Cyberthreat update from Acronis CPOCs: Week of July 5, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as supply chain attacks impacting hundreds of businesses and shifts in ransomware gangs’ strategies. Here’s a look at some of the most recent breaking news and analyses:

REvil ransoms hundreds of companies at once

The REvil extortion gang appears to have found success in a supply chain attack on Kaseya VSA servers. The attack has already ransomed hundreds of companies, and it’s estimated that as many as 1,000 SMBs may be affected.

Kaseya has shut down all cloud-based VSA servers, and has advised users of on-premises VSA servers to shut them down immediately. This is because the first step the attackers take is to shut off administrator access to impacted servers.

Delivering the ransomware through Kaseya VSA let it reach a large number of targets quickly, in the same way that the compromise of SolarWinds allowed attackers to quickly strike at least 100 companies. The Kaseya attack is already larger in scale, and its impact may prove far greater.

The Active Protection included in Acronis Cyber Protect detects REvil ransomware and blocks it before your data is compromised, while the multi-layered detection engines identify and block the dropper and other malware associated with this attack.

Swedish grocer closes 500 locations after cyberattack

Coop Sweden, one of Sweden’s largest grocery chains, has been forced to close around 500 of its 800 stores after the REvil attack on Kaseya VSA servers caused many of the chain’s point-of-sale systems and self-service checkouts to stop working.

While Coop did not use Kaseya VSA directly, the service was used by one of its software providers. This led to the infection of Coop systems before the company could recognize that there was a widespread problem and shut systems down preemptively.

The REvil attack is now known to have used a zero-day vulnerability in the Kaseya VSA software to push ransomware to nearly 1,500 customers of around 30 MSPs. The REvil gang has set the ransom demand at $70 million, claiming that they’ll release a decryptor that allows all victims to recover their data if this payment is made.

REvil and other forms of ransomware are no match for Acronis Cyber Protect. Its Active Protection technology detects the malicious behaviors that ransomware relies on, and puts a stop to harmful activity before your data and systems are impacted.

TrickBot goes back to its roots

TrickBot appears to be going back to its roots with man-in-the-browser attacks — along with possibly delivering new types of ransomware.

The U.S. Department of Justice has determined that TrickBot has infected millions of victims worldwide and stolen their credentials. The addition of new webinject modules and malware variants could signal that the team behind TrickBot is looking to expand their malware-as-a-service platform, making it more diverse with custom injects and ransomware.

Cybercriminals often update and change their tools to be more effective — and to evade traditional signature-based detection. Acronis Cyber Protect uses machine intelligence to identify and block malicious behaviors, stopping both old and new cyberthreats in their tracks.

Ransomware zombie: Ransomware creation made easy

The Babuk Locker ransomware gang apparently “retired” from the double extortion game in April, and switched to a different extortion model under a new name. However, their custom ransomware builder is actively being used again, possibly by a new cybercriminal group.

Submissions of new ransomware samples bearing the marks of Babuk’s builder have shot up in the last week. The ransoms demanded in these attacks are no longer in the millions of dollars; recent notes ask for 0.006 Bitcoin, which at the time of writing is worth roughly $210. It’s not yet clear whether we’re seeing a new threat actor or the same old Babuk: the newest ransom notes identify the responsible party as "Babuck Locker" with an added “c.”

Whether this activity is from Babuk or a new group entirely, the need to detect and stop cyberattacks before they steal your data remains imperative. Acronis Cyber Protect's Active Protection recognizes and blocks all types of ransomware.

Cybercriminals don’t have slow news days

Cybercriminals often use current events as lures in their attacks, hoping to entice victims into opening a malicious link or attachment out of curiosity or concern. After the notable supply chain attack last weekend — in which the REvil extortion gang distributed their ransomware through Kaseya VSA servers — we’re now seeing that story used as a lure.

Malicious emails claiming to offer the patch for the vulnerability that REvil used have been circulating. These messages contain a fake update file named “securityUpdate.exe” and a link to the same payload hosted on a server.

The attackers are taking a risk here, as attachments with the .exe extension are often filtered out by email security rules. If a message does get through, its payload is a Cobalt Strike backdoor, which gives the attacker remote access to the victim’s machine.
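The lure described above can be screened for mechanically. The following Python script is an added example, not Acronis code and not taken from the reported campaign: it parses a constructed message (the sender, host name and attachment bytes are placeholders, not real indicators), flags attachments with executable extensions, flags attachments whose content starts with the PE “MZ” magic regardless of the declared name (the case an extension-only filter misses), and flags links whose path ends in an executable extension.

```python
import base64
import os
import re
from email import message_from_string

# Constructed sample (not a real capture) mimicking the lure: a fake "security
# update" attachment plus a link to the same payload on a remote host.
# Host name and sender are placeholders; the attachment is a truncated PE header.
SAMPLE_EML = """From: support@example.invalid
To: admin@example.invalid
Subject: Urgent: Kaseya VSA security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached patch or download it from
http://updates.example.invalid/securityUpdate.exe
--b1
Content-Type: application/octet-stream; name="securityUpdate.exe"
Content-Disposition: attachment; filename="securityUpdate.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Same message with the attachment renamed to look like a document: the bytes
# are still a PE file, so a filter that trusts the extension would pass it.
DISGUISED_EML = SAMPLE_EML.replace('securityUpdate.exe"', 'securityUpdate.pdf"')

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi", ".dll"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_pe(data: bytes) -> bool:
    """True if the bytes start with the DOS/PE 'MZ' magic."""
    return data[:2] == b"MZ"


def url_points_to_executable(url: str) -> bool:
    """Check the URL path (query string and fragment stripped) for an executable extension."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    return os.path.splitext(path)[1].lower() in EXEC_EXTENSIONS


def scan_message(raw: str) -> dict:
    """Walk every MIME part and collect executable attachments and links."""
    msg = message_from_string(raw)
    findings = {
        "executable_attachments": [],   # extension says executable
        "disguised_executables": [],    # extension says otherwise, bytes say PE
        "executable_urls": [],          # link whose path ends in an executable extension
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext in EXEC_EXTENSIONS:
                findings["executable_attachments"].append(filename)
            elif is_pe(payload):
                findings["disguised_executables"].append(filename)
        elif part.get_content_type().startswith("text/"):
            charset = part.get_content_charset() or "utf-8"
            text = payload.decode(charset, errors="replace")
            findings["executable_urls"].extend(
                u for u in URL_RE.findall(text) if url_points_to_executable(u)
            )
    return findings


def is_suspicious(findings: dict) -> bool:
    """Any hit in any category is enough to quarantine the message."""
    return any(findings.values())


if __name__ == "__main__":
    for label, eml in (("as sent", SAMPLE_EML), ("renamed to .pdf", DISGUISED_EML)):
        result = scan_message(eml)
        print(label, "->", "SUSPICIOUS" if is_suspicious(result) else "clean", result)
```

The second sample is the reason for the byte-level check: an extension filter alone is exactly what the attackers were gambling against, and renaming the file defeats it, whereas the MZ magic survives the rename.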

Cybercriminals aren’t likely to give up on the tried-and-true tactic of using big news stories as a lure, as these often get victims to let their guard down. Fortunately, Acronis’ Advanced Email Security features block malicious emails like the ones used in this attack before users can be tempted to open them.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.