This article describes the pre-auth remote code execution in Kaseya VSA Server that was exploited in the recent REvil ransomware campaign. It clarifies some misconceptions and adds important details to the conversation.

Truesec has now been able to conclusively prove that the massive ransomware attack by the REvil cybercrime syndicate was the result of a pre-authentication remote code execution zero-day.

Part 1 – The Ransomware Attack

Truesec has documented how Russian ransomware gangs profit from being left alone by Russian law enforcement, but the connections seem to go even deeper.

Initial Attack and Takeover

In October 2020, the Russian-based threat actor known as “Evil Corp” conducted a ransomware attack against a major corporation. The attack vector […]

This is an analysis of part of the network of Russian organized crime hacking groups.

Over the last few years, the battle against ransomware has led many companies and organizations to invest in backup solutions so they can restore their environment if it gets encrypted. Unfortunately, that is no longer enough. The threat actors' modus operandi has adapted to those protections, and they now also use blackmail to extract more money, with ransom demands exceeding USD 50M. The ransom note […]