The REvil group has gone dark. Many believe this is either the work of a government operation or a preemptive retreat spurred by fear of law enforcement. But given the timing and completeness of the shutdown, it is more likely a conscious decision by the group itself: let the heat die down before an almost certain return under a new name. They have done this before, having previously operated under other brands (see GandCrab). On their return they may even splinter into numerous smaller operations to obscure the fact that they are a single group.
Before going dark, the Russian-linked group orchestrated a vicious supply chain attack on Kaseya, an enterprise technology firm serving managed service providers (MSPs), with close to one million international customers. The July 2 attack encrypted the files of hundreds of businesses through the on-premises version of Kaseya's Virtual System Administrator (VSA) remote monitoring and management (RMM) product. By exploiting a zero-day vulnerability in VSA, REvil pushed ransomware to Kaseya's MSP customers and, through them, to the MSPs' own customers, in what was reported as more than 5,000 attacks.
Kaseya joined a growing list of disheartened supply chain victims: in April, REvil breached Quanta Computer, the world's largest laptop manufacturer and a supplier to tech companies such as HP, Facebook, and Google; SolarWinds was at the center of one of the largest and most sophisticated cyberattacks against U.S. government systems in recent years, involving at least nine federal agencies; and JBS, one of the world's largest meat processors, was hit with REvil ransomware in May 2021.
Although Kaseya has since obtained a master decryption key from a source it has not disclosed, the supply chain attack offers many teachable moments for the security community.
1. Backup, Backup, Backup
It is safe to infer that MSPs that were diligent about backing up their files were in a far better position than affected customers that were not, and their pocketbooks probably looked healthier too: some companies were reportedly asked for as much as $5 million to decrypt every PC on their network. Victims that had not been backing up regularly and securely had a much weaker case against paying for a REvil key. The affected MSPs were likely doing everything they could to prevent such an attack, but nothing is ever guaranteed, especially as cybercriminals reach new levels of sophistication. That is why it is always in a company's interest to stay ahead on backups and, where needed, to enlist a backup services provider. Without a secure backup, an organization is left with compromised systems and no way to continue operating, which hurts both its bottom line and its reputation. Backups should be reliable, secure, and compliant. That covers, but is not limited to, the choice of data center, encryption of data at rest and in transit, and the ability to purge backups on schedule. Two points deserve emphasis, because ransomware crews routinely hunt for backups before they encrypt: at least one copy should be offline or immutable, reachable only with credentials that the managed endpoints and the RMM platform do not hold, and a backup only counts once a restore from it has actually been tested.
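The following is an added example, not code from the original article, from Kaseya, or from any affected MSP. It shows what "reliable" and "ability to purge" look like in practice: a backup job that archives a directory, writes an HMAC-signed manifest of per-file hashes, makes the result read-only, proves restorability by doing a trial restore into a scratch directory and comparing hashes, and purges old archives without ever dropping below a minimum number of copies. Everything here is assumed for illustration: the function names, the `MANIFEST_KEY` (which in a real deployment would live in a secrets store the backed-up hosts cannot read), and the premise that encryption at rest and in transit is supplied by the storage layer (an encrypted volume, TLS to the backup target) rather than by this script.

```python
"""Backup with signed manifest, verified restore and retention purge.

Added example for illustration only; not the article's, Kaseya's or any
vendor's code. Encryption at rest/in transit is assumed to be handled by
the storage layer and is not implemented here.
"""
import hashlib
import hmac
import json
import os
import stat
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

# Hypothetical integrity key. In practice it lives in a secrets store that the
# managed endpoints cannot read, so an intruder who owns a host cannot forge a
# manifest that makes a tampered archive look good.
MANIFEST_KEY = b"example-only-manifest-key"


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _sign(manifest: dict) -> str:
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, payload, hashlib.sha256).hexdigest()


def _manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def make_backup(source: Path, dest: Path, when: Optional[float] = None) -> Path:
    """Archive `source` into dest/<UTC stamp>.tar.gz plus a signed manifest.
    Both files are made read-only afterwards (write-once store)."""
    when = time.time() if when is None else when
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime(when))
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{stamp}.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = _sha256_file(p)
                tar.add(p, arcname=rel)
    manifest = {"created": when, "files": files,
                "archive_sha256": _sha256_file(archive)}
    record = {"manifest": manifest, "hmac": _sign(manifest)}
    _manifest_path(archive).write_text(json.dumps(record, sort_keys=True))
    for p in (archive, _manifest_path(archive)):
        os.chmod(p, stat.S_IRUSR | stat.S_IRGRP)
    return archive


def verify_backup(archive: Path) -> bool:
    """A backup only counts once a restore has been tested: check the manifest
    signature and archive hash, then restore into scratch space and compare
    every file's hash against the manifest."""
    record = json.loads(_manifest_path(archive).read_text())
    manifest, sig = record["manifest"], record["hmac"]
    if not hmac.compare_digest(sig, _sign(manifest)):
        return False
    if _sha256_file(archive) != manifest["archive_sha256"]:
        return False
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive, "r:gz") as tar:
        # Refuse anything that could escape the scratch directory.
        for m in tar.getmembers():
            if not m.isfile() or m.name.startswith("/") or ".." in Path(m.name).parts:
                return False
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(tmp, **opts)
        restored = {p.relative_to(tmp).as_posix(): _sha256_file(p)
                    for p in Path(tmp).rglob("*") if p.is_file()}
    return restored == manifest["files"]


def purge_old_backups(dest: Path, keep_days: int, keep_min: int,
                      now: Optional[float] = None) -> list:
    """Delete archives older than keep_days but always keep the keep_min
    newest, so a retention run can never empty the store."""
    now = time.time() if now is None else now
    archives = sorted(dest.glob("*.tar.gz"))  # stamp-named, so oldest first
    candidates = archives[:-keep_min] if keep_min > 0 else archives
    removed = []
    for a in candidates:
        created = json.loads(_manifest_path(a).read_text())["manifest"]["created"]
        if now - created > keep_days * 86400:
            for p in (a, _manifest_path(a)):
                os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)
                p.unlink()
            removed.append(a)
    return removed
```

Run `make_backup` on a schedule, `verify_backup` immediately afterwards (and periodically on older archives, since media and tampering both fail silently), and `purge_old_backups` with a `keep_min` that covers your longest plausible dwell time: an attacker who has been inside for weeks has had the chance to corrupt every recent backup, so the oldest copies you retain are the ones that matter.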