Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Case Studies
Threat detection

Fighting back against REvil ransomware

Two Red Canary customers share their experiences following the 2021 Kaseya VSA ransomware attack.

On Friday, July 2, 2021—two days before fireworks emblazoned the night sky—REvil (aka Sodinokibi) created their own version of pyrotechnics by exploiting zero-day vulnerabilities in Kaseya’s IT management software.

Unfortunately, as the attack unfolded, many security teams were compelled to cancel their holiday plans in an effort to gather intelligence and assess their environments for damage.

Red Canary customers have a very different memory of that Independence Day weekend. Thanks in large part to our threat intelligence expertise and behavior-based detections, they were able to enjoy their celebrations with confidence, knowing we had caught the suspicious activity hours before the headlines broke.

Unitus Community Credit Union and a leading dental insurance provider were among those organizations who would have been impacted by the Kaseya supply chain attack but instead experienced zero business disruption.

Here’s a look at how Red Canary was able to get ahead of the threat activity before it turned into ransomware, allowing these customers to relax and unwind during the long holiday weekend.

Early detection and containment shield Unitus Community Credit Union from ransomware

Based in Portland, Oregon, Unitus Community Credit Union employs approximately 300 people and provides service to more than 100,000 members. Founded in 1937, this not-for-profit organization currently serves local communities throughout Oregon and Washington.

At the time of the Kaseya attack, Unitus was not a direct user of Kaseya software. However, one of their phone vendors was, and when that vendor got hit, it left a related server vulnerable and Unitus open to potential ransomware.

 
“We had an alert fired, and the Red Canary team reached out immediately and started calling the phone tree, emails, text alerts, the whole gamut… This was really early on… We were on the leading edge.”
SOC_1000x667

Recognizing the indicators of compromise (IoCs), Red Canary swiftly alerted Unitus to the detected threat. Due to its severity and potential impact, Red Canary Principal Threat Hunter Paul Michaud proactively reached out to Unitus and their Information Security Analyst, Harlan Hoult.

“Based on the similarity of the domains between two of our customers, we were able to quickly identify that Unitus’s third-party vendor was compromised via Kaseya. In time, as the news went public on Twitter and other outlets, we found out there was a large-scale attack against public-facing Kaseya appliances.”

—Paul Michaud, Principal Threat Hunter, Red Canary

Even before Kaseya formally acknowledged the incidents, Unitus had isolated the affected server and taken it offline in accordance with their security playbook automation. In time they would revert to a snapshot of the server, helping mitigate any fallout.

“From a vendor management standpoint, it’s important to understand the scope a vendor has access to—such as the specific endpoints they can log into, the accounts they leverage, the parts of the network they can reach, and the ingress and egress points for their connectivity—and conduct continuous monitoring and validation of that access.”

—Paul Michaud, Principal Threat Hunter, Red Canary

Understanding the scope that all third-party vendors have is paramount. In Unitus’s case, Hoult and his team knew exactly what the compromised vendor had access to, so they were able to promptly contain the threat. This effort and foresight resulted in essentially zero business impact from the Kaseya attack.

“Red Canary helped ensure that none of our members were ever at risk, our operations continued to run unaffected, and we were able to quickly isolate the compromised server.”

—Harlan Hoult, Information Security Analyst, Unitus Community Credit Union

Behavioral threat analytics keep a leading dental insurance provider out of the dark

A leading provider of dental insurance had two MDR partners at the time of the Kaseya attack. In addition to Red Canary MDR, they also used a legacy, SIEM-based MDR provider that enabled them to comply with industry regulations through the 24×7 monitoring and retention of all logs.

But while they had duplicative MDR providers, only Red Canary alerted them to the attack on that Fourth of July weekend, resulting in little to no business impact.

Red Canary observed and detected a slew of suspicious behaviors and alerted on that activity right away, empowering the dental insurance provider to understand the full story on Kaseya and mitigate the threat before any ransomware was detonated or endpoints encrypted.

 
“Red Canary focuses on behavioral analytics, which are essential in the modern landscape, not just IOCs or alerts. If it hadn't been for Red Canary, we would have been blind to [the Kaseya] attack and so would the other security partners.”
kaseya_supportingimg_900x900

If not for Red Canary, this leading dental insurance provider would have been blind to the attack. Other security providers, such as their legacy MDR, generally look at events and attempt to correlate them. On the contrary, they explained, “Red Canary focuses on behavioral analytics, which are essential in the modern landscape, not just IOCs or alerts.”

To date, every incident alert they’ve received—and every detection that has turned into an actual incident—has come from Red Canary, not their legacy MDR provider. Consequently, they are hoping to drop their legacy MDR provider altogether and use Red Canary exclusively.

Peace of mind for whatever comes next

Adversaries can strike at any moment. By enabling early detection through ongoing threat research and broad behavior-based detections, Red Canary helps companies respond aggressively and effectively to minimize impact. Furthermore, when we do detect a threat to one of our customers, we immediately hunt for it across all customer environments—and we communicate critical details along the way, keeping everyone on the same page.

In regards to Kaseya, research into supply chain attacks earlier in the year informed Red Canary’s detections, meaning customers, including Unitus Community Credit Union and a leading dental insurance provider, learned about the attack before it even went public. In the end, both walked away virtually unscathed and free to unwind on a well-deserved three-day weekend.

“We would have been blind” to the zero-day attacks…

Instead, Red Canary customers enjoyed a long holiday weekend and zero business disruptions.

Learn how a combination of threat research, behavioral analytics, and communication worked in harmony to prevent REvil ransomware.

  • View a detailed timeline of events
  • Read firsthand accounts
  • Validate the role of behavior-based detections and incident preparedness
Discover the story

“We would have been blind” to the zero-day attacks…

Instead, Red Canary customers enjoyed a long holiday weekend and zero business disruptions.

Learn how a combination of threat research, behavioral analytics, and communication worked in harmony to prevent REvil ransomware.

  • View a detailed timeline of events
  • Read firsthand accounts
  • Validate the role of behavior-based detections and incident preparedness
Discover the story
 
 
Back to Top