Analyzing the 2021 Kaseya Ransomware Attack: Combined Spearphishing Through SonicWall SSLVPN Vulnerability
Format: | Article |
Language: | English |
Published: | Wiley, 2025-01-01 |
Series: | IET Information Security |
Online Access: | http://dx.doi.org/10.1049/ise2/1655307 |
Summary: | In July 2021, the IT management software company Kaseya was the victim of a ransomware cyberattack. The perpetrator was REvil (Ransomware Evil), a ransomware threat group allegedly based in Russia. This paper addresses the general events of the incident and the actions taken by the parties involved. The attack was conducted through specially crafted hypertext transfer protocol (HTTP) requests that bypassed authentication and allowed the attackers to upload malicious payloads through Kaseya's Virtual System Administrator (VSA). The attack led to the emergency shutdown of many VSA servers and to a federal investigation. REvil's ransomware operations have had a tremendous impact, worsening relations between Russia and other world leaders, causing considerable infrastructure damage, and extracting millions of dollars in ransom payments. We present an overview of Kaseya's response, which involved customer communication, a PowerShell script to detect compromised clients, and a universal decryption key that unlocks all encrypted files. |
ISSN: | 1751-8717 |