
Kaseya ransomware attack was apparently coded to avoid Russia

(Image credit: Avast)

Cybersecurity researchers have discovered that the malware that delivered the REvil ransomware to thousands of computers managed by Kaseya VSA was designed to avoid infecting computers in countries that are the principal members of the Commonwealth of Independent States (CIS).

Initially suspected to be a supply chain attack, the campaign in fact exploited a zero-day vulnerability in Kaseya's VSA software to compromise several managed service providers (MSP) and deliver ransomware to their downstream customers.

In their analysis of the malware, security researchers at Trustwave note that the ransomware avoids systems in countries of the former USSR region.


Security experts have previously suggested that installing a Cyrillic keyboard layout might be enough to convince such malware that the machine is Russian and therefore off limits.

Unpatched zero-day

In response to the attack, Kaseya pulled the plug on VSA's software-as-a-service offering and asked all of its customers to take their on-premises VSA servers offline as well.

Reporting on the developments, The Register notes that one of the exploited vulnerabilities in VSA was initially reported to Kaseya back in April 2021. It was one of seven VSA bugs that were unearthed by the Dutch Institute for Vulnerability Disclosure (DIVD) and reported privately to Kaseya.

Patches for four of these were released in April and May, while the remaining three were scheduled for delivery in an upcoming release.

But before one of those unpatched bugs, tracked as CVE-2021-30116, could be fixed, it was exploited by REvil to deploy ransomware on computers around the world, except, of course, in Russia and the other CIS countries.

ZDNet reports that the White House has warned Russia to take action against the threat actors, or else the US might have to take matters into its own hands.

"As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own," said White House press secretary Jen Psaki.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.