Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Kaseya Ransomware Attack: $70 Million Ransom Demand, 1,500 Companies Impacted

July 7, 2021

ZDNet reported on July 6 that enterprise tech firm Kaseya has confirmed that approximately 1,500 businesses were impacted as a result of an attack on its remote device management software, which was used to spread ransomware.

Apparently, the attackers carried out a supply chain ransomware attack by leveraging a previously unknown vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers. VSA is remote monitoring and management software used to manage endpoints, such as PCs, servers and cash registers, as well as to manage patching and security vulnerabilities.

“To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised,” Kaseya said in an update on the attack.

On July 4, the attackers asked for $70 million in exchange for a universal decryption tool that they claimed would resolve the REvil issue for Kaseya and its customers.

While Kaseya’s software-as-a-service (SaaS) line of VSA was not affected, its servers were taken down during the incident response and remain offline.

Kaseya has developed a patch for customers running VSA on their own servers; it should already be available or will be available shortly.

Kaseya worked with the FBI and CISA on July 5 to discuss systems and network hardening tasks prior to restoring services for its SaaS and on-premises customers.

“A set of requirements will be posted prior to service restart to give our customers time to put these counter measures in place in anticipation of a return to service on July 6th,” it noted.

The company has also released a new, free compromise detection tool that customers can use to check networks and computers. The new version searches for indicators of compromise, data encryption, and the REvil ransom note.

“We recommend that you re-run this procedure to better determine if the system was compromised by REvil,” Kaseya said.

Kaseya urged customers to keep VSA servers offline until it’s safe to proceed with restoration efforts.

In other news, PC Magazine reported that President Biden has ordered U.S. intelligence agencies to investigate the REvil ransomware attack against Kaseya.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson