Kaseya ransomware attack was apparently coded to avoid Russia

[Image: ransomware illustration (Image credit: Avast)]

Cybersecurity researchers have discovered that the malware that pushed REvil ransomware to thousands of computers managed through Kaseya VSA was designed to avoid infecting machines in countries that are the principal members of the Commonwealth of Independent States (CIS).

Initially suspected to be a supply chain compromise of Kaseya's own update infrastructure, the campaign in fact exploited a zero-day vulnerability in Kaseya's VSA software to compromise on-premises VSA servers at several managed service providers (MSPs) and push ransomware to their downstream customers.

In their analysis of the malware, security researchers at Trustwave note that the ransomware inspects the system's language settings and avoids machines in countries of the former USSR region, exiting without encrypting anything when it finds one.


Security experts have previously suggested that installing a Cyrillic keyboard layout might be enough to convince such malware that the machine is Russian and therefore off limits. Whether that works depends on the malware checking the list of installed keyboard layouts rather than only the default system or user interface language.
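To make the language check concrete, here is an added example (not code from REvil, Trustwave or Kaseya) that models the two common variants of such a "kill switch": one that tests the user's UI language and every installed keyboard layout, and one that tests only the UI language. The LANGID constants are Windows' own (from winnt.h); the particular set of CIS languages tested is an assumption for illustration, not REvil's actual list. The sample layouts are constructed inline so the logic runs anywhere; the live Windows read-out via user32/kernel32 is only attempted on Windows.

```python
"""Model of the locale check ransomware uses to skip machines in Russia and
other CIS countries. Added example for this article, not malware code.

The CIS language set below is an illustrative assumption; the numeric
LANGID values themselves are the standard Windows constants (winnt.h).
"""
import sys

# Primary language IDs (low 10 bits of a Windows LANGID) for languages of
# the CIS region. Constructed for illustration; not REvil's actual list.
CIS_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x3F: "Kazakh",
    0x40: "Kyrgyz",
    0x28: "Tajik",
    0x42: "Turkmen",
    0x43: "Uzbek",
    0x2B: "Armenian",
    0x2C: "Azerbaijani",
    0x37: "Georgian",
    0x18: "Romanian (Moldovan)",
    0x44: "Tatar",
}


def primary_lang(langid: int) -> int:
    """PRIMARYLANGID(): drop the sublanguage bits (bits 10-15) of a LANGID,
    so ru-RU (0x0419) and ru-MD (0x0819) both map to 0x19."""
    return langid & 0x3FF


def hkl_to_langid(hkl: int) -> int:
    """An HKL returned by GetKeyboardLayoutList() carries the input language in
    its low 16 bits; the high word is a layout/device handle and is ignored."""
    return hkl & 0xFFFF


def should_skip(ui_langid: int, keyboard_hkls) -> tuple[bool, str]:
    """Variant 1: check the user's UI language first, then every installed
    keyboard layout. Returns (skip, reason)."""
    lang = primary_lang(ui_langid)
    if lang in CIS_PRIMARY_LANGS:
        return True, f"UI language is {CIS_PRIMARY_LANGS[lang]}"
    for hkl in keyboard_hkls:
        lang = primary_lang(hkl_to_langid(hkl))
        if lang in CIS_PRIMARY_LANGS:
            return True, f"installed keyboard layout: {CIS_PRIMARY_LANGS[lang]}"
    return False, "no CIS language found"


def should_skip_ui_only(ui_langid: int) -> bool:
    """Variant 2: ignore keyboard layouts entirely. Against this variant the
    'add a Cyrillic keyboard' trick changes nothing."""
    return primary_lang(ui_langid) in CIS_PRIMARY_LANGS


def live_check():
    """On Windows, read the real values through the Win32 API; elsewhere None."""
    if sys.platform != "win32":
        return None
    import ctypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ui_lang = kernel32.GetUserDefaultUILanguage()
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return should_skip(ui_lang, [h or 0 for h in buf])


def demo():
    """Constructed sample machines: US English with and without a Russian layout."""
    en_us_ui = 0x0409                  # en-US LANGID
    us_layout = 0x04090409             # HKL for the US keyboard
    ru_layout = 0x04190419             # HKL for the Russian keyboard
    return {
        "plain_en_us": should_skip(en_us_ui, [us_layout]),
        "en_us_plus_cyrillic": should_skip(en_us_ui, [us_layout, ru_layout]),
        "en_us_plus_cyrillic_ui_only": should_skip_ui_only(en_us_ui),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("live:", live_check())
```

Adding the Russian layout flips variant 1 to "skip" but leaves variant 2 unchanged, which is why the keyboard trick is a gamble rather than a control. Defenders should treat it as a curiosity and rely on patching and segmentation instead.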

Unpatched zero-day

In response to the attack, Kaseya pulled the plug on VSA's software-as-a-service offering and asked all of its customers to take their on-premises VSA servers offline as well.

Reporting on the developments, The Register notes that one of the exploited vulnerabilities in VSA was first reported to Kaseya in April 2021. It was one of seven VSA bugs found by the Dutch Institute for Vulnerability Disclosure (DIVD) and reported privately to Kaseya.

Patches for four of these were released in April and May, while the remaining three were scheduled for delivery in an upcoming release. 

But before one of those unpatched bugs, tracked as CVE-2021-30116, could be fixed, REvil exploited it to deploy ransomware on computers around the world, except, of course, in Russia and the other CIS countries.

ZDNet reports that the White House has warned Russia to take action against the threat actors, or else the US might have to take matters into its own hands.

"As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own," said White House press secretary Jen Psaki.

Mayank Sharma
