Ransomware Attack on Kaseya, a Software Firm, Threatens Business Globally
The cyber-attack against Kaseya’s VSA remote monitoring and management software has affected almost 40 of the company’s on-premises MSP customers, according to CEO Fred Voccola.
The New York and Miami-based IT management software vendor said the cyber-attack impacted only a small percentage of its more than 36,000 customers, with none of Kaseya’s SaaS customers ever at risk. Many security researchers – in addition to the Cybersecurity and Infrastructure Security Agency (CISA) – have called the incident a supply-chain ransomware attack, but Kaseya hasn’t confirmed those reports.
“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly,” Voccola wrote in an update posted to Kaseya’s website at 10 p.m. ET Friday. “We will release that patch as quickly as possible to get our customers back up and running.”
The impact of the Kaseya cyber-attack is likely to be considerably more far-reaching than just the 40 directly affected MSPs, since a single MSP often serves dozens (or even hundreds) of end customers. For example, managed detection and response (MDR) vendor Huntress found that approximately 200 end customers had been encrypted although just three of the company’s MSP partners were actually compromised.
“When an MSP is compromised, we’ve seen proof that it has spread through the VSA into all the MSP’s customers,” John Hammond, a senior security researcher at Huntress, said in a statement emailed to CRN. “MSPs with over thousands of endpoints are being hit.”
“The scope of the attack is really going to be determined by how quickly word gets out shutting down VSA until a patch can be released, and MSPs having their incident response plans current and able to be executed,” Nowacki told CRN.
Voccola said Kaseya expects to restore VSA service to its SaaS customers within the next 24 hours, once the company can confirm that these customers are not at risk. All on-premises VSA servers should remain down until Kaseya advises that it’s safe to restore operations. The company said a patch will have to be installed before on-premises VSA can be resumed.
“We engaged our internal incident response team and leading industry experts in forensic investigations to help us determine the root cause of the issue,” Voccola wrote in his Friday evening update. “We notified law enforcement and government cybersecurity agencies, including the FBI and CISA.”
Some security investigators, including Huntress, have attributed the Kaseya VSA cyber-attack to the notorious REvil ransomware gang (also known as Sodinokibi), which was recently behind the massive attack on meatpacking giant JBS. REvil was first identified in April 2019 and avoids targeting machines located in Russia or the former Soviet republics, CrowdStrike’s Adam Meyers told CRN in 2020.
One REvil victim was told they would have to pay a $5 million ransom by July 5 to obtain a decryptor, after which point the ransom would double to $10 million, according to BleepingComputer. It is unclear whether the same ransom demand was used against all victims or whether every MSP victim received its own separate ransom demand, BleepingComputer said.
“If you will not cooperate with our service – for us, it [sic] does not matter,” REvil wrote in its ransom note, according to a screenshot posted by Talos. “But you will lose your time and data because just we have the private key. In practice – time is much more valuable than money.”