The name “Kaseya” has become one of the biggest words in ransomware infamy.
Cybercriminals penetrated the IT management business Kaseya earlier this year and used the company’s own remote management tools to wreak simultaneous ransomware havoc across its customer base.
Unfortunately for the many victims of the attack, Kaseya’s software required customers to designate a specific area on their hard disks as exempt from anti-malware scanning.
The reason, we’re guessing, is that someone decided that a staging directory for collecting and distributing software updates, where application files would be temporarily stored as data but not executed as programs, didn’t need to be protected as strongly as the rest of the computer.
After all, why scan the files over and over again while they’re merely being downloaded, shuffled, organised and packaged for delivery, instead of waiting to do a final scan only of those files that ultimately get used?
The problem with anti-malware “exclusion zones” of this sort, however, is that they become a perfect hiding place for well-informed crooks, because rogue code that’s secretly injected into the unprotected area can be launched without generating any of the the usual alarms.
Went too well…
In the end, it almost felt as though the gang behind the Kaseya infiltration succeeed too well, drawing concerted attention in the aftermath of the attack.
Indeed, the crooks decided to go all in by offering a “one size fits all” decryptor – a sort of global site licence, if you like; an all-you-can-eat file unscrambling buffet – for a one-off collective payment.
The plan might even have worked, if the criminals hadn’t set the fee at a jaw-dropping $70,000,000, though whether they seriously hoped to get paid in full, or simply wanted to rub the world’s noses in the mess, we may never know.
The ultimate lesson, however, seems to be that you rub the noses of US law enforcement agencies, of Europol, Eurojust and Interpol, and of investigators from at least Romania, Canada, The Netherlands, Poland, Australia, Germany, Switzerland, Ukraine and the United Kingdom…
…at your own risk.
We’re saying that because a US Department of Justice (DOJ) press release has just announced the arrest of a Ukrainian suspect, 22, allegedly one of the REvil ransomware operators behind the Kaseya attack.
The DOJ also seized more than $6,000,000 in assets that it describes as “traceable to alleged ransom payments received by […] a Russian national, who is also charged with conducting […] REvil ransomware attacks against multiple victims, including businesses and government entities [in the USA in 2019]”.
That Russian suspect, slightly older at 27, is still at large.
In a parallel report, Europol says that a further five REvil suspects have been picked up over the past week in Romania, saying that “the arrested affiliates asked for more than EUR 200 million in ransom”.
Additionally, Europol notes that South Korean police nabbed three more ransomware “affiliates” in February, April and October this year, and law enforcement in Kuwait arrested a further ransomware suspect earlier this month.
Astute readers will remember seeing Korean police observers in a Ukrainian cyberpolice arrest video earlier this year – the one where a BFG (Big Fat Grinder) was used to open a door that the crooks wouldn’t.
What next?
As we wondered last week, when Europol announced a big forensic swoop on 12 people allegedly active in and around the ransomware scene – from the penetration teams who break in at the start to the money mules who launder the ill-gotten cryptocoins at the end…
…perhaps the worm is indeed beginning to turn on the ransomware scene?
Learn more about Sophos Managed Threat Response here:
Sophos MTR – Expert Led Response ▶
24/7 threat hunting, detection, and response ▶