The Unfixed Flaw at the Heart of REvil’s Ransomware Spree

on April 1, researchers from the Dutch Institute for Vulnerability Disclosure identified the first of what they quickly found to be seven vulnerabilities—all easy to spot, some potentially catastrophic—in an IT management system known as the Virtual System Administrator. By April 6, they had found 2,200 vulnerable systems and disclosed their findings to Kaseya, the company behind VSA. Kaseya patched four of the seven in the ensuing days and weeks, but three remained. What happened next was one of the most significant ransomware attacks in history.

On July 2, just days before the 90-day disclosure deadline the DIVD had given Kaseya, hackers associated with the ransomware gang REvil exploited one of three remaining VSA vulnerabilities along with an additional flaw, ultimately spreading malware to as many as 1,500 businesses and organizations around the world. Kaseya hadn’t neglected those remaining bugs entirely. It had continued to work with the Dutch researchers to fix them—just not fast enough to prevent the worst. 

“I really believe they were making their best effort,” says Victor Gevers, head of the DIVD. “They were posting job listings, hiring new security specialists, hiring outside security companies, doing source code review, checking their perimeters, really working on their security posture. But it was a lot at once.”

A Kaseya spokesperson declined to comment for this story, citing the company’s ongoing investigation into the incident. Since July 2, though, the company has repeatedly said that the remaining patches are being prepared for release. Nearly a week after the initial attack, though, those fixes haven’t materialized.

That doesn’t mean Kaseya has been idle in response to the attack. The company quickly shut down its cloud offerings as a precaution and began urgently encouraging customers who run “on-premises” VSA servers to do the same to limit the fallout. The number of exposed VSA servers publicly accessible online dropped to roughly 1,500 on July 2, fewer than 140 as of July 4, and 60 as of today

But while fewer vulnerable systems certainly keeps the scale of the attack from increasing, it doesn’t help victims whose systems remain locked up.

“Kaseya had opportunities for years to comprehensively address low-hanging-fruit vulnerabilities like the one that allowed REvil to savage its customers,” says Katie Moussouris, founder of Luta Security and a longtime vulnerability disclosure researcher. 

Vulnerability disclosure programs and bug bounties like those offered by Kaseya are a valuable tool, says Moussouris, for companies looking to strengthen their digital security. But these programs alone can’t offer adequate defense if the company doesn’t also invest in its internal security and staffing.

“We can’t fight ransomware one disclosure at a time,” says Moussouris.

Many companies are much less responsive and collaborative on patching vulnerabilities than Kaseya was. But the managed service providers who use Kaseya’s software are known, valuable targets of ransomware attacks; Kaseya itself tried to raise awareness about the issue in 2019. The longer Kaseya took to patch, especially given how easy the vulnerabilities were to discover, the more likely it was that someone else might find them.

The consequences of Kaseya’s lapse are still playing out. REvil claims to have encrypted more than a million systems as part of the attack, but the hackers seem to be having a difficult time actually coaxing payments from victims. The group requested tailored ransoms in the tens of thousands of dollars from many targets but also said it would call off the whole attack for $70 million. Then it lowered the blanket ransom demand to $50 million. The group’s negotiation portal has also suffered outages.