The U.S. was hit with another staggering ransomware attack over the weekend.  

Kaseya, a widely used IT solutions company, was the victim of a large-scale supply chain attack. Kaseya announced on Monday that all its VSA SaaS servers will remain in maintenance mode.  

Expel, a managed detection and response firm, states the following in a blog post: 

“After notifying our customers of the situation, Expel deployed ‘be on the lookout”‘ detections – where customers are immediately notified of a detection – for the two known malicious hashes, and for the known file paths the attackers have been reportedly using. Expel has also begun pushing out more generalized logic rules to catch variants of these attack vectors.” 

The technical details are as follows:

REvil ransomware encryptor is dropped at c:\kworking\agent.exe

Further files are dropped in c:\windows:

• MsMpEng.exe (legitimate Microsoft Defender copy)

• mpsvc.dll (Malicious REvil DLL)

• The malicious mpsvc.dll is side-loaded into the legitimate Microsoft Defender copy (MsMpEng.exe) 

Here’s what companies should do to protect themselves, according to the authors (Evan Reichard, Matthew Berninger, Ray Pugh, Ben Brigida and Jon Hencinski):

• Shutdown VSA server
• Disable / Uninstall Agent
• Block all known malicious hashes:
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e (agent.exe)
  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd (mpsvc.dll)
  • e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 (mpsvc.dll)

Finally, incorporate these learnings into your detection strategy, the post concludes.