Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack

Yesterday Sophos and Huntress Labs identified that Kaseya, a remote management software provider popular with MSPs, had been compromised and used to deliver REvil ransomware in a supply chain attack. A large number of organisations were impacted; among them, the Coop supermarket chain in Sweden temporarily closed around 800 stores.

We have published a number of resources on our GitHub that may help digital forensics and incident response (DFIR) practitioners responding to these attacks over the weekend:

  • Forensic analysis and reporting
  • Malware samples
  • Decompiled malware samples (via RetDec)
  • PCAP of network traffic captured from an infected system
  • Indicators of Compromise (IOCs) and YARA rules
  • Ransomware configuration and ransom note
  • Full disk images from an infected system (see Releases)
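One way responders typically use a domain IOC list like the one in the repository is to sweep DNS query logs for matches. The script below is an added example, not code from the Cado Security repository or from the original post. It assumes the IOC file is one domain per line with `#` comments, and it uses a constructed IOC list and constructed DNS log lines (placeholder domains, not real REvil or Kaseya indicators). It matches on label boundaries so that a lookalike such as `notevil-updates.test` does not match `evil-updates.test`.

```python
"""Sweep DNS query logs for domains in an IOC list.

Added example; not code from the Cado Security repository. Assumes an IOC
file with one domain per line ('#' starts a comment) and a whitespace
separated DNS log of "<timestamp> <client> <qname>". All data below is
constructed sample data, not real indicators.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed IOC list (placeholder domains, NOT real indicators).
SAMPLE_IOC_DOMAINS = """
# one domain per line, '#' starts a comment
evil-updates.test
  Cdn.Malicious.Example
"""

# Constructed DNS log lines: timestamp, client IP, queried name. Not real data.
SAMPLE_DNS_LOG = """\
2021-07-03T14:02:11Z 10.0.0.5 kaseya-agent.internal.test
2021-07-03T14:02:13Z 10.0.0.5 files.evil-updates.test.
2021-07-03T14:02:20Z 10.0.0.7 notevil-updates.test
2021-07-03T14:03:01Z 10.0.0.9 cdn.malicious.example
"""

DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalise(domain: str) -> str:
    """Lower-case, strip surrounding whitespace and any trailing dot."""
    return domain.strip().lower().rstrip(".")


def load_iocs(text: str) -> List[str]:
    """Parse the IOC file format assumed above into a list of domains."""
    iocs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        domain = normalise(line)
        if domain:
            iocs.append(domain)
    return iocs


def matches_ioc(qname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC that qname equals or is a subdomain of, else None.

    A plain substring test would flag 'notevil-updates.test' for the IOC
    'evil-updates.test', so compare on label boundaries instead.
    """
    query = normalise(qname)
    for ioc in iocs:
        if query == ioc or query.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(log_text: str, iocs: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, matched_ioc) for every hit."""
    iocs = list(iocs)
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, client, qname = m.groups()
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits.append((ts, client, normalise(qname), ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, load_iocs(SAMPLE_IOC_DOMAINS)):
        print("%s client=%s qname=%s ioc=%s" % hit)
```

Replace the constructed strings with the repository's domain list and your resolver or EDR DNS export; the trailing-dot and case normalisation matters because many resolvers log fully qualified names.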
Owner: Cado Security
We're building a platform to push digital forensics forward into the cloud era.
Comments
  • Please clarify role of domains in IOCs

    Please clarify the role of the domains in https://github.com/cado-security/DFIR_Resources_REvil_Kaseya/blob/main/IOCs/Domains.txt . Are these part of a C2 infrastructure or are those compromised domains, etc? Please clarify.
