Kaseya Ransomware Attack and the Implications of Microsoft Defender for Endpoint (MDE)

Oct 21, 2021


By now, the story of the Kaseya ransomware attack is a cautionary tale to all MSPs and their clients. However, there is more to the story than meets the eye. Let's first examine the role Kaseya VSA played in the attack.

The Problem:

Kaseya VSA is an on-premises solution used to manage remote assets. Many managed service providers (MSPs) use it to manage their clients' IT infrastructure. For the product to work, every managed device runs an agent that trusts the VSA server. Some MSPs expose that on-premises server directly to the internet.

Attackers were able to execute code on internet-exposed VSA servers without authenticating. Because VSA must hold high administrative privilege on the systems it manages, the attackers inherited that privilege on every managed endpoint, which made it possible to disable Defender (among other controls) and execute ransomware. In addition, the VSA agent requires anti-virus exclusions in order to co-exist with the various AV products installed on those assets, so anything delivered through the agent's own paths was scanned less, or not at all. Taken together, the agent's privileges and exclusions gave a nefarious actor a ready-made privilege escalation path: whoever controls the VSA server controls MSP client assets as SYSTEM.

[Ref: https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b]

Secondly, to understand the implications for Microsoft Defender for Endpoint, we need to break down how the REvil ransomware used in the attack behaved on the endpoint.

PowerShell cmdlets (Set-MpPreference) were used to tamper with Microsoft Defender Antivirus before the payload ran. Real-time Monitoring, IOAV Protection, Intrusion Prevention System, Script Scanning, Controlled Folder Access, Network Protection, MAPS Reporting and Sample Submission were all disabled.
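The following PowerShell is an added example, not code from the original post or from the attack itself. The first part reconstructs the Set-MpPreference call that corresponds to the eight settings listed above (the exact values used for Network Protection and sample submission, AuditMode and NeverSend, are assumptions); the second part is an audit function, Get-DefenderTamperIndicators (a name chosen for this example), that reads the live preferences back and reports which of those settings are in a disabled state.

```powershell
# Added example (not from the original post or the attack toolkit). Run as Administrator.
# Part 1 reconstructs the cmdlet that switches off the eight Defender features
# listed above. Part 2 is an audit that reads live preferences back and returns
# one object per feature found in a tampered (off) state.

# ---------- Part 1: the tampering step (shown as text, not executed) ----------
# Reconstructed from the list of disabled features; the specific values for
# Network Protection (AuditMode) and sample submission (NeverSend) are assumptions.
$TamperCommand = @'
Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true `
  -DisableIOAVProtection $true -DisableScriptScanning $true `
  -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force `
  -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
'@

# ---------- Part 2: audit the live preferences ----------
# Expected secure value per Get-MpPreference property. Controlled Folder Access and
# Network Protection are off by default on an unmanaged host, so set those two to
# your organisation's policy before treating a mismatch as tampering.
$script:ExpectedPreferences = [ordered]@{
    DisableRealtimeMonitoring        = $false   # Real-time Monitoring on
    DisableIOAVProtection            = $false   # IOAV Protection on
    DisableIntrusionPreventionSystem = $false   # Intrusion Prevention System on
    DisableScriptScanning            = $false   # Script Scanning on
    EnableControlledFolderAccess     = 1        # 1 = Enabled (0 Disabled, 2 AuditMode)
    EnableNetworkProtection          = 1        # 1 = Enabled (0 Disabled, 2 AuditMode)
    MAPSReporting                    = 2        # 2 = Advanced (0 Disabled, 1 Basic)
    SubmitSamplesConsent             = 1        # 1 = SendSafeSamples (2 = NeverSend)
}

function Get-DefenderTamperIndicators {
    [CmdletBinding()]
    param(
        # Defaults to the live host; pass an object exported elsewhere with
        # Get-MpPreference | Export-Clixml to audit another machine offline.
        [Parameter()] $Preference = (Get-MpPreference),
        [Parameter()] $Expected   = $script:ExpectedPreferences
    )
    foreach ($name in $Expected.Keys) {
        $actual = $Preference.$name
        # A Disable* property that was never set reads as $null, which means the
        # feature is still on; treat that as matching the secure value.
        if ($null -eq $actual -and $Expected[$name] -eq $false) { continue }
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = $actual
            }
        }
    }
}

$findings = @(Get-DefenderTamperIndicators)
if ($findings.Count -eq 0) {
    'No Defender preference tampering detected.'
} else {
    "Defender preferences in a tampered state: $($findings.Count)"
    $findings | Format-Table -AutoSize
}
```

On a host where the reconstructed command above has actually been run, the audit returns all eight settings; on a host with Tamper Protection enforced, the same command is rejected and the audit returns nothing, which is the quickest way to confirm the control is doing its job.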

Once Defender was disabled, a dropper was executed. The dropper wrote two files to the victim's AppData\Local\Temp folder: MsMpEng.exe (a valid Windows Defender executable) and mpsvc.dll (the ransomware payload).

Please note that the legitimate Defender engine runs from \ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe and is started by the "WinDefend" service. A copy of MsMpEng.exe anywhere else, started by anything other than that service, is a strong indicator of the technique described below.

The MsMpEng.exe binary dropped by REvil was not modified at all: it was a genuine Microsoft digitally signed file, albeit an old build with a March 2014 timestamp. That is exactly what makes it useful to an attacker, because any control that trusts a valid Microsoft signature sees a legitimate binary.

REvil, who took credit for the attack, used a DLL side loading technique to execute the ransomware code. When MsMpEng.exe starts, it loads mpsvc.dll by name and resolves it through the normal DLL search order, which looks in the executable's own directory first. Because the attacker placed mpsvc.dll next to the copy of MsMpEng.exe in the Temp folder, the signed Defender binary loaded the ransomware DLL and called into it, so the payload ran inside what looked like a Microsoft process.

[Ref: https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/ ]
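To hunt for this pattern on a live host, the script below (an added example, not from the original post) lists every MsMpEng.exe process that is not the WinDefend service process, checks whether it runs from under the Platform folder, reads the Authenticode signature of the executable and of any mpsvc.dll beside it, and parses the PE header for the build timestamp so that a 2014 engine sitting in a Temp folder stands out. The function names and the trusted-root path are this example's own assumptions.

```powershell
# Added example (not from the original post). Run as Administrator.
# Hunts for the side-loading pattern described above: a Microsoft-signed
# MsMpEng.exe running outside the Defender Platform directory, not owned by the
# WinDefend service, with an mpsvc.dll beside it.

function Get-PeTimestamp {
    # Reads the COFF TimeDateStamp so an old engine build (the REvil copy was
    # from March 2014) stands out against the current platform version.
    param([string] $Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $hdr = New-Object byte[] 0x40
        [void]$fs.Read($hdr, 0, $hdr.Length)
        $peOffset = [BitConverter]::ToInt32($hdr, 0x3C)   # e_lfanew -> 'PE\0\0'
        $fs.Position = $peOffset + 8                       # signature(4) + Machine(2) + NumberOfSections(2)
        $ts = New-Object byte[] 4
        [void]$fs.Read($ts, 0, 4)
        [DateTimeOffset]::FromUnixTimeSeconds([BitConverter]::ToUInt32($ts, 0)).UtcDateTime
    } finally { $fs.Dispose() }
}

function Get-MsMpEngSideloadIndicators {
    [CmdletBinding()]
    param(
        [string] $Executable  = 'MsMpEng.exe',
        [string] $SideDll     = 'mpsvc.dll',
        # The genuine engine runs from a versioned folder under Platform.
        [string] $TrustedRoot = (Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform')
    )
    # The legitimate engine is the WinDefend service process; any other process
    # with this name is suspect regardless of what it is called.
    $winDefendPid = (Get-CimInstance Win32_Service -Filter "Name = 'WinDefend'").ProcessId

    # Win32_Process exposes the image path and the parent PID (the dropper, in
    # the REvil case), which Get-Process alone does not.
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$Executable'"
    foreach ($p in $procs) {
        if ($p.ProcessId -eq $winDefendPid) { continue }
        $path = $p.ExecutablePath
        if (-not $path) { continue }                       # no access to the image path
        $dir = Split-Path $path -Parent
        $inTrustedRoot = $dir.StartsWith($TrustedRoot, [StringComparison]::OrdinalIgnoreCase)

        $exeSig  = Get-AuthenticodeSignature -FilePath $path
        $dllPath = Join-Path $dir $SideDll
        $dllSig  = if (Test-Path $dllPath) { Get-AuthenticodeSignature -FilePath $dllPath }

        [pscustomobject]@{
            ProcessId       = $p.ProcessId
            ParentProcessId = $p.ParentProcessId
            Path            = $path
            InTrustedRoot   = $inTrustedRoot
            ExeSignature    = $exeSig.Status                    # Valid, even for the relocated MS binary
            ExeBuildDate    = Get-PeTimestamp $path             # old date = old, side-loadable engine
            SideDllPresent  = [bool]$dllSig
            SideDllSigner   = $dllSig.SignerCertificate.Subject # $null when the DLL is unsigned
            SideDllStatus   = $dllSig.Status                    # NotSigned/HashMismatch = attacker DLL
        }
    }
}

Get-MsMpEngSideloadIndicators | Format-List
```

The point of combining the checks is that no single one is conclusive: the executable's signature is Valid by design, and a Temp path alone could be an installer. A non-WinDefend MsMpEng.exe, an old build date and an unsigned mpsvc.dll in the same directory together describe the REvil loader and little else.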

Traditionally, a user with local administrative privilege on a system can tamper with Defender, for example through the cmdlets above. Such changes are not permanent; Defender will eventually turn itself back on. Domain Administrators can also disable Defender by pushing Group Policy settings to systems, and those settings persist until the policy is reverted. Without Tamper Protection, the REvil steps above needed nothing more than the administrative rights the Kaseya agent already held.

[Ref: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD52622]

The Solution: Tamper Protection

Defender for Endpoint would not have been affected by this campaign had Tamper Protection been enabled and the system requirements met: the Set-MpPreference step would have been rejected, Defender's protections would have stayed on, and the dropper and the side-loaded mpsvc.dll would have faced real-time and cloud-delivered protection instead of a disabled engine. Note that Tamper Protection guards Defender's own settings; it does not by itself stop a signed binary from loading a DLL. In addition, Defender for Endpoint would have alerted on the tampering attempts.

When a tampering attempt is detected, an alert is raised in the Microsoft 365 Defender portal.

Using the endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.

Tamper Protection is available for:

  • Windows 10
  • Windows Server 2019
  • Windows Server, version 1803 or later
  • Windows Server 2016

With Tamper Protection, malware is prevented from taking actions such as:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Disabling cloud-delivered protection
  • Removing security intelligence updates

Tamper Protection locks Microsoft Defender Antivirus to its secure, default values, and prevents security settings from being changed through applications and methods such as:

  • Configuration of settings in Registry Editor
  • Changing settings through PowerShell cmdlets (as seen in the REvil attack)
  • Editing or removing security settings through Group Policy

Tamper protection does not:

  • Prevent users from viewing security settings.
  • Affect how non-Microsoft antivirus applications register with the Windows Security app.

If an organization is using Windows 10 Enterprise E5 with Defender for Endpoint, individual users cannot change Tamper Protection settings on managed devices. At this level, the security team manages Tamper Protection centrally, and it can be configured in the Microsoft 365 Defender portal.
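Two checks a security team would run on a managed host, as an added example (not from the original post): confirm that Tamper Protection is actually enforced, and pull Defender's own operational events for tampering attempts, whether blocked by Tamper Protection (Event ID 5013) or applied (5001, 5004, 5007). The meaning of the Features\TamperProtection registry value (5 = on, 4 = off) is an assumption noted in the code; IsTamperProtected from Get-MpComputerStatus is the authoritative answer. The function names are this example's own.

```powershell
# Added example (not from the original post). Run as Administrator.
# (1) Is Tamper Protection enforced on this host?
# (2) What has Defender logged about tampering attempts, blocked or not?

function Get-TamperProtectionState {
    $status = Get-MpComputerStatus
    # Registry mirror of the setting: 5 = on, 4 = off. These value meanings are an
    # assumption from community documentation; IsTamperProtected is authoritative.
    $features = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' `
                                 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IsTamperProtected         = $status.IsTamperProtected
        AMRunningMode             = $status.AMRunningMode           # Normal / Passive / EDR Block
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IoavProtectionEnabled     = $status.IoavProtectionEnabled
        TamperProtectionRegValue  = $features.TamperProtection
    }
}

function Get-DefenderTamperEvents {
    param([int] $Days = 7)
    # 5013: Tamper Protection blocked a change  (the attempt failed)
    # 5001: real-time protection disabled        (the attempt succeeded)
    # 5004: real-time protection config changed  (the attempt succeeded)
    # 5007: Defender configuration changed       (the attempt succeeded)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5013
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Outcome = if ($e.Id -eq 5013) { 'Blocked by Tamper Protection' } else { 'Change applied' }
            Message = ($e.Message -split "`r?`n")[0]   # first line is enough for triage
        }
    }
}

$state = Get-TamperProtectionState
$state | Format-List
if (-not $state.IsTamperProtected) {
    Write-Warning 'Tamper Protection is OFF: Set-MpPreference, registry and Group Policy changes will be honoured.'
}
Get-DefenderTamperEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

A run of 5007 and 5001 events with no 5013 in the same window is the local footprint of the REvil tampering step on an unprotected host; on a protected host the same activity appears as 5013 entries, and the corresponding alert lands in the Microsoft 365 Defender portal.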

[Ref: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide]

Conclusion:

Enterprise-level clients have many criteria to examine when evaluating IT security software choices, along with their cost. When news such as the recent supply chain attacks hits the executive boardroom, doubts eventually creep in about once-trusted options. It is possible for executive-level decision makers to suffer information overload or draw incorrect conclusions from the limited information available. Speak to a Difenda representative to ensure you are always well informed.

