The cyberattack against Kaseya’s remote VSA monitoring and management software has affected nearly 40 of the company’s local MSP customers, according to CEO Fred Voccola.
The New York and Miami-based IT service management company said the cyberattack only affected a small percentage of its 36,000+ customers, with none of Kaseya’s SaaS customers ever being at risk. Numerous security researchers, as well as the Cybersecurity and Infrastructure Security Agency (CISA), called the incident a supply chain ransomware attack, but Kaseya has not confirmed these reports.
“We believe we have identified the source of the vulnerability and are preparing a patch to limit it for our customers on-site that will be thoroughly tested,” Voccola wrote in an update Kaseya posted on its website on Friday at 10pm ET. “We’ll be releasing this patch as soon as possible to get our customers up and running again.”
The impact of the Kaseya cyberattack is likely to be far wider than just the 40 MSPs directly affected, as a single MSP often serves dozens (or even hundreds) of end customers. For example, managed detection and response (MDR) provider Huntress found that around 200 end users were encrypted, even though only three of the company’s MSP partners were actually compromised.
“If an MSP is compromised, we have seen evidence that it spread to all of the MSP’s customers through the VSA,” said John Hammond, senior security researcher at Huntress, in an email to CRN. “MSPs with over thousands of endpoints are hit.”
Similarly, Acronis told CRN that while not many of its MSP partners were affected, those that were suffered a deep blow, as multiple systems across the MSP’s entire customer base were hit, said Ben Nowacky, SVP of Product. Affected MSPs should contact their insurance carrier to see if they need to work with a specific incident response provider, and their backup provider for help with data recovery.
“The scope of the attack will really depend on how quickly it becomes known to shut down VSA until a patch can be released and that MSPs have their incident response plans up to date and can be executed,” Nowacky told CRN.
According to Voccola, Kaseya expects to restore VSA service to its SaaS customers within the next 24 hours once the company can confirm that those customers are not at risk. All local VSA servers should remain down until Kaseya instructs that it is safe to restore operations. The company said a patch must be installed before the local VSA can restart.
“We used our in-house incident response team and leading industry experts to conduct forensic investigations to help us determine the cause of the problem,” Voccola wrote in his Friday night update. “We have notified law enforcement and state cybersecurity agencies, including the FBI and KAG.”
Several security researchers, including Huntress, have attributed the cyberattack on Kaseya VSA to the infamous ransomware gang REvil (also known as Sodinokibi), who were most recently behind the colossal attack on meat packing giant JBS. REvil was first spotted in April 2019 and refuses to attack machines in Russia or the former Soviet republics, CrowdStrike’s Adam Meyers told CRN in 2020.
A REvil victim was told that they would have to pay a $5 million ransom by July 5 to receive a decryptor. After that, the ransom would be doubled to $10 million, according to BleepingComputer. It is unclear whether the same ransomware sample was used for all victims or whether each MSP victim received their own ransom note, BleepingComputer said.
A text-based README file is written to various directories on the victim’s system that acts as a ransom note, according to a late Friday blog post by Cisco Talos.
“If you don’t cooperate with our service – for us that is [sic] does not matter,” REvil wrote in its ransom note, according to a screenshot posted by Talos. “But you will lose your time and your data because only we have the private key. In practice, time is much more valuable than money.”