DFIR_Resources_REvil_Kaseya
Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack
Yesterday Sophos and Huntress Labs identified that Kaseya, a remote management provider popular with MSPs, had been compromised to deploy ransomware through a supply chain attack. A large number of organisations were impacted, including the temporary closure of 800 stores of the Coop supermarket chain in Sweden.
We have provided a number of resources on our Github that may help Digital Forensics and Incident Response experts responding to these attacks over the weekend:
- Forensic Analysis and Reporting
- Malware Samples
- Decompiled Malware Samples (via retdec)
- PCAP of network traffic capture from an infected system
- Indicators of Compromise and Yara Rules
- Configuration and Ransomware Note
- Full disk captures from an infected system (See Releases)