Another spectacular raid by a Russian ransomware gang prompted a series of interesting questions from Catalin. I thought it would be worthwhile to address them.
Here is the thread with the questions. I have inlined them below with my responses.
Some questions in regards to the Kaseya incident:
-How did REvil learn of the VSA exploit?
-Did they have access to Kaseya's vulnerability disclosure systems?
-Were they provided the exploit by a 3rd-party?
-Was that 3rd-party an RU intelligence agency or exploit broker?
— Catalin Cimpanu (@campuscodi) July 5, 2021
Firstly, how did REvil learn about the VSA exploit? This zero-day vulnerability was in the process of being patched. The coordinated vulnerability disclosure process was being shepherded by Wietse Boonstra, the researcher at the Dutch Institute for Vulnerability Disclosure who discovered it. So how did it come to be used by a ransomware gang?
There are a lot of interesting possibilities, but given how little we know, it is all pure speculation. Here are some of mine: a duplicate discovery, a compromised researcher, or pre-existing access to Kaseya that was used to read the vulnerability reports.
Catalin wants to know whether REvil got the exploit from a third-party. I would like to know as well. Obviously, it’s an open question that cannot be answered immediately. We simply don’t have enough information at this point. It is not clear if we ever will know.
Catalin goes further though, raising the question of whether REvil were given the exploit by a third-party that happens to be a Russian intelligence agency, or whether it was sold by an exploit broker. At a guess, I don’t believe it was either. Outside of the existing Russian exploit marketplaces there are no brokers who, I believe, would do business with REvil. You might wonder how a broker would know they were doing business with REvil? Well, for a start I don’t think anyone legitimate would sell to Russia simply because the most likely clients are the government or cyber criminals. Neither of those is acceptable. A broker who wishes to do business in the West (where the most money is) has to keep clear of “directly aiding the opposition.” If they don’t remain sufficiently clean, Western clients will cease doing business with them. Selling anything to Russia would be sufficiently dirty that the broker would be untouchable by Western clients. Effectively, they’d be out of business.
Therefore, at a minimum, I don’t believe that there are a lot of brokers who actively work with Russians, Ukrainians, Belarusians, etc. If the exploit was purchased — which is entirely possible — I suspect it was sourced from a Russian exploit seller representing a Russian exploit developer.
Similarly I don’t believe an intelligence agency provided the exploits to the ransomware gang. There is no mechanism, that I am aware of, which allows the intelligence agencies to task and supply a criminal gang for a commercial criminal enterprise. If this happened it would be a side project not an official state sanctioned operation. If it was a side project, then it has gotten way out of hand and there will likely be repercussions. Intelligence agencies don’t like their exploits burned by criminals. It would also be a massive departure from normal behavior for Russia to do this operation.
Was the timing of the attack on the July 4 weekend a decision made for political reasons or was it REvil’s typical modus operandi to hit over big western holiday breaks (which they have done many times before)?
Let’s look at the timing. The attack started on Friday July 2nd, more commonly known as “the Fourth of July weekend.” A significant number of victims are in countries that don’t have a holiday on the 4th of July. To me it seems unlikely that the Fourth of July was a primary motivator for the attack. I have a hard time seeing this attack being a political statement or similar. The Fourth of July is more likely to be a convenient date than the focus of the attack.
If we look at the timing further, we see that the VSA exploit was being patched. That means there was a time limit, a deadline looming for the attackers. This is a more likely driver for the particular timeframe than political motivation for a symbolic attack. As Catalin himself points out, the modus operandi of REvil is to conduct attacks on big Western holiday weekends.
Why are they asking a payment for a universal decrypter?
Did they realize that negotiating ransoms with thousands of companies at the same time is not worth the effort?
The next issue that he raises is an interesting one: why are they negotiating for a universal decryptor rather than individually with each victim? Clearly one wholesale ransom is less profitable than retail ransoms with each individual victim. However, the scale of the attack makes individual, retail-level negotiations impractical in a timely fashion.
There is simply no way to scale up 1000 victims with REvil’s existing victim management process. Their portfolio management infrastructure is simply insufficient to handle this sort of load. We can say this because no one has developed good portfolio management software and no one has successfully managed 1000 victims in one week.
Bear in mind that this attack will have been conducted by the core REvil team, a finite number of people. Alternatively, it was the work of an affiliate, which is an even smaller finite number of people. With only a small number of principals involved they would have to bring in temps to manually manage all the victims that they need to process.
“Hello, this is Alexei, how may I assist you today? Paying ransom or asking more time? Please confirm 24 digit identification number, I am looking account.”
From a purely economic point of view it is far simpler to make one single wholesale sale, collect a nice big payment, and call it a day. Practically, it’s unlikely that they can effectively manage half of the victims they currently have. Even if they did retail-level victim processing they would still have another problem: too much money in a dangerous part of the world.
REvil are definitely paying protection money to a “roof” who allows them to operate safely. This protection money becomes insufficient when REvil has $500 million US dollars on hand. Their roof could easily decide that it is simply easier to take all the money and terminate the relationship. This is an inherent problem with paying for protection.
Will that universal decrypter even work, or are companies going to encounter bugs with large files?
He has some follow-up questions regarding whether the decryptor will work. Although it may fail to work for technical reasons, I don’t believe REvil would renege on their agreement. Ransomware is, to some degree, a trust-based business. Without trust that the criminal gang will honor their side of the deal there is no point in paying them.
Why would REvil pull such a brash attack right after the Colonial and JBS attacks and the political mess/fallouts from those incidents?
Now we turn to the political environment in which this attack takes place. Why would “REvil do something like this after the political fallout from the Colonial and JBS attacks?” This raises the question: was there political fallout felt by the ransomware gangs? Was there blowback inside Russia for Colonial and JBS? I don’t believe there was. My point is that financially motivated attackers are motivated by money. They will try to make money. There is no reason for them to cease operating just because someone on the other side of the world is upset. That is literally the core of their business. Unless they directly feel pain, they will continue to try to make money.
Wouldn’t this attack confirm that REvil had some sort of approval from a RU agency before doing something this destructive?
Although it appears that there is overt official sanction for ransomware gangs to operate, that is not the case. Rather, the protection money that they pay to local security forces effectively ensures that they are safe from local prosecution. This creates a de facto situation where ransomware gangs are operating under a license. This license is closer to a letter of marque and privateering than anything proposed by Western pundits. That, though, is a discussion for another post.