A massive chain reaction on Friday infected at least hundreds and likely thousands of businesses worldwide with ransomware, including a railway, pharmacy chain, and hundreds of storefronts of Sweden’s Coop grocery store brand. Carried out by the notorious Russia-based REvil criminal gang, the attack is a watershed moment, a combination of ransomware and a so-called supply chain attack. Now, it’s becoming more clear how exactly they pulled it off.

Some details were known as early as Friday afternoon. To propagate its ransomware out to an untold number of targets, the attackers found a vulnerability in the update mechanism used by the IT services company Kaseya. The firm develops software used to manage business networks and devices, and then sells those tools to other companies called “managed service providers.” MSPs, in turn, contract with small and medium businesses or any institution that doesn’t want to manage its IT infrastructure itself. By seeding its ransomware using Kaseya’s trusted distribution mechanism, attackers could infect MSPs’ Kaseya infrastructure and then watch the dominos fall as those MSPs inadvertently distributed malware to their customers.

But by Sunday, security researchers had pieced together critical details about how the attackers both obtained and took advantage of that initial foothold.

“What’s interesting about this and concerning is that REvil used trusted applications in every instance to get access to targets. Usually ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords,” says Sophos senior threat researcher Sean Gallagher. Sophos published new findings related to the attack on Sunday. “This is a step above what ransomware attacks usually look like.”

Trust Exercise

The attack hinged on exploiting an initial vulnerability in Kaseya’s automated update system for its remote monitoring and management system known as VSA. It’s still unclear whether attackers exploited the vulnerability all the way up the chain in Kaseya’s own central systems. What seems more likely is that they exploited individual VSA servers managed by MSPs and pushed the malicious “updates” out from there to MSP customers. REvil appears to have tailored the ransom demands—and even some of their attack techniques—based on the target, rather than taking a one-size-fits-all approach. 

The timing of the attack was especially unfortunate because security researchers had already identified the underlying vulnerability in the Kaseya update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure was working with Kaseya to develop and test patches for the flaw. The fixes were close to being released, but hadn’t yet been deployed by the time REvil struck.

“We did our best and Kaseya did their best,” says Victor Gevers, a researcher from the Dutch Institute for Vulnerability Disclosure. “It is an easy-to-find vulnerability, I think. This is most likely the reason why the attackers won the end sprint.”

Attackers exploited the vulnerability to distribute a malicious payload to vulnerable VSA servers. But that meant they also hit, by extension, the VSA agent applications running on the Windows devices of the customers of those MSPs. VSA “working folders” typically operate as a trusted walled garden within those machines, which means malware scanners and other security tools are instructed to ignore whatever they’re doing—providing valuable cover to the hackers who had compromised them.

Once deposited, the malware then ran a series of commands to hide the malicious activity from Microsoft Defender, the malware-scanning tool built into Windows. Finally, the malware instructed the Kaseya update process to run a legitimate but outdated and expired version of Microsoft’s “Antimalware Service,” a component of Windows Defender. Attackers can manipulate this outmoded version to “sideload” malicious code, sneaking it past Windows Defender the way Luke Skywalker can sneak past Stormtroopers if he’s wearing their armor. From there, the malware began encrypting files on the victim’s machine. It even took steps to make it harder for victims to recover from data backups.
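The two conditions the article describes, a management agent’s working folder that scanners are told to ignore and a burst of Defender-tampering commands just before the payload runs, are both visible to a defender who watches the right telemetry. The following is an added detection sketch, not code from the article, from Kaseya, or from Sophos. It assumes records shaped like Microsoft Defender’s operational event log (the event IDs 5001, 5004, 5007, 5010 and 5012 are Microsoft’s published tamper-related IDs; the message text is simplified), a hypothetical agent folder `C:\ExampleAgent\working` standing in for whatever path a real agent uses, and constructed sample events, exclusions and process starts. It flags exclusions that cover the agent folder and correlates any process launched from an excluded folder with Defender tampering in the preceding minutes.

```python
"""Detection sketch: scanner exclusions that shelter an agent working folder, and
Defender tampering followed by execution from an excluded folder.

All sample data below is constructed for illustration; the agent path is hypothetical.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Microsoft Defender operational-log event IDs that indicate protection being
# weakened. The descriptions are paraphrased from Microsoft's documentation.
DEFENDER_TAMPER_EVENTS = {
    5001: "real-time protection disabled",
    5004: "real-time protection configuration changed",
    5007: "platform configuration changed",
    5010: "malware scanning disabled",
    5012: "virus scanning disabled",
}

# Hypothetical agent working folder (placeholder, not any vendor's real path).
AGENT_WORKING_DIR = r"C:\ExampleAgent\working"


def _parts(path: str) -> tuple:
    """Case-folded path components, since Windows paths are case-insensitive."""
    return tuple(part.lower() for part in PureWindowsPath(path).parts)


def is_under(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies anywhere beneath it."""
    p, r = _parts(path), _parts(root)
    return p[: len(r)] == r


def risky_exclusions(exclusions, agent_dir: str = AGENT_WORKING_DIR):
    """Exclusion entries that make the agent folder a blind spot: an entry that
    covers the folder (or a parent of it) or carves out a subfolder inside it."""
    return [e for e in exclusions if is_under(agent_dir, e) or is_under(e, agent_dir)]


def tamper_alerts(events):
    """(timestamp, event_id, description) for every Defender-weakening event."""
    return [
        (e["ts"], e["event_id"], DEFENDER_TAMPER_EVENTS[e["event_id"]])
        for e in events
        if e["event_id"] in DEFENDER_TAMPER_EVENTS
    ]


def correlate(events, processes, exclusions, window=timedelta(minutes=10)):
    """High-severity findings: a process starts from an excluded folder within
    `window` after Defender was tampered with."""
    tampers = tamper_alerts(events)
    findings = []
    for proc in processes:
        if not any(is_under(proc["image"], ex) for ex in exclusions):
            continue
        recent = [t for t in tampers if timedelta(0) <= proc["ts"] - t[0] <= window]
        if recent:
            findings.append(
                {"ts": proc["ts"], "image": proc["image"], "preceded_by": [t[1] for t in recent]}
            )
    return findings


# Constructed sample telemetry (timestamps and paths are invented).
T0 = datetime(2021, 7, 2, 14, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "event_id": 1150, "detail": "service healthy"},  # benign heartbeat
    {"ts": T0 + timedelta(minutes=1), "event_id": 5007, "detail": "exclusion list changed"},
    {"ts": T0 + timedelta(minutes=2), "event_id": 5001, "detail": "real-time protection off"},
]
SAMPLE_EXCLUSIONS = [r"C:\ExampleAgent\working", r"C:\Program Files\Backup"]
SAMPLE_PROCESSES = [
    {"ts": T0 + timedelta(minutes=5), "image": r"C:\ExampleAgent\working\agentmon.exe"},
    {"ts": T0 + timedelta(minutes=6), "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": T0 + timedelta(hours=3), "image": r"C:\ExampleAgent\working\agentmon.exe"},
]

if __name__ == "__main__":
    print("risky exclusions:", risky_exclusions(SAMPLE_EXCLUSIONS))
    for f in correlate(SAMPLE_EVENTS, SAMPLE_PROCESSES, SAMPLE_EXCLUSIONS):
        print("ALERT", f["ts"], f["image"], "after Defender events", f["preceded_by"])
```

Only the first `agentmon.exe` launch is reported: it starts from an excluded folder three to four minutes after the two tampering events, while the launch three hours later falls outside the window and `svchost.exe` is not in an excluded path. In practice the exclusion list would come from the endpoint’s Defender configuration and the process starts from Sysmon or the Security log, but the correlation logic is the same.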