Kaseya ransomware attack: 1500 affected companies and a $70 million ransom demand
Kaseya, a Florida-based software company that provides tools for businesses to manage their networks, was revealed to be the victim of a large-scale ransomware attack that affected up to 1500 small and medium-sized companies. The perpetrators are demanding a record $70 million ransom for a universal decryptor that would supposedly let all victims restore normal operations.
Kaseya is an IT solutions company that provides its customers with various software, including Virtual System/Server Administrator (VSA), a remote monitoring and management tool used primarily by managed service providers (MSPs). Overall, more than 40,000 organizations around the world use one or more of Kaseya's software products. On July 2, cybercriminals used a vulnerability in Kaseya's VSA software to carry out a supply chain ransomware attack.
It is unlikely that the timing, the American Independence Day weekend, was a coincidence: work hours are usually shorter before a holiday, and with fewer employees present on Friday, reaction times were likely slower and the attack more likely to succeed. The attackers, since identified as the notorious REvil ransomware gang, reportedly exploited the VSA vulnerability to push ransomware through managed service providers (MSPs) to the MSPs' customers. Approximately 60 of Kaseya's direct customers are estimated to have been impacted, but because many of them are MSPs, up to 1500 small and medium-sized companies could have been hit through their MSP.
Kaseya released a short statement about the attack on July 2, 2021, recommending that customers immediately shut down their VSA servers until further notice. It also warned that one of the first things the attackers do is shut off administrative access to the VSA, which is why an immediate shutdown of VSA servers is critical. In a longer statement released six hours later, Kaseya explained that upon learning of the potential security incident involving its VSA software, the company immediately shut down its software-as-a-service (SaaS) servers as a precaution and began notifying its on-premises customers via email, in-product notices, and phone, advising them to shut down their VSA servers before they could be compromised. It then followed its established incident response process to determine the scope of the attack and how customers were affected. Law enforcement and government cybersecurity agencies (FBI, CISA, etc.) were contacted immediately.
By July 4, Kaseya was referring to the incident as a "sophisticated cyberattack". Approximately 1500 companies are currently dealing with ransomware as a result of the supply-chain attack, with ransom demands ranging from tens of thousands to millions of dollars. One victim is Coop, one of Sweden's largest supermarket chains, which was forced to temporarily shut down 800 of its physical stores after the attack. Impacted businesses may take weeks to fully recover, depending on whether usable backups are available. Kaseya is offering a free detection tool that customers can run to check their networks and computers for indicators of compromise.
REvil has offered to release a universal decryption key if someone pays $70 million in bitcoin, the highest sum ever demanded by ransomware operators.
Kaseya was in the process of patching the vulnerability when the attack happened
Kaseya was aware of the vulnerability in question and was in the process of patching it when the attack occurred. The company had been informed of the flaw by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), but the REvil gang managed to exploit it before a patch reached customers.
Victor Gevers, Head of Research at DIVD, notes that Kaseya was not delaying the patch and was, in fact, very cooperative.
“Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” Gevers said in a statement.