IT NEWS

Sometimes readers ask us how to send an anonymous email or how criminals and scammers manage to send anonymous emails. Since this is not an easy question to answer, because, for starters, there are several ways to interpret the question, I’ll try to give you some information here.

Interpret the question

Sending an anonymous letter via snail-mail was easy. You forgot to add the sender address, filled out a false one, and if there was a chance the receiver could recognize you by your handwriting you used newspaper clippings to construct the sentences. And snail mail had the advantage that you could drop your message in a mailbox that gathered mails from various senders before starting the delivery process. So, not even the carrier had any way to identify the sender. The place of origin is hidden except maybe roughly by looking at the post stamp to see from what postal district the letter came. Unless the sender went through the trouble of driving halfway across the country to post the letter.

As you can see there are a few sides even to this low-tech version of an anonymous mail:

• No sender address
• False sender address
• Masking the content > encryption
• Carrier
• Origin masking

What is a spoofed email?

Since sending an email without a sender address can result in errors and will certainly raise suspicion, it is easier to spoof a sender address. Spoofing is sending an email with a false sender address. Spoofing an address is relatively simple since the Simple Mail Transfer Protocol (SMTP) does not check the information in the  “From”, “Reply to”, or “Sender” fields. The only reason it is possible to track back an email with a spoofed address is because the email headers will include the sending IP address.

So, to pull off a completely untraceable spoofed email the sender will have to use a VPN to mask their IP address or use a compromised system to send the emails from. Compromised servers are popular with people running malicious email campaigns.

How can I send and receive an encrypted email?

A very different concern is to hide the content of an email from anyone except the intended receiver. This requires some type of encryption that only the receiver can decrypt. Encrypting emails like this—known as end-to-end encryption—has historically been difficult, although the tools for achieving this kind of encryption are getting better and easier to use.

Most emails are encrypted during transmission, but they are stored in clear text when they are at rest, making them readable by third parties such as email providers. But there are some providers that provide end-to-end encryption and zero access encryption to secure emails. This means even the service provider cannot decrypt and read your emails.

If you want to have full control and not depend on a provider you will need to exchange public keys with the parties that you want to start encrypted communications with. Once you have exchanged keys, most email clients will offer you the option to encrypt emails on a per-message basis.

How can I send an email anonymously?

I wrote a blog post on how to send encrypted mails a long time ago. Some things have become considerably easier since then. Some carriers offer you the option to send end-to-end encrypted email for free. Personally I have only tried Protonmail which allows you to come up with your own email address, and even the free version is free of advertisements. You only need to provide an existing email address if you want to use that as a recovery method in case you forget your credentials. If you do not need that option the sign-up procedure is completely anonymous.

Is ProtonMail really anonymous?

Protonmail is a secure email provider that does not solicit any information from you to use the free version, as long as you don’t chose to use the recovery option. For any legitimate use case Protonmail can be considered secure and private. This is considering that for any legitimate use cases it should be enough to send an encrypted email, so that the intended receiver is the only one that can read the content of the message.

Protonmail can even be used in combination with a VPN so that even your IP address remains hidden. Unfortunately this also makes the service very popular amongst ransomware peddlers who sometimes create individual Protonmail accounts for every single victim.

Can email be traced?

Even hardened criminals make mistakes, so you should always be weary of the fact that an email you sent can be tracked back to you. On the other hand it is virtually impossible for anyone to trace back an email that was sent using all the techniques we have described above. As so often, it is wise to assume the worst possible scenario. We have seen script kiddies that thought they could use a Gmail account as a means to send anonymous emails. Maybe the receiver will not be able to trace it back, but the police certainly will, with some help from Google. If you need plausible deniability don’t put it in writing. For legitimate use we hope to have handed you some useful tips.

I have received an anonymous or spoofed email. What should I do?

How you deal with any mails you receive normally depends on the content. As with any email, it is advisable to scrutinize whether the email and the sender are who and what they claim to be. If you recognize the sender but don’t trust the content, contact the sender through other means to verify they sent it. Do not send read receipts or other confirmations that you have read the mail before you are sure you can trust the sender.

You can find some tips on how to recognize and deal with unsolicited mail in this blogpost about recognizing and disposing of malicious emails and this article about phishing. If the mail has the character of an extortion email you may find our post describing what to do when you receive an extortion email helpful. Depending on where you live it may be prudent, or even mandatory, to inform the proper authorities about any extortion attempts.

The post How to send an anonymous email appeared first on Malwarebytes Labs.

Software vendor Kaseya has been caught in the chaos of a supply-chain compromise by the REvil ransomware gang since Friday. Around 40 managed service providers (MSPs) that rely on Kaseya VSA software to administer customers’ IT—and up to 1,500 of their customers—have been stricken with the ransomware.

In response to the attack, Kaseya shutdown the SaaS version of VSA, and instructed users of its on-premises customers to do the same. Organizations that use Kaseya VSA, and their clients, have been without the administration tool since.

Yesterday, the company released a video detailing the attack and steps taken to mitigate it. It was hoping to be back up and running as soon as possible, but it seems an already cautious approach has taken on an additional helping of reserve.

A new, unscripted video has been released in the last few hours which details a delay to getting things back up and running. The original estimate for a recovery timeline appeared to be bringing the SaaS version of VSA back on Tuesday morning, with on-premises installations to follow. That then switched to today. This latest video now mentions Sunday as the most likely date for things to get moving. The reason? Security, apparently.

Security concerns

Friday’s attack was made possible by a zero-day vulnerability in the on-premises VSA platform. Since then, Victor Gevers of the Dutch Institute for Vulnerability Disclosure (DIVD) has revealed that the organization had been in a “coordinated vulnerability disclosure process” with Kaseya at the time of the attack. Fixing those is clearly top of Kaseya’s agenda before it can instruct customers to restart VSA servers.

Striking an apologetic and far less bullish tone than in his first video, the beleaguered Kaseya CEO, Fred Voccola, says the new release time is going to be “this Sunday, in the early afternoon, Eastern Standard time“. This decision, he says, is down to him alone in order to put additional layers of protection in place.

In his own words:

The reason for that is we had all the vulnerabilities that were exploited during the attack, we had them locked. We felt comfortable with the release. Some of the third-party engineers, engineering firms and companies that we’ve been working with, as well as some of our own IT people, made some suggestions to put additional layers of protection in there for things that we might not be able to foresee. This was probably the hardest decision that I’ve had to make in my career. And, we decided to pull it for an additional three and a half days, or whatever the approximate time is … to make sure that it is hardended as much as we feel we can do for our customers.

The slow, careful approach will no doubt cause some roadblocks for customers waiting on systems to be back online. However, this has to be a better alternative than something else happening because a weak spot wasn’t identified.

The company has released a Compromise Detection Tool, and created a runbook of changes Kaseya VSA customers will need to their on-premises environments to prepare for Sunday’s patch.

You can see a full up-to-date timeline of events in the Kasya supply-chain attack in our original article. We will update this as new facts emerge.

The post Kaseya update delayed for security reasons appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence Team recently found a malicious spam campaign making the rounds and banking on the ransomware attack that forced Kaseya to shut down its VSA service.

This is a classic example of an opportunistic attack conducted by (potentially) another threat actor/group off the back of another threat actor/group’s attack. With Kaseya being a big name in the MSP world and the company attempting to take their VSA SaaS platform off the ground, post-attack, it’s the perfect time and opportunity to also capitalize on organizations who are eagerly waiting for the hotfix that REvil exploited in the first place so they can get back to business as quickly as possible.

The email that Malwarebytes found contains both a malicious link and attachment purporting to have come from Microsoft. The link leads to the download of a file called ploader.exe while the attachment, named SecurityUpdate.exe. Both of these are Cobalt Strike payloads.

The email reads in part:

“Guys please install the update from microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya.”

The Threat Intelligence Team at Malwarebytes also noted that the location where the payload is hosted is the same IP address used in another malspam campaign that was pushing Dridex, a known information stealer. In the past, threat actors behind Dridex campaigns were also observed using Cobalt Strike.

If you may recall, Cobalt Strike is a legitimate software that bills itself as an “adversary simulation software.” Ransomware actors, in particular, are known to abuse legitimate software and make it part of their overall malicious attack against target organizations during their big game hunting (BGH) campaigns.

If you’re a Kaseya client, you can get first-hand updates on the VSA incident here.

It goes without saying that any and all companies affected by the Kaseya ransomware attack should only get patches straight from their vendor. Links and/or attachments sent over your way, even from a trusted colleague, should be suspect until you have confirmed with your vendor of the availability of a patch and where or how to get it. Realize that this is not the first time that threat opportunists bank on attacks like what Kaseya experienced. Opportunists will show no mercy in targeting cyber attack victims multiple times as long as they get something out of it.

In this case, with the use of Cobalt Strike, these threat actors intend to also gain access to your already-compromised system possibly for further reconnaissance or to conduct a local, follow up attack.

Stay safe!

The post Malspam banks on Kaseya ransomware attack appeared first on Malwarebytes Labs.

Last week we wrote about PrintNightmare, a vulnerability that was supposed to be patched but wasn’t. After June’s Patch Tuesday, researchers found that the patch did not work in every case, most notably on modern domain controllers. Yesterday, Microsoft issued a set of out-of-band patches that sets that aims to set that right by fixing the Windows Print Spooler Remote Code Execution vulnerability listed as CVE-2021-34527.

Serious problem

For Microsoft to publish an out-of-band patch a week before July’s Patch Tuesday shows just how serious the problem is.

PrintNightmare allows a standard user on a Windows network to execute arbitrary code on an affected machine, and to elevate their privileges as far as domain admin, by feeding a vulnerable machine a malicious printer driver. The problem was exacerbated by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the event it turned out to be a bit of both.

Last week the Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to disable the Windows Print Spooler service in domain controllers and systems that don’t print.

However, the installation of the Domain Controller (DC) role adds a thread to the spooler service that is responsible for removing stale print queue objects. If the spooler service is not running on at least one domain controller in each site, then Active Directory has no means to remove old queues that no longer exist.

So, many organizations were forced to keep the Print Spooler service enabled on some domain controllers, leaving them at risk to attacks using this vulnerability.

Set of patches

Depending on the Windows version the patch will be offered as:

• KB5004945 for Windows 10 version 2004, version 20H1, and version 21H1
• KB5004946 for Windows 10 version 1909
• KB5004947 for Windows 10 version 1809 and Windows Server 2019
• KB5004949 for Windows 10 version 1803 which is not available yet
• KB5004950 for Windows 10 version 1507
• Older Windows versions (Windows 7 SP1, Windows 8.1 Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows Server 2012 R2) will receive a security update that disallows users who are not administrators to install only signed print drivers to a print server.

Security updates have not yet been released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft.

The updates are cumulative and contain all previous fixes as well as protections for CVE-2021-1675.

Not a complete fix

It is important to note that these patches and updates only tackle the remote code execution (RCE) part of the vulnerability. Several researchers have confirmed that the local privilege escalation (LPE) vector still works. This means that threat actors and already active malware can still locally exploit the vulnerability to gain SYSTEM privileges.

Advice

Microsoft recommends that you install this update immediately on all supported Windows client and server operating systems, starting with devices that currently host the print server role. You also have the option to configure the RestrictDriverInstallationToAdministrators registry setting to prevent non-administrators from installing signed printer drivers on a print server. See KB5005010 for more details.

“The attack vector and protections in CVE-2021-34527 reside in the code path that installs a printer driver to a Server. The workflow used to install a printer driver from a trusted print server on a client computer uses a different path. In summary, protections in CVE-2021-34527 including the RestrictDriverInstallationToAdministrators registry key do not impact this scenario.”

CISA encourages users and administrators to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note VU #383432 and apply the necessary updates or workarounds.

Impact of the updates

So, the vulnerability lies in the normal procedure that allows users to install a printer driver on a server. A printer driver is in essence an executable like any other. And allowing users to install an executable of their choice is asking for problems. Especially combined with a privilege escalation vulnerability that anyone can use to act with SYSTEM privileges. The updates, patches, and some of the workarounds are all designed to limit the possible executables since they need to be signed printer drivers.

For a detailed and insightful diagram that shows GPO settings and registry keys administrators can check whether their systems are vulnerable, have a look at this flow chart diagram, courtesy of @gentilkiwi.

The post Patch now! Emergency fix for PrintNightmare released by Microsoft appeared first on Malwarebytes Labs.

Messages placed directly in or around games is a common hack technique. It can be used for trolling, phishing, scams, or anything else the message-placer can think of. Messages can also be placed in games for the purposes of advertising but that’s a tale for a different day.

Recently, players of Apex Legends have found themselves blocked from playing the game, thanks to said message placement. The multiplayer title had server playlists switched out for commentary on the state of Titanfall. This is an older game made by the same developers, Respawn Entertainment.

Levelling up a pyrrhic victory

Fans have complained for a while now that Titanfall has become unplayable due to hacks and cheaters. As such, this message – “Save Titanfall, TF1 is being attacked so is Apex” gave the same treatment to Apex Legends that Titanfall has been plagued by. Can’t play one game? Sorry, then you can’t play this game over here either. A sort of mutually assured destruction played out in games over screens.

Game developers Respawn have come out all digital guns blazing, claiming the attacks “achieved nothing of value”. This is because the messages referenced a campaign to “save” Titanfall which they were already aware of. Besides the extra work for the devs and a ruined weekend, the biggest reputation hit belongs to the Save Titanfall campaign. They’ve had to place a message at the top of their site which reads

IMPORTANT MESSAGE: This website, nor the Discord servers listed below, are in no way associated with the recent Apex Legends hack.

Plugging the DDoS gap in gaming

Ouch. DDoS attacks in video game land have been around forever. As the Respawn dev points out, solving such problems in gaming environments isn’t easy. Being locked out of multiplayer only games isn’t something the players can fix, so all eyes will be on the dev team to see what they can do about the current, occasional lack of a state of play.

It’s possible more antics will take place in Apex land until such time as Titanfall is back to full health, so gamers should be on their guard.

The post Game over: Apex Legends players locked out by protest message appeared first on Malwarebytes Labs.

Only rarely do companies allow us a look inside their organization while they are recovering from a ransomware attack. Many find it more convenient to keep a low profile or to be secretive.

A positive exception to this is found in the Dutch managed service provider (MSP) VelzArt, one of the many unfortunate victims of Friday’s enormous, cascading supply-chain attack on Kaseya. The attack used a zero-day vulnerability to create a malicious Kasaya VSA update, which spread REvil ransomware to some of the MSPs that use it, and then on to the customers of those MSPs.

Instead of avoiding the limelight, VelzArt has blogged meticulously since Friday about how it and its customers were affected, and the steps it has taken to get them up and running.

VelzArt offers its customers a broad spectrum of ICT solutions, delivered using remote administration tools. One of those tools is Kaseya VSA. The company writes that it was in the process of switching to another remote administration platform at the time of the attack, but Kaseya software was still installed on some customers’ systems. Since Friday it has been working to recover those customers.

Here are five lessons we can all learn about recovering from ransomware, thanks to VelzArt’s admirable transparency.

1. Know when to communicate

Communication is key during times of crisis. VelzArt writes that after learning about the ongoing attacks in the evening of July 2, it immediately informed the customers it managed using Kaseya software by mail, phone, and newsletters. It also started the blog that became the basis for this article.

This open communication allowed it to triage more effectively. A production company that works 24/7 needs their servers more urgently in the weekend than a law firm that needs everything ready by Monday morning.

During the evening and night, VelzArt says it limited its customer contact to email, in order to prioritize actually getting the recovery procedures done. While it is understandable that anxious customers want to be kept informed, there has to be time for actually getting the work done.

2. Backups take time

Recovering from a ransomware attack normally means rebuilding everything from backups. And that makes backups a target for ransomware.

VelzArt writes that on most servers and some of the workstations, it was able to restore from backups without any major problems. However, stopping the attackers getting to the backups is only half the battle. Machines that have been attacked by ransomware may be harbouring other malware, so backups need to be loaded on to a clean machine, and that takes time: Restoring backups is not a quick fix.

VelzArt says that the servers that were taken offline to stop the attack had to be picked up from clients, checked, reinstalled, and then made ready for normal operations. The company writes that it took quite some effort to pull that off, with staff working in teams through the night. Extra power circuits had to be set up to handle the extra demand.

The company expected 70 percent of servers to be restored by the start of Tuesday. On Tuesday, they hoped to get started with gathering all the workstations that had a back-up option, and Wednesday would be the day to get the re-installed workstations back into their operational status, meaning they would get the necessary software installed, and connected to the network.

3. Help can come from unexpected places

Recovering from ransomware doesn’t just take time, it takes people, too. If you are recovering from a ransomware attack there is a good chance that you will need external help.

VelzArt writes that it worked with one customer on a trial for self-remediation. Because of a lack of information from Kaseya it was not sure how much work would be needed for every individual workstation. The company hoped that the trial would produce a method they could use with other customers.

On Sunday afternoon they asked customers to turn on their workstations, without logging in, stating that they found an automated way to restore workstations remotely. The activated workstations gave VelzArt an idea of what the impact of the attack had been. A warning was given to the customers that the reset procedure for the affected workstations would result in a total loss of local data and installed software. Basically, the system would be flattened and reinstalled.

By Monday morning the automated script it had worked out with the help of one willing company was ready to help the others.

VelzArt also noted that friendly competitors had offered to help them resolve the situation. An offer they were happy to tell their customers they had accepted, in order to speed up the recovery.

Insight from another victim

VelzArt’s unusual level of communication provides us with a rare insight in what a company has to go through when they’re recovering from a ransomware attack. Their transparency will help other victims and we wish them luck on a speedy recovery.

Although rare, there are other organizations that have gone public with the details of what it takes to recover from a ransomware attack.

In the latest episode of the Lock and Code podcast, host David Ruiz speaks to Ski Kacoroski—a system administrator with the Northshore School District in Washington state—about the immediate reaction, the planned response, and the long road to recovery from a ransomware attack. You can listen to it below, or on Apple Podcasts, Spotify, and Google Podcasts.

The post 3 things the Kaseya attack can teach us about ransomware recovery appeared first on Malwarebytes Labs.

The official YouTube channel of Kaseya, the latest organization attacked by no less than the criminals behind REvil ransomware, released a video of Fred Voccola, Kaseya’s CEO, giving a first-hand account of what happened during the attack, the facts on affected customers, and the next steps they’re taking to get clients back up and running as quickly as possible.

On Friday afternoon, the 2nd of June, Kaseya started receiving reports of “suspicious things happening,” Voccola said in the video.

“We weren’t quite sure exactly what it was, but as third parties, the community, our own monitoring customers, we started noticing some strange behaviors,” Voccola recounted in the video. “Within an hour, we immediately shut down VSA.”

The service shut down has painfully disrupted all their VSA users, but it was an easy decision to make and not without basis, Voccola said. “Our cybersecurity playbook states very clearly [that] the first thing to do is to protect and make sure anything that’s potentially dangerous doesn’t have a chance to harm multiple parties,” Voccola said.

Voccola said that, in part due to the modular nature of Kaseya’s security architecture, the company’s rapid response team—with extensive support from Homeland Security, the FBI, and the White House—managed to contain the breach to one module of IT Complete, Kaseya’s remote monitoring and management (RMM) module. The attack affected just one module of IT Complete out of the 27 modules. That module includes approximately 50 customers out of approximately 37,000 customers, Voccola said. Kaseya’s customers are primarily managed service providers (MSPs), who outsource IT services to approximately 800,000 to a 1,000,000 SMBs around the world. Kaseya believes that those SMBs directly affected by the REvil ransomware attack are between 800 to 1,500 in number.

As for what Kaseya is doing now to get the affected RMM module back up and running, Voccola gave the “incredibly conservative” timeline of “in the coming hours” today, the 6th of July.

If you’re a Kaseya client, you can get first-hand updates on the VSA incident here.

Voccola also directly addressed the 50 customers who were breached: “We hope this message does not sound like we’re diminishing it by saying less than 0.01 percentage of our customers were breached… We are here to help.”

Kaseya’s CEO also imparted some advice for other organizations.

“When something happens, it’s how prepared the organization was, how quickly the organization is to admit something happened and not try to it,” Voccola said. “Seek help from people and try to get focus on the customers and get information out there.”

The post Kaseya CEO: “The impact of this incredibly sophisticated attack is very minimal” appeared first on Malwarebytes Labs.

At 11:37 pm on the night of September 20, 2019, cybercriminals launched a ransomware attack against Northshore School District in Washington state. Early the next morning, Northshore systems administrator Ski Kacoroski arrived on scene. As Kacoroski soon found out, he and his team were on a race against time—the ransomware actively spreading across servers holding data necessary for day-to-day operations. And importantly, in just four days, the school district needed—by law—to pay its reachers. That was now at risk.

Today, we speak to Kacoroski about the immediate reaction, the planned response, and the eventual recovery from a ransomware attack. Tune in to hear Kacoroski’s story—and any lessons learned—on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Racing against a real-life ransomware attack, with Ski Kacoroski: Lock and Code S02E12 appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Is it Game Over for VR Advergaming?
• Lil’ skimmer, the Magecart impersonator
• What is the WireGuard VPN protocol?
• Binance receives the ban hammer from UK’s FCA
• Fired by algorithm: The future’s here and it’s a robot wearing a white collar
• Second colossal Linkedin “breach” in 3 months, almost all users affected
• Police seize DoubleVPN data, servers, and domain
• PrintNightmare 0-day can be used to take over Windows domain controllers
• SMS authentication code includes ad: A very bad idea
• Microsoft exec reveals “routine” secrecy orders from government investigators
• Beware password spraying Fancy Bears
• Shutdown Kaseya VSA servers to stop cascading REvil attack against MSPs, clients

Other cybersecurity news

• Researchers explore the insecure world of the subdomain (Source: Can i take your subdomain)
• Cyber insurance model is broken, consider banning ransomware payments (Source: The Register)
• How facial recognition solutions can safeguard the hybrid workplace (Source: Help Net Security)
• Capital One hacker faces fresh charges for 2019 hacking spree (Source: Teiss)
• HMRC-branded phishing scams surge despite protections (Source: Computer Weekly)
• Cryptomining malware hits gamers doing the dodgy (Source: Pickr)
• Confessions of a famous fraudster: how and why social engineering scams work (Source: Security Intelligence)
• IoT risks are real, and this is how you mitigate them (Source: IT Pro)
• Reuters: Israeli charged in global hacker for hire scheme wants plea deal (Source: Reuters)

Stay safe, everyone!

The post A week in security (June 28 – June 4) appeared first on Malwarebytes Labs.

A severe ransomware attack reportedly taking place now against the popular Remote Monitoring and Management software tool Kaseya VSA has forced Kaseya into offering urgent advice: Shutdown VSA servers immediately.

“We are experiencing a potential attack against the VSA that has been limited to a small
number of on-premise customers only as of 2:00 PM EDT today,” Kaseya wrote on Friday afternoon.

“We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.

It’s critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA.”

The attack is reportedly delivered through a Kaseya VSA auto-update that maliciously pushes the Revil ransomware onto victims’ machines. Kaseya is a popular software developed for Managed Service Providers that provide remote IT support and cybersecurity services for small- to medium-sized businesses that often cannot afford to hire full-time IT employees, due to their limited size or budgets.

Complicating the attack is the fact that, according to cybersecurity researcher Kevin Beaumont, the malicious update carries administrator rights for clients’ systems, “which means that Managed Service Providers who are infected then infect their client’s systems.”

For a company that says it has 40,000 customers, this could be a disaster.

During the attack, the cybercriminals reportedly shut off administrative access to VSA, and several protections within Microsoft Defender are disabled, including Real-Time Monitoring, Script Scanning, and Controlled Folder Access.

A screenshot from Malwarebytes reveals a ransom note delivered to an infected Windows machine. In the note, attackers warn:

“|—=== Welcome. Again. ===—

[-] Whats HapPen? [-]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7pc78r01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you can’t return your data (NEVER).”

Malwarebytes customers are currently protected from REvil, as shown in the screenshots below, and Malwarebytes is committed to continuing this protection. (Malwarebytes detects REvil as Sodinokibi)

We will update this post with more information as it becomes available, but the immediate guidance from Kaseya cannot be overstated: Shutdown VSA servers immediately.

Indicators of Compromise (IOCs)

Loader

df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7
66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8
81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e

REvil/Sodinoki DLL

d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

The post Shutdown Kaseya VSA servers now amidst cascading REvil attack against MSPs, clients appeared first on Malwarebytes Labs.