Uncovering Kaseya REvil Attack

The world learned of the Kaseya REvil attack on July 2. The supply-chain exploit ultimately impacted 1,500 organizations, one million endpoints and demanded $70 million in ransom. The good news for Symantec customers? We identified the malware through automated sandboxing and protected our customers 90 seconds after its discovery.

The information that identified the REvil attack was turned into proactive protection immediately for all Symantec Secure Web Gateway customers, including Web Security Service.

At the time, we didn’t have a specific signature of the Kaseya malware – and we didn’t need it. Instead, our automated Malware Analysis capability spotted the code’s malicious behavior. Symantec has developed a cloud-based, multi-tiered solution that includes advanced analysis techniques to identify and neutralize malware designed to evade detection technology. These techniques block known threats, analyze anything new and unknown, and combat evolved attacks. This service is delivered via Symantec’s distributed global cloud datacenter network, providing local access to critical security services from a certified, redundant, and highly available environment.

The key is sandboxing. That means we pull unknown or suspicious code aside on the fly when it comes across a customer’s network. Next, we safely execute it on a virtual machine without risking harm to the host device or network. In effect, Symantec automatically detonates the unknown file and watches and records what happens. Our sophisticated sandbox  fools the code into executing its malicious behavior by mimicking the download and even the keystrokes so the malware behaves as if it has found its  unwitting target. And it just takes seconds. In the past, malware could run in the wild for days before being identified.

Malicious code always acts badly. We don’t care whether it’s wearing a signature hat or mask – is it trying to rob the bank? Malware has specific behavior patterns that we’ve come to recognize. Watching for these actions has the added benefit of helping spot unknown, “zero day” malware quickly. When found, the miscreant files are quarantined, a user session can be terminated, and the details forwarded to the Symantec Global Intelligence Network (GIN) to enhance protection for all our customers.

Symantec automatically updates its intelligence on millions of malicious files and URL threat indicators every day to the GIN. From endpoints to servers, and at the network traffic level, we share telemetry amassed from 15,000 Symantec customer companies across the globe. That includes information correlated from millions of endpoints and network sensors.

It's about being part of a larger security community, backed by an industry leader. I encourage you to investigate more on Symantec GIN and our Web Protection Suite.

With us, there’s strength in numbers.