Cybersecurity (opens in new tab) researchers have discovered that the malware (opens in new tab) that delivered the REvil ransomware on thousands of computers (opens in new tab) managed by Kaseya VSA, was designed to avoid infecting computers in countries which are the principal members of the Commonwealth of Independent States (CIS).
Initially suspected to be a supply chain attack, the campaign in fact exploited a zero-day vulnerability in Kaseya's VSA software to compromise several managed service providers (MSP) and deliver ransomware (opens in new tab) to their downstream customers.
In their analysis of the malware security researchers at Trustwave note (opens in new tab) the ransomware avoids systems in countries of the former USSR region.
- These are the best ransomware protection tools (opens in new tab)
- Protect your devices with these best antivirus software (opens in new tab)
- Here's our choice of the best malware removal software on the market
Security experts have previously suggested (opens in new tab) that installing a Cyrillic keyboard might be enough to convince a malware that you are Russian and off limits.
Unpatched zero-day
In response to the attack, Kaseya pulled the plug on VSA’s software-as-a-service offering, and asked all of its customers to take their on-premise VSA servers offline as well.
Reporting on the developers, The Register notes (opens in new tab) that one of the exploited vulnerabilities in VSA was initially reported to Kaseya back in April, 2021. It was part of seven VSA bugs that were unearthed by Dutch Institute for Vulnerability Disclosure (DIVD) and reported privately to Kaseya.
Patches for four of these were released in April and May, while the remaining three were scheduled for delivery in an upcoming release.
But before one of those unpatched bugs, tracked as CVE-2021-30116, could be fixed it was exploited by REvil to deploy ransomware on computers around the world, except of course Russia, and the other CIS countries.
ZDNet reports (opens in new tab) that the White House has warned Russia to take action against the threat actors, or else the US might have to take matters in its own hands.
"As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own," said White House press secretary Jen Psaki.
- These are the best data loss prevention services (opens in new tab)