How REvil Ransomware Took Out Thousands of Businesses at Once

More details have come to light as to how the notorious hacking group pulled off its unprecedented attack.

LILY HAY NEWMAN | SECURITY | JUL 4, 2021 7:34 PM

[Photo: The Swedish Coop grocery chain closed hundreds of storefronts after being caught up in a broader REvil ransomware wave. PHOTOGRAPH: STEPHAN SCHULZ/GETTY IMAGES]

A massive chain reaction on Friday infected at least hundreds and likely thousands of businesses worldwide with ransomware, including a railway, pharmacy chain, and hundreds of storefronts of Sweden's Coop grocery store brand. Carried out by the notorious Russia-based REvil criminal gang, the attack is a watershed moment, a combination of ransomware and a so-called supply chain attack. Now, it's becoming clearer how exactly they pulled it off.

Some details were known as early as Friday afternoon. To propagate its ransomware out to an untold number of targets, the attackers found a vulnerability in the update mechanism used by the IT services company Kaseya. The firm develops software used to manage business networks and devices, and then sells those tools to other companies called “managed service providers.” MSPs, in turn, contract with small and medium businesses or any institution that doesn’t want to manage its IT infrastructure itself.
By seeding its ransomware using Kaseya’s trusted distribution mechanism, attackers could infect MSPs’ Kaseya infrastructure and then watch the dominos fall as those MSPs inadvertently distributed malware to their customers.

But by Sunday, security researchers had pieced together critical details about how the attackers both obtained and took advantage of that initial foothold.

“What’s interesting about this and concerning is that REvil used trusted applications in every instance to get access to targets. Usually ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords,” says Sophos senior threat researcher Sean Gallagher. Sophos published new findings related to the attack on Sunday. “This is a step above what ransomware attacks usually look like.”

Trust Exercise

The attack hinged on exploiting an initial vulnerability in Kaseya’s automated update system for its remote monitoring and management system known as VSA. It’s still unclear whether attackers exploited the vulnerability all the way up the chain in Kaseya’s own central systems. What seems more likely is that they exploited individual VSA servers managed by MSPs and pushed the malicious “updates” out from there to MSP customers. REvil appears to have tailored the ransom demands—and even some of their attack techniques—based on the target, rather than taking a one-size-fits-all approach.

The timing of the attack was especially unfortunate because security researchers had already identified the underlying vulnerability in the Kaseya update system. Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure was working with Kaseya to develop and test patches for the flaw. The fixes were close to being released, but hadn’t yet been deployed by the time REvil struck.

“We did our best and Kaseya did their best,” says Victor Gevers, a researcher from the Dutch Institute for Vulnerability Disclosure.
“It is an easy-to-find vulnerability, I think. This is most likely the reason why the attackers won the end sprint.”

Attackers exploited the vulnerability to distribute a malicious payload to vulnerable VSA servers. But that meant they also hit, by extension, the VSA agent applications running on the Windows devices of the customers of those MSPs. VSA “working folders” typically operate as a trusted walled garden within those machines, which means malware scanners and other security tools are instructed to ignore whatever they're doing—providing valuable cover to the hackers who had compromised them.

Once deposited, the malware then ran a series of commands to hide the malicious activity from Microsoft Defender, the malware-scanning tool built into Windows. Finally, the malware instructed the Kaseya update process to run a legitimate but outdated and expired version of Microsoft’s Antimalware Service, a component of Windows Defender. Attackers can manipulate this outmoded version to “sideload” malicious code, sneaking it past Windows Defender the way Luke Skywalker can sneak past stormtroopers if he's wearing their armor. From there, the malware began encrypting files on the victim's machine.
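The sequence the researchers describe above, Defender tampering followed by the launch of an outdated copy of Defender's own Antimalware Service from an agent working folder, leaves a recognisable trail in endpoint process-creation logs. The Python script below is an added example written for this article, not code from Sophos, Kaseya or WIRED. It runs three checks over a handful of constructed process-creation events: commands that disable Defender or add exclusions, the Antimalware Service binary starting from somewhere other than its normal install directories, and the stronger case where that binary starts from a folder that was excluded from scanning moments earlier on the same host. The tampering patterns (Set-MpPreference/Add-MpPreference cmdlets and stopping the WinDefend service) are an assumption, since the article does not list the commands the malware actually ran; the binary name MsMpEng.exe and its install directories are standard Windows facts not taken from the article; and C:\<vsa-working-folder> is a placeholder path.

```python
"""
Detection sketch for the Defender-evasion sequence described in the article.
Added example, not the vendor's or researchers' code. Event fields follow a
generic process-creation schema; log lines are constructed for this example.
"""
import re
from dataclasses import dataclass

# Directories from which Defender's Antimalware Service (MsMpEng.exe) is normally
# started. Windows paths are compared case-insensitively after normalisation.
EXPECTED_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

# Generic Defender-tampering indicators. Assumption: the article does not say which
# commands the malware used; these are common ways of switching Defender off or
# carving out scan exclusions.
TAMPER_PATTERNS = [
    re.compile(r"set-mppreference\s+.*-disable\w*\s+\$?true", re.I),
    re.compile(r"(add|set)-mppreference\s+.*-exclusion(path|process|extension)", re.I),
    re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+windefend", re.I),
]
# Captures the directory handed to -ExclusionPath so later launches can be correlated.
EXCLUSION_RE = re.compile(r"-exclusionpath\s+['\"]?([^'\"\s]+)", re.I)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks behave like Windows paths."""
    return path.replace("/", "\\").lower()


def analyze(events: list[dict]) -> list[Finding]:
    """Walk events in order, remembering per-host exclusions added along the way."""
    findings: list[Finding] = []
    excluded: dict[str, list[str]] = {}  # host -> normalised excluded directories
    for ev in events:
        host, cmd, image = ev["host"], ev.get("cmdline", ""), _norm(ev["image"])

        # Rule 1: any Defender-tampering command line (one finding per event).
        for pat in TAMPER_PATTERNS:
            if pat.search(cmd):
                findings.append(Finding(host, "defender_tampering", cmd))
                break

        m = EXCLUSION_RE.search(cmd)
        if m:
            excluded.setdefault(host, []).append(_norm(m.group(1)).rstrip("\\") + "\\")

        # Rules 2 and 3: the Antimalware Service binary running from an unexpected
        # place, upgraded when that place was just excluded from scanning.
        basename = image.rsplit("\\", 1)[-1]
        if basename == "msmpeng.exe" and not image.startswith(EXPECTED_DEFENDER_DIRS):
            rule = "antimalware_service_outside_install_dir"
            if any(image.startswith(d) for d in excluded.get(host, [])):
                rule = "antimalware_service_in_excluded_folder"
            findings.append(Finding(host, rule, ev["image"]))
    return findings


# Constructed sample events (not real telemetry). ws01 is a clean host; ws02 shows
# the exclusion-then-sideload pattern from an agent working folder placeholder.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws01", "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "cmdline": "\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\""},
    {"host": "ws02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\""},
    {"host": "ws02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command \"Add-MpPreference -ExclusionPath C:\\<vsa-working-folder>\""},
    {"host": "ws02", "image": "C:\\<vsa-working-folder>\\MsMpEng.exe",
     "cmdline": "\"C:\\<vsa-working-folder>\\MsMpEng.exe\""},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

The exclusion rule on its own will also fire when an MSP agent is installed legitimately, which is exactly the "trusted walled garden" the article describes, so it should be baselined rather than alerted on directly. The signal worth paging on is the correlation: a scan exclusion followed by a copy of the Antimalware Service executable starting from inside that excluded folder.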
It even took steps to make it harder for victims to recover from data backups.

Gevers says that in the past two days the number of VSA servers accessible on the open internet has dropped from 2,200 to less than 140, as MSPs scramble to follow Kaseya's advice and take them offline.

“Although the scale of this incident may make it so that we are unable to respond to each victim individually, all information we receive will be useful in countering this threat,” the FBI said in a statement on Sunday.

No End in Sight

Kaseya has been releasing regular updates. “Our efforts have shifted from root-cause analysis and mitigating the vulnerability to beginning the execution of our service recovery plan,” the company said on Sunday afternoon. The company had still not reinstated its cloud-based service—seemingly unaffected by the attack—as of Sunday evening.

Organizations often contract with MSPs because they know that they don’t have the expertise or resources to oversee their networks and infrastructure themselves. The risk, though, is that trusted service providers themselves could then be targeted and endanger all of their customers downstream.

“For smaller or insufficiently resourced organizations it sometimes makes sense to offload the heavy lifting to the experts,” says Kenneth White, founder of the Open Crypto Audit Project. “But that trust brings with it an obligation to have the most stringent defenses and detection possible by the service provider, because they control the crown jewels, literally the keys to the kingdom. It's breathtaking, really.”

As to why REvil attackers would continue escalating their tactics in such a dramatic way after calling so much attention to themselves with recent high-profile incidents like hitting the global meat supplier JBS, researchers say it’s important to remember REvil’s business model.
The actors don’t work alone, but license their ransomware to a network of affiliates who run their own operations and then simply give REvil a cut.

“It’s a mistake to think of this in terms of REvil alone—it’s an affiliate actor over which the core REvil team will have limited control,” says Brett Callow, a threat analyst at the antivirus firm Emsisoft. He's not optimistic that the escalations will stop anytime soon. “How much money is too much?"

Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University.

TOPICS: RANSOMWARE, HACKING, MALWARE