Ransomware attackers have purportedly utilized Kaseya, a software platform created to help manage IT services remotely, to deliver their payload just in time to mar the holiday weekend. On Friday, Sophos director and ethical hacker Mark Loman tweeted about the attack, claiming that unlocked systems will cost $44,999. Customers should turn off their VSA servers for the time being, according to a statement on Kaseya’s website, “since one of the first things the attacker does is disable administrative access to the VSA.”
Kaseya released a new warning on Saturday, claiming that its independent specialists had told it that “customers who have suffered ransomware and get a contact from the attackers should not click on any links – they may be weaponized.”
According to a report by Bleeping Computer, the assault targeted six large MSPs and encrypted data for up to 200 businesses.
Kevin Beaumont of DoublePulsar has given more details about how the assault appears to function, with REvil ransomware coming via a Kaseya update and infecting systems using the platform’s administrative credentials.
Once compromised, a Managed Service Provider’s systems can in turn be used to attack the clients for whom it provides remote IT support (network management, system updates, and backups, among other things).
“We are investigating a potential attack against the VSA that appears to have been limited to a small number of our on-premises clients only,” Kaseya said in a statement to The Verge. According to a message, all of the company’s cloud servers are now in “maintenance mode,” a move that a spokeswoman said was made out of “abundance of caution.”
Kaseya CEO Fred Voccola made a statement later on Friday evening, estimating the number of MSPs affected to be fewer than 40 and saying that a patch to remediate the vulnerability was being prepared.
“While our early indicators suggested that only a small percentage of on-premises customers were affected, we took a cautious approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” Voccola said in the statement, adding that the company’s SaaS customers were never at risk and that “only a very small percentage…”
Bloomberg stated on Saturday that the hack had a ripple effect affecting over 1,000 organizations; the attack targeted managed service providers, but these providers supply IT services to other businesses that may now be affected as well. According to Bloomberg, a Swedish grocery chain was unable to open 800 of its stores on Saturday due to cash register malfunctions as a result of the attack.
The attack has been tied to the notorious REvil ransomware gang (which was previously linked to attacks on Acer and meat supplier JBS earlier this year), and The Record reports that this could be the third time Kaseya software has been used as a vector for the malware.
According to The Washington Post, President Biden indicated late Saturday afternoon that the US government was unsure whether Russia was involved in the attack. During a trip to Michigan, he told reporters, “I directed the intelligence community to give me a deep dive into what’s happened, and I’ll know better tomorrow, and if it’s either knowledge of or consequences of Russia, I promised Putin we’ll respond.” Biden went on to say that he had not yet spoken with Russian President Vladimir Putin about the situation.
Kaseya stated on Saturday that it would send updates every three to four hours on the issue.