Kaseya attack was coded to avoid Russian computer systems, Kaseya delays SaaS restore

Hackers don't want to annoy the local authorities

The ransomware used in last week's attack against software firm Kaseya used code designed to avoid computer systems whose default languages came from the former USSR region.

The finding is from cybersecurity firm Trustwave SpiderLabs. The languages the ransomware is set to avoid include Russian, Armenian, Azerbaijani, Ukrainian, Belarusian, Tajik, Georgian, Kazakh, Kyrgyz, Romanian (Moldova), Russian (Moldova), Turkmen, Uzbek, Tatar, Syriac and Syriac Arabic.

NBC News, which first covered Trustwave's analysis, said the revelation underscores the freedoms ransomware gangs enjoy inside Russia and other former Soviet states. These groups are largely free to target organisations in the West, as long as they don't turn their attention closer to home.

"They don't want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way," Ziv Mador, Trustwave SpiderLabs' vice president of security research, told NBC News.

In May, cyber security expert Brian Krebs revealed that DarkSide, the Russia-based ransomware group behind that month's Colonial Pipeline attack, used a 'do-not-install' list of countries in its code - again, to spare organisations in Russia, as well as former Soviet satellite states that have cordial relations with the Kremlin.
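The "default language" checks described in the Trustwave finding and in Krebs' DarkSide report are simple to reproduce. The following is an added example, not REvil's, DarkSide's or Trustwave's code: it maps the language names listed above to Windows language IDs (LCIDs) and shows the three places such a check normally looks (user UI language, system locale, installed keyboard layouts). The name-to-LCID mapping and the reading of "Syriac Arabic" as Arabic (Syria) are the editor's assumptions from the public Windows LCID table; the article itself gives only the names. Note the caveat for defenders: the check is a business decision by the attacker, and a variant compiled without it is unaffected by whatever layouts a victim has installed.

```python
"""Locale kill-switch check of the kind the article describes (added example)."""
import ctypes
import sys

# Windows LANGID values for the languages named in the article (editor's
# mapping from the public LCID table). "Syriac Arabic" is read as Arabic
# (Syria), 0x2801; that reading is an assumption.
EXEMPT_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x0428: "Tajik",
    0x042B: "Armenian",
    0x042C: "Azerbaijani (Latin)",
    0x082C: "Azerbaijani (Cyrillic)",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
    0x0843: "Uzbek (Cyrillic)",
    0x0444: "Tatar",
    0x0818: "Romanian (Moldova)",
    0x0819: "Russian (Moldova)",
    0x045A: "Syriac",
    0x2801: "Arabic (Syria)",
}


def is_exempt(langids):
    """Return the name of the first exempt language found, else None.

    `langids` is any iterable of LANGID values. Keyboard-layout handles
    (HKL) carry the LANGID in their low 16 bits, so the mask lets callers
    pass raw HKL values as well as plain LANGIDs.
    """
    for lid in langids:
        name = EXEMPT_LANGIDS.get(lid & 0xFFFF)
        if name:
            return name
    return None


def collect_windows_langids():
    """Query the places such a check usually looks. Windows only."""
    k32 = ctypes.windll.kernel32
    u32 = ctypes.windll.user32
    ids = [k32.GetUserDefaultUILanguage(), k32.GetSystemDefaultLangID()]
    # GetKeyboardLayoutList(0, NULL) returns the number of layouts;
    # a second call fills a pointer-sized HKL array.
    count = u32.GetKeyboardLayoutList(0, None)
    layouts = (ctypes.c_size_t * count)()
    u32.GetKeyboardLayoutList(count, layouts)
    ids.extend(int(h) & 0xFFFF for h in layouts)
    return ids


if __name__ == "__main__":
    if sys.platform != "win32":
        # Constructed sample: an en-US machine that also has a Russian
        # keyboard layout installed (HKL 0x04190419).
        sample = [0x0409, 0x0409, 0x04090409, 0x04190419]
    else:
        sample = collect_windows_langids()
    hit = is_exempt(sample)
    print("language IDs:", [hex(i) for i in sample])
    print("kill switch would trip on:", hit or "nothing")
```

Run on a Windows host it reports the real UI language, system locale and layouts; elsewhere it falls back to the constructed sample so the logic can be inspected offline.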

Kaseya puts trust in slow and steady approach to restoration

Kaseya had intended to restore its SaaS services to operation on Tuesday, but has now delayed that to Sunday the 11th at 9pm BST.

In a video message posted to the company's page on the issue, CEO Fred Voccola said it was his decision to delay, calling it, "the hardest decision of my career."

"We had all the vulnerabilities managed and felt comfortable with the release, but third-party engineers made suggestions to add extra layers of protection to guard against things we could not foresee."

Voccola stressed that the delay in restoration would make VSA a more secure product once it is back up and running.

He also described a programme of cash assistance for affected customers, and said that licence payments will be deferred.

Wider responses

Although the US government has not yet definitively attributed the Kaseya attack to any specific group, Russian-speaking group REvil claimed responsibility earlier this week.

The group - probably REvil - launched its attack on 2nd July. It targeted about 50 managed service providers (MSPs) by exploiting a zero-day vulnerability (CVE-2021-30116) in Kaseya's VSA tool.

A researcher for the Dutch Institute for Vulnerability Disclosure (DIVD) had already reported the flaw to Kaseya, but the hackers struck while the company was in the process of writing a patch.

REvil has been extremely active in the last year. In 2020 it began offering stolen data for sale on an auction site, and just last month it extorted $11 million from meat-packing giant JBS.

The Kaseya attack came less than a month after a summit between President Biden and Russian President Vladimir Putin in Geneva, in which both leaders discussed the issue of cybersecurity in detail.

In the meeting, Biden asked Putin to stop giving safe haven to ransomware groups launching attacks on American enterprises.

On Wednesday, White House press secretary Jen Psaki said that President Biden was considering all options for how to respond to the latest attack.

"In terms of operational considerations, obviously it is not in our interest to preview those or preview our punches, as I like to say. The president has a range of options, should he determine to take action," Psaki said.