The U.S. was hit with another staggering ransomware attack over the weekend.
Kaseya, a widely used IT solutions company, was the victim of a large-scale supply chain attack. Kaseya announced on Monday that all its VSA SaaS servers will remain in maintenance mode.
Expel, a managed detection and response firm, states the following in a blog post:
“After notifying our customers of the situation, Expel deployed ‘be on the lookout’ detections – where customers are immediately notified of a detection – for the two known malicious hashes, and for the known file paths the attackers have been reportedly using. Expel has also begun pushing out more generalized logic rules to catch variants of these attack vectors.”
The technical details are as follows:
The REvil ransomware encryptor is dropped at c:\kworking\agent.exe.
Further files are dropped in c:\windows:
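As an added illustration of the "be on the lookout" path detection the post describes (this is example code written for this article, not Expel's own rules): the script below scans constructed Sysmon-style FileCreate events for the one path the post names, c:\kworking\agent.exe, plus two generalized rules that are assumptions here, not from the post (any executable created under c:\kworking, and anything agent.exe itself writes into c:\windows). The two malicious hashes are not listed in the post, so no hash check is included.

```python
"""Toy 'be on the lookout' file-path detection for the Kaseya/REvil indicator
named above. Constructed example; the input events are also constructed."""
import json
import ntpath

# Known malicious path from the post. The directories below are assumptions
# used to build the more general rules, not indicators from the post.
KNOWN_PATHS = {r"c:\kworking\agent.exe"}
SUSPECT_DIR = r"c:\kworking"
DROP_DIR = r"c:\windows"


def normalise(path):
    """Lower-case, convert forward slashes and collapse '..' so trivially
    varied spellings of the same path still hit the same rule."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def classify(event):
    """Return the names of every rule a single FileCreate event matches."""
    target = normalise(event.get("TargetFilename", ""))
    image = normalise(event.get("Image", ""))
    hits = []
    if target in KNOWN_PATHS:
        hits.append("bolo_known_path")
    if ntpath.dirname(target) == SUSPECT_DIR and target.endswith(".exe"):
        hits.append("generic_kworking_exe")
    if image in KNOWN_PATHS and ntpath.dirname(target) == DROP_DIR:
        hits.append("agent_drop_in_windows")
    return hits


def scan(lines):
    """Parse JSON-lines events; return (line_no, hits) for each match."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        hits = classify(event)
        if hits:
            alerts.append((n, hits))
    return alerts


# Constructed sample events (hypothetical parent process, benign noise, and a
# forward-slash variant of the known path).
SAMPLE_EVENTS = [
    r'{"EventID": 11, "Image": "c:\\example\\parent.exe", "TargetFilename": "C:\\KWorking\\Agent.exe"}',
    r'{"EventID": 11, "Image": "c:\\kworking\\agent.exe", "TargetFilename": "c:\\windows\\dropped.dll"}',
    r'{"EventID": 11, "Image": "c:\\windows\\explorer.exe", "TargetFilename": "c:\\users\\bob\\notes.txt"}',
    r'{"EventID": 11, "Image": "c:\\example\\parent.exe", "TargetFilename": "c:/kworking/agent.exe"}',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {', '.join(hits)}")
```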
Here’s what companies should do to protect themselves, according to the authors (Evan Reichard, Matthew Berninger, Ray Pugh, Ben Brigida and Jon Hencinski):
Finally, incorporate these learnings into your detection strategy, the post concludes.