
How REvil Ransomware Took Out Thousands of Businesses at Once

submitted by
Style Pass
2021-07-05 02:30:05

A massive chain reaction on Friday infected at least hundreds and likely thousands of businesses worldwide with ransomware, including a railway, pharmacy chain, and hundreds of storefronts of Sweden's Coop grocery store brand. Carried out by the notorious Russia-based REvil criminal gang, the attack is a watershed moment, a combination of ransomware and a so-called supply chain attack. Now, it's becoming more clear how exactly they pulled it off.

Some details were known as early as Friday afternoon. To propagate its ransomware out to an untold number of targets, the attackers found a vulnerability in the update mechanism used by the IT services company Kaseya. The firm develops software used to manage business networks and devices, and then sells those tools to other companies called “managed service providers.” MSPs, in turn, contract with small and medium businesses or any institution that doesn’t want to manage its IT infrastructure itself. By seeding its ransomware using Kaseya’s trusted distribution mechanism, the attackers could infect the MSPs’ Kaseya infrastructure and then watch the dominoes fall as those MSPs inadvertently distributed malware to their customers.

But by Sunday, security researchers had pieced together critical details about how the attackers both obtained and took advantage of that initial foothold.
