Russia-linked cybercriminal gang REvil has exploited Kaseya’s cloud-based IT management and remote monitoring software to hit managed service providers (MSPs) and their customers in the biggest global ransomware attack on record.
Details are still unfolding, but thousands of victims in at least 17 countries have been impacted in the attack, which was carefully timed to coincide with the Fourth of July holiday weekend, when offices tend to be lightly staffed.
REvil exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya's VSA software, which the company was reportedly in the process of patching, and used the compromised VSA servers to push ransomware to the endpoints they managed, encrypting them. A cryptocurrency payment of about $45,000 per system was then demanded for a decryption key. On its "Happy Blog" (pictured below), REvil claims that approximately one million systems are affected, and offered a "bulk discount" of $70 million to unlock them all in a single payment. That price has since been quietly lowered to $50 million, suggesting the scale of the attack may be making it hard to monetize.
The full scope of victim organizations is not yet known. Kaseya CEO Fred Voccola estimated the number to be in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”
Voccola said in an interview that only about 50-60 of the company's 37,000 customers were compromised directly. But about 70% of those were MSPs, which use the hacked software to manage numerous downstream customers of their own, so each compromised MSP multiplied the number of victims.
According to Sophos CISO Ross McKerchar, a broad array of organizations has been hit on all continents, including schools, small public-sector bodies, travel and leisure organizations, and credit unions. Germany's federal cybersecurity watchdog said on Sunday that an unidentified IT service provider with several thousand customers had been hit.
Chain reactions fed disruption over the weekend. Swedish grocery store Coop had to close hundreds of stores because its cash registers are run by Visma Esscom, which manages servers for a number of Swedish businesses and in turn uses Kaseya. In New Zealand, multiple schools were affected.
As of this morning, Kaseya’s SaaS cloud servers remain offline. An updated timeline for server restoration is expected today, along with more technical details of the attack to help recovery efforts by customers and security researchers.
The White House deputy national security adviser for cyber and emerging technology, Anne Neuberger, said in a statement that the FBI and the Department of Homeland Security’s cyber arm “will reach out to identified victims to provide assistance based upon an assessment of national risk.”
We can evaluate your environment and incident response capabilities, and help remediate any weaknesses.