Analyzing the 2021 Kaseya Ransomware Attack: Combined Spearphishing Through SonicWall SSLVPN Vulnerability
In July 2021, the IT management software company Kaseya was the victim of a ransomware cyberattack. The perpetrator of this attack was ransomware evil (REvil), an allegedly Russian-based ransomware threat group. This paper addresses the general events of the incident and the actions executed by the constituents involved. The attack was conducted through specially crafted hypertext transfer protocol (HTTP) requests to circumvent authentication and allow hackers to upload malicious payloads through Kaseya's virtual system administrator (VSA). The attack led to the emergency shutdown of many VSA servers and a federal investigation. REvil has had a tremendous impact performing ransomware operations, including worsening international relations between Russia and world leaders and costing considerable infrastructure damage and millions of dollars in ransom payments. We present an overview of Kaseya's defense strategy involving customer interaction, a PowerShell script to detect compromised clients, and a cure-all decryption key that unlocks all locked files.
Main Authors: | Suman Bhunia, Matthew Blackert, Henry Deal, Andrew DePero, Amar Patra |
---|---|
Format: | Article |
Language: | English |
Published: | Wiley, 2025-01-01 |
Series: | IET Information Security |
Online Access: | http://dx.doi.org/10.1049/ise2/1655307 |
Field | Value |
---|---|
author | Suman Bhunia, Matthew Blackert, Henry Deal, Andrew DePero, Amar Patra |
collection | DOAJ |
description | In July 2021, the IT management software company Kaseya was the victim of a ransomware cyberattack. The perpetrator of this attack was ransomware evil (REvil), an allegedly Russian-based ransomware threat group. This paper addresses the general events of the incident and the actions executed by the constituents involved. The attack was conducted through specially crafted hypertext transfer protocol (HTTP) requests to circumvent authentication and allow hackers to upload malicious payloads through Kaseya’s virtual system administrator (VSA). The attack led to the emergency shutdown of many VSA servers and a federal investigation. REvil has had a tremendous impact performing ransomware operations, including worsening international relations between Russia and world leaders and costing considerable infrastructure damage and millions of dollars in ransom payments. We present an overview of Kaseya’s defense strategy involving customer interaction, a PowerShell script to detect compromised clients, and a cure-all decryption key that unlocks all locked files. |
format | Article |
id | doaj-art-a5cf413ada93467dac90a038388ffed6 |
institution | Kabale University |
issn | 1751-8717 |
language | English |
publishDate | 2025-01-01 |
publisher | Wiley |
record_format | Article |
series | IET Information Security |
affiliations | Listed in author order: Department of Computer Science and Software Engineering (first four authors); School of Computing and Information Sciences (fifth author) |
title | Analyzing the 2021 Kaseya Ransomware Attack: Combined Spearphishing Through SonicWall SSLVPN Vulnerability |
url | http://dx.doi.org/10.1049/ise2/1655307 |