5 July 2021

Hundreds of companies worldwide hit in massive REvil supply chain ransomware attack

Notorious hacking group REvil has once again caused quite a stir in the cybersecurity community with its latest supply chain ransomware attack. The attack involved the remote management software vendor Kaseya and triggered an infection chain that compromised hundreds of companies and organizations using Kaseya VSA software.

The incident took place on Friday, July 2. In an initial message on its website Kaseya said it was "experiencing a potential attack against the VSA," its remote monitoring and management tool. The company shut down its SaaS servers as a precautionary measure, and recommended that VSA customers immediately shut down servers until further notice.

At the time, the company said that the attack affected 40 customers worldwide. However, researchers said that some of these 40 are managed service providers (MSPs) who in turn serve hundreds of small businesses, which increases the number of affected companies upwards of 1,000.

The REvil ransomware gang has confirmed on its dark web leak site that it launched an attack against MSPs and demanded a record $70 million ransom payment for a universal decryptor that can unlock all systems encrypted by the ransomware.

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” the gang said.

Initially, it was thought that the hackers gained access to Kaseya’s backend infrastructure and used it to deploy a malicious update installing the REvil ransomware to VSA servers running on client premises.

However, according to DIVD (Dutch Institute for Vulnerability Disclosure), the attackers abused a zero-day flaw (CVE-2021-30116) in Kaseya VSA servers that had been discovered by one of its researchers and reported to Kaseya several weeks earlier.

“Wietse Boonstra, a DIVD researcher, has previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks. And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure),” DIVD Chair Victor Gevers said.

According to Gevers, who refused to disclose the details on the vulnerability, Kaseya was working on addressing the issue when the ransomware attack took place.

In an update published on Sunday, Kaseya said it had identified the vulnerability used in the attacks and was preparing mitigations. The company has released a “Compromise Detection Tool” that helps owners of on-premises VSA servers determine whether their server was compromised during Friday’s attacks.

Over the weekend, cybersecurity firm ESET detected an increase in REvil infections across the globe that its researchers linked to the Kaseya incident. According to ESET’s telemetry, victims are located in the UK, South Africa, Germany, the USA, Colombia, Kenya, Argentina, Mexico, the Netherlands, Indonesia, Japan, New Zealand and Turkey.
