
Uncovering Kaseya REvil Attack

Dynamic sandboxing and community protection

The world learned of the Kaseya REvil attack on July 2. The supply-chain attack ultimately affected 1,500 organizations and one million endpoints, and the attackers demanded $70 million in ransom. The good news for Symantec customers? We identified the malware through automated sandboxing and protected our customers 90 seconds after its discovery.

The information that identified the REvil attack was turned into proactive protection immediately for all Symantec Secure Web Gateway customers, including Web Security Service.

At the time, we didn’t have a specific signature of the Kaseya malware – and we didn’t need it. Instead, our automated Malware Analysis capability spotted the code’s malicious behavior. Symantec has developed a cloud-based, multi-tiered solution that includes advanced analysis techniques to identify and neutralize malware designed to evade detection technology. These techniques block known threats, analyze anything new and unknown, and combat evolved attacks. This service is delivered via Symantec’s distributed global cloud datacenter network, providing local access to critical security services from a certified, redundant, and highly available environment.

The key is sandboxing. That means we pull unknown or suspicious code aside on the fly when it comes across a customer’s network. Next, we safely execute it on a virtual machine without risking harm to the host device or network. In effect, Symantec automatically detonates the unknown file and watches and records what happens. Our sophisticated sandbox fools the code into executing its malicious behavior by mimicking the download and even the keystrokes so the malware behaves as if it has found its unwitting target. And it just takes seconds. In the past, malware could run in the wild for days before being identified.


Malicious code always acts badly. We don’t care whether it’s wearing a signature hat or mask – is it trying to rob the bank? Malware has specific behavior patterns that we’ve come to recognize. Watching for these actions has the added benefit of helping spot unknown, “zero day” malware quickly. When found, the miscreant files are quarantined, a user session can be terminated, and the details forwarded to the Symantec Global Intelligence Network (GIN) to enhance protection for all our customers.
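To make the two paragraphs above concrete, here is an added illustration of how a behavioral verdict can be derived from a sandbox execution trace without any file signature. It is not Symantec's code or its actual detection logic; the trace format, the event names, the three behavior patterns and the score weights are all assumptions made for the example, and the traces are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sandbox traces, not real sandbox output: "ms|event|detail[|detail]".
MALICIOUS_TRACE = r"""
0|process_start|C:\Users\u\Downloads\update.exe
40|shadow_copy_delete|all volumes
90|file_rename|C:\Users\u\Documents\q3.xlsx|C:\Users\u\Documents\q3.xlsx.lck
95|file_rename|C:\Users\u\Documents\plan.docx|C:\Users\u\Documents\plan.docx.lck
101|file_rename|C:\Users\u\Pictures\a.jpg|C:\Users\u\Pictures\a.jpg.lck
108|file_rename|C:\Users\u\Pictures\b.jpg|C:\Users\u\Pictures\b.jpg.lck
113|file_rename|C:\Shared\ledger.db|C:\Shared\ledger.db.lck
120|file_write|C:\Users\u\Documents\README_RESTORE.txt
121|file_write|C:\Shared\README_RESTORE.txt
"""
BENIGN_TRACE = r"""
0|process_start|C:\Users\u\Downloads\setup.exe
30|file_write|C:\Program Files\App\app.exe
45|file_rename|C:\Program Files\App\cfg.tmp|C:\Program Files\App\cfg.ini
"""
WEIGHTS = {"mass_rename": 3, "note_drop": 2, "backup_tamper": 3}  # assumed weights

def analyze(trace: str, window_ms: int = 10_000, min_files: int = 5) -> dict:
    """Score one execution trace against assumed ransomware behaviour patterns."""
    events = [line.split("|") for line in trace.strip().splitlines()]
    hits, by_ext, touched = set(), defaultdict(list), set()
    # Pattern 1: many files renamed with one uniform appended extension,
    # spread over several directories, inside a short time window.
    for e in events:
        if e[1] == "file_rename" and e[3].startswith(e[2]):
            by_ext[e[3][len(e[2]):]].append((int(e[0]), PureWindowsPath(e[2]).parent))
    for seen in by_ext.values():
        dirs = {d for _, d in seen}
        touched |= dirs
        span = max(t for t, _ in seen) - min(t for t, _ in seen)
        if len(seen) >= min_files and len(dirs) >= 2 and span <= window_ms:
            hits.add("mass_rename")
    # Pattern 2: the same file name dropped into several directories whose
    # contents were just renamed (a ransom note).
    notes = defaultdict(set)
    for e in events:
        if e[1] == "file_write" and PureWindowsPath(e[2]).parent in touched:
            notes[PureWindowsPath(e[2]).name].add(PureWindowsPath(e[2]).parent)
    if any(len(dirs) >= 2 for dirs in notes.values()):
        hits.add("note_drop")
    # Pattern 3: the sample destroys the backups a victim would restore from.
    if any(e[1] == "shadow_copy_delete" for e in events):
        hits.add("backup_tamper")
    score = sum(WEIGHTS[h] for h in hits)
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 2 else "clean"
    return {"verdict": verdict, "score": score, "indicators": sorted(hits)}
```

A "malicious" verdict is what would drive the quarantine, session termination and intelligence sharing the text describes; the benign installer trace scores zero because its single rename is an ordinary in-place file replacement.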

Every day, Symantec automatically feeds intelligence on millions of malicious files and URL threat indicators into the GIN. From endpoints to servers, and at the network traffic level, we share telemetry amassed from 15,000 Symantec customer companies across the globe. That includes information correlated from millions of endpoints and network sensors.

It's about being part of a larger security community, backed by an industry leader. I encourage you to learn more about Symantec GIN and our Web Protection Suite.

With us, there’s strength in numbers.


About the Author

Patrik Runald

Head of Threat Detection for Network Security at Broadcom Software

Patrik is the Head of Threat Detection for Network Security at Broadcom Software where he leads the development of multiple technologies that help protect Broadcom Software's enterprise customers. He has worked in the IT security field since 1995.
