly wouldn’t want them on your network anyway).
The huge sum you pay doesn’t actually get your data back – it just buys you the promise of getting it back, in the form of the passwords needed to decrypt your scrambled files.
That’s why the Sophos 2020 State of Ransomware survey told us that the median cost of recovering from a ransomware attack among organizations that had their own backups, and therefore didn’t need to pay extortion money to the crooks, was nearly $750,000…
…while the median cost for those who had no choice but to pay (or who perhaps thought that paying the crooks would somehow bypass the usual complexity of recovering after an attack) was almost exactly double, at just under $1,500,000.
You pay the ransom simply for the hope of recovering data that you would otherwise lose forever, not to complete the recovery process.
Another vital, and even more depressing, statistic to remember comes from the Sophos 2021 Ransomware report, where our survey found that around 1/3 of respondents were hit, and around 1/3 ended up having to pay money to the crooks.
(Thanks to the 2020 data, of course, victims would have known in advance that paying would almost certainly work out more expensive, so we assume they simply had no choice, faced with the dilemma: “Deal with the devil, or watch the whole company implode and cost everyone their jobs.”)
Here we found that of those who paid for decryption passwords, half of them lost at least a third of their data anyway.
More dramatically, a third of them lost at least half of their data, and 4% of doubly-damaged respondents paid and got nothing back at all – zero, zilch, nothing, not a single sausage.
Unfortunately, the Kaseya incident did not follow the usual pattern we described above, where Company X is attacked, Company X’s files are scrambled, and Company X is blackmailed.
Kaseya manufactures and sells IT management tools that can, among other things, distribute software updates.
In this case, the cybercriminals used Kaseya’s software in what is called a supply chain attack.
In other words, the crooks used Kaseya’s infrastructure to spread and detonate ransomware infections on Kaseya’s customer computers, combining two security vulnerabilities to spread their malware much wider than if they had attacked Kaseya alone.
The first security flaw was CVE-2021-30116, a previously unknown bug that allowed an attacker without a password to access Kaseya’s system administration tools and inject unauthorized programs into the next set of updates sent to customers.
The second security flaw was that the criminals deliberately installed their malicious “update” into a special directory on customers’ computers that Kaseya had designated as exempt from local malware scanning.
As a result, victims unknowingly downloaded corrupt Kaseya “updates” and then unknowingly installed malware on their own computers, in a location where their existing security software had been instructed not to look.
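The two flaws above point to two checks a defender would want on any endpoint that accepts pushed updates: the update must match a manifest the vendor actually signed, and the place it is written to must not be a folder the local scanner has been told to ignore. The following is an added example written for this article, not code from Sophos, Kaseya or the original post. It assumes a hypothetical update agent, uses an HMAC over the manifest as a stand-in for real vendor code signing, and works on a constructed exclusion list and constructed sample payloads.

```python
import hashlib
import hmac
import json
from pathlib import PureWindowsPath

# Constructed sample: directories the local scanner has been told to skip.
# In a real deployment this list would be read from the security product's config.
SCAN_EXCLUSIONS = [
    r"C:\Program Files\ExampleAgent\cache",
    r"C:\Temp\agentwork",
]

# Constructed demo key: stands in for the vendor's code-signing key.
# A real agent would verify an X.509 / Authenticode signature instead.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: sign the canonical JSON form of the manifest (HMAC stand-in)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, signature: str, key: bytes) -> bool:
    """Endpoint side: constant-time comparison so a forged tag is not leaked by timing."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def in_excluded_path(dest: str) -> bool:
    """True if dest is inside (or equal to) any scanner exclusion, case-insensitively."""
    dest_parts = PureWindowsPath(dest.lower()).parts
    for exclusion in SCAN_EXCLUSIONS:
        ex_parts = PureWindowsPath(exclusion.lower()).parts
        if dest_parts[: len(ex_parts)] == ex_parts:
            return True
    return False


def vet_update(payload: bytes, name: str, install_dir: str,
               manifest: dict, signature: str, key: bytes) -> list:
    """Return a list of findings; an empty list means the update may be installed."""
    findings = []
    # Flaw 1 defence: an unauthenticated admin interface must not be able to
    # slip a package past the endpoint, so the manifest itself has to verify.
    if not manifest_is_authentic(manifest, signature, key):
        findings.append("manifest signature invalid")
    if manifest.get("name") != name:
        findings.append(f"name mismatch: manifest covers {manifest.get('name')}, got {name}")
    if sha256_hex(payload) != manifest.get("sha256"):
        findings.append(f"payload hash mismatch for {name}")
    # Flaw 2 defence: never let an update land somewhere the scanner will not look.
    if in_excluded_path(install_dir):
        findings.append(f"install directory is inside a scan exclusion: {install_dir}")
    return findings


# Constructed sample update, as the vendor would publish it.
GOOD_PAYLOAD = b"legitimate agent update v1.2.3"
MANIFEST = {
    "name": "agent-update-1.2.3.exe",
    "sha256": sha256_hex(GOOD_PAYLOAD),
    "install_dir": r"C:\Program Files\ExampleAgent\updates",
}
SIGNATURE = sign_manifest(MANIFEST, VENDOR_KEY)


def main():
    ok = vet_update(GOOD_PAYLOAD, MANIFEST["name"], MANIFEST["install_dir"],
                    MANIFEST, SIGNATURE, VENDOR_KEY)
    print("genuine update:", ok or "accepted")

    swapped = vet_update(b"something else entirely", MANIFEST["name"],
                         MANIFEST["install_dir"], MANIFEST, SIGNATURE, VENDOR_KEY)
    print("payload swapped after signing:", swapped)

    misplaced = vet_update(GOOD_PAYLOAD, MANIFEST["name"],
                           r"C:\Program Files\ExampleAgent\cache\staging",
                           MANIFEST, SIGNATURE, VENDOR_KEY)
    print("redirected into an excluded folder:", misplaced)


if __name__ == "__main__":
    main()
```

The point of running both checks together is that each one covers a gap in the other: a valid signature says nothing about where the installer is going to put the file, and a scan-aware destination check says nothing about whether the file was ever approved by the vendor.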
In the end, it seems the criminals were too successful, with so many victims affected that the attackers apparently decided it wasn’t worth trying to blackmail them one by one.
As we said at the time:
In the end, it was almost as if the gang behind Kaseya’s infiltration had done too well, attracting concerted attention in the wake of the attack.
Indeed, the crooks decided to go all-in by offering a “one size fits all” decryptor – a sort of global site license, if you will; an all-you-can-eat file-unscrambling buffet – for a single collective payment.
The plan might even have worked, if the criminals hadn’t set the fee at $70,000,000, but whether they were serious about getting paid in full, or just wanted to rub the world’s nose in the mess, we may never know.
The alleged perpetrators identified
In this case, the wheels of justice began to turn both quickly and efficiently.
In November 2021, the US Department of Justice (DOJ) announced that it had seized more than $6 million in assets from a still-at-large Russian suspect named Yevgeniy Polyanin, and that Polish authorities had arrested a Ukrainian suspect called Yaroslav Vasinskyi when he crossed the Polish border:
Poland has an extradition treaty with the United States, and Vasinskyi has now been sent to Texas, where he made his first appearance in a US court, accused of being responsible for the Kaseya attack:
During the alleged attack on Kaseya, Vasinskyi caused the Sodinokibi/REvil malicious code to be deployed throughout the [sic] a Kaseya product that caused Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks. Once remote access to Kaseya endpoints was established, ransomware was executed on those computers, resulting in data encryption on computers in organizations around the world that used Kaseya software.
Through the deployment of the Sodinokibi/REvil ransomware, the defendant allegedly left electronic notes in the form of a text file on the victims’ computers. The notes included a web address leading to an open-source privacy network known as Tor, as well as a link to a publicly accessible website address that victims could visit to retrieve their files. Upon visiting either website, victims were shown a ransom note and provided with a virtual currency address to be used to pay the ransom. If a victim paid the ransom, the defendant provided the decryption key and the victim could then access their files. If a victim did not pay the ransom, the defendant usually released the victim’s stolen data or claimed to have sold the stolen data to third parties, and the victims remained unable to access their files.
Vasinskyi is charged with conspiracy to commit fraud and related activities in connection with computers, damage to protected computers and conspiracy to commit money laundering.
As the DOJ points out, in line with standard practice in its press releases, the theoretical maximum sentence the defendant faces is an absurd 115 years in prison, even though, in reality, maximum sentences are rarely handed down.