Russia-linked cybercriminal gang REvil has exploited Kaseya’s cloud-based IT management and remote monitoring software to hit managed service providers (MSPs) and their customers in the biggest global ransomware attack on record.
Details are still unfolding, but thousands of victims in at least 17 countries have been impacted in the attack, which was carefully timed to coincide with the Fourth of July holiday weekend, when offices tend to be lightly staffed.
SolarWinds With Ransomware
REvil hacked into Kaseya’s VSA software—leveraging a zero-day vulnerability (CVE-2021-30116) the company was reportedly in the process of patching—and pushed ransomware to systems under its management, disabling them. A cryptocurrency payment of about $45,000 per system was then demanded for a decryption key. On its “Happy Blog” (pictured below), REvil claims that approximately one million systems are affected, and offered a “bulk discount” of $70 million to unlock them all in a single payment. That price has since been quietly lowered to $50 million, suggesting the scale of the attack may be making it hard to monetize.
REvil Ransom Demand
Who is Affected?
The full scope of victim organizations is not yet known. Kaseya CEO Fred Voccola estimated the number to be in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”
Voccola said in an interview that only about 50-60 of the company’s 37,000 customers were compromised. But 70% are MSPs that use the hacked software to manage numerous customers.
According to Sophos CISO Ross McKerchar, a broad array of organizations have been hit on all continents, including schools, small public-sector bodies, travel and leisure organizations, and credit unions. Germany’s federal cybersecurity watchdog said on Sunday an unidentified IT service provider with several thousand customers had been hit.
Chain reactions fed disruption over the weekend. Swedish grocery store Coop had to close hundreds of stores because its cash registers are run by Visma Esscom, which manages servers for a number of Swedish businesses and in turn uses Kaseya. In New Zealand, multiple schools were affected.
As of this morning, Kaseya’s SaaS cloud servers remain offline. An updated timeline for server restoration is expected today, along with more technical details of the attack to help recovery efforts by customers and security researchers.
The White House deputy national security adviser for cyber and emerging technology, Anne Neuberger, said in a statement that the FBI and the Department of Homeland Security’s cyber arm “will reach out to identified victims to provide assistance based upon an assessment of national risk.”
What You Can Do
- Follow Kaseya’s guidance to immediately shut down VSA servers.
- Report compromised systems to the Internet Crime Complaint Center.
- Implement mitigation techniques recommended by CISA and the FBI:
- Check systems for signs of compromise using a detection tool provided by Kaseya over the weekend. The tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoCs) are present.
- Enable and enforce MFA wherever possible.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
- Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available.
- Implement the principle of least privilege on key network resource admin accounts.
Contact Us
We can evaluate your environment and incident response capabilities, and help remediate any weaknesses.
