Available solutions for REvil/Sodinokibi Ransomware - Kaseya Zero Day Attack

    • Updated: 14 Jul 2021
    • Product/Version:
      Interscan Web Security Virtual Appliance 6.5
      Portable Security 3.0
      TXOne - StellarEnforce 1.0
      TXOne - StellarProtect 1.0
Summary

Kaseya, a company that provides IT management software to managed service providers (MSPs) and IT companies, has been hit with a REvil (aka Sodinokibi) ransomware attack at the dawn of the Fourth of July weekend, as reported in the company’s own announcement.

The company describes it as a “sophisticated cyberattack” that was geared toward its on-premises VSA product. The company advised all its customers to shut down their on-premises VSA servers until further notice.

Kaseya has decided to also immediately shut down its software-as-a-service (SaaS) servers as a conservative security measure while investigations are ongoing.

The VSA software, which is typically used to distribute software updates to customers, was weaponized to push a malicious PowerShell script, which then loaded the REvil ransomware payload onto customer systems. It is also important to note that organizations that are not direct Kaseya customers could be affected through their service providers.

Infection Routine


File Reputation

DETECTION/POLICY/RULES           PATTERN BRANCH/VERSION   RELEASE DATE
Trojan.Win32.SODINSTALL.YABGC    16.817.00                07-03-2021
Ransom.Win32.SODINOKIBI.YABGC    16.817.00                07-03-2021
Ransom.Win32.SODINOKIBI.SMSTA    16.825.00                07-07-2021
Ransom.Win32.SODINOKIB.ZTID      16.655.00                04-13-2021

Predictive Machine Learning

DETECTION                              PATTERN BRANCH/VERSION
Troj.Win32.TRX.XXPE50FFF046            In-the-cloud
Ransom.Win32.TRX.XXPE50FFF046E0002     In-the-cloud

Behavior Monitoring

PATTERN BRANCH/VERSION   RELEASE DATE
RAN5127T                 01-20-2021
RAN5227S                 07-04-2021

Web Reputation

URL                                                                        CATEGORY                          BLOCKING DATE
hxxp[:]//aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion/  Malware Accomplice, Ransomware    07-03-2021
1team[.]es                                                                 Malware Accomplice                07-04-2021

Sandbox Detection

DETECTION            PATTERN BRANCH/VERSION
VAN_MALWARE.UMXX     In-the-Cloud

Solution Map - What should customers do?

REvil-Sodinokibi Ransomware Solution Map (image)

To update Trend Micro products, visit Online Help Center.

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of REvil/Sodinokibi Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
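A quick way to act on this recommendation is to compare the pattern version deployed on each endpoint against the first pattern version listed in this article's File Reputation table for each detection. The script below is an added example, not Trend Micro code or a Trend Micro tool; the detection names and versions are taken from the table above, while the hostnames and inventory format are constructed for the example, and it assumes pattern versions compare as dotted numeric fields.

```python
import re

# Rows from this article's File Reputation table: detection name, the first
# pattern branch/version that carries it, and the release date.
FILE_REPUTATION = [
    ("Trojan.Win32.SODINSTALL.YABGC", "16.817.00", "07-03-2021"),
    ("Ransom.Win32.SODINOKIBI.YABGC", "16.817.00", "07-03-2021"),
    ("Ransom.Win32.SODINOKIBI.SMSTA", "16.825.00", "07-07-2021"),
    ("Ransom.Win32.SODINOKIB.ZTID", "16.655.00", "04-13-2021"),
]

# Constructed endpoint inventory (hostname, deployed pattern version); the
# hostnames and the 16.1000.00 version are made up for this example.
SAMPLE_INVENTORY = """\
ws-finance-01 16.825.00
ws-finance-02 16.817.00
srv-file-01 16.655.00
srv-db-01 16.1000.00
"""

def parse_version(version):
    """Turn '16.817.00' into (16, 817, 0) so comparison is numeric, not
    string-based: as strings, '16.1000.00' < '16.825.00', which would
    wrongly flag an up-to-date host as lacking coverage."""
    if not re.fullmatch(r"\d+(\.\d+)+", version):
        raise ValueError(f"malformed pattern version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def missing_detections(installed_version, rows=FILE_REPUTATION):
    """Names of detections in `rows` whose first carrying pattern is newer
    than the pattern deployed on the endpoint."""
    installed = parse_version(installed_version)
    return [name for name, required, _ in rows
            if installed < parse_version(required)]

def hosts_needing_update(inventory=SAMPLE_INVENTORY, rows=FILE_REPUTATION):
    """Map each host with gaps to the detections its pattern does not yet
    include; hosts with full coverage are omitted from the report."""
    report = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        gaps = missing_detections(version, rows)
        if gaps:
            report[host] = gaps
    return report

if __name__ == "__main__":
    for host, gaps in hosts_needing_update().items():
        print(f"{host}: update pattern; lacks {', '.join(gaps)}")
```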

Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.

You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.

For support assistance, please contact Trend Micro Technical Support.

Category: Remove a Malware / Virus
Solution Id: 000286919