[MART] - Daily Diary #298 - Sodinokibi Gang Targeting MSPs Through Supply-Chain Attack (cont.)

CTAS-MAT ctas-mat at appgate.com
Mon Jul 5 21:42:41 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

07/05/2021 - Diary entry #298:

In our Daily Diary #297 we covered Sodinokibi's Supply-Chain attack on Kaseya VSA, a cloud based MSP platform. By infecting the on-premises MSP providers, Sodinokibi's gang could deploy their ransomware in all the managed computer fleet. It's not clear how many devices were actually affected.

REvil "Happy Blog", their deep-web wall-of-shame, is one of the monitored on our team's Ransom Tracker. Today, July 5th, they created a post on Kaseya attack. Besides claiming responsibility, they said more than a million systems were infected. They are also asking for 70 million USD in BTC to release the decryptor. According to the same post, once someone pays the decryptor will be released publicly and will be able to decrypt files of all the victims.

CISA and FBI also published a new guide for Kaseya VSA customers. They recommend system administrators to run "VSA Detection Tool", a script published on Kaseya website to search for malicious IOCs in affected machines.

Sodinokibi is one of the most dangerous threats active nowadays. In the past months, we have seen a huge increase in their operation and complexity of attacks. We believe that's motivated and financed by the last successful attacks, in which their victims decided to pay the ransom to recover the encrypted files or to avoid having private data published in their wall-of-shame.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210705/197cc682/attachment.html>

More information about the MART mailing list