Kaseya is focused on shrinking this time frame to the minimal possible – but if there are any issues found during the spin-up of SaaS, they want to fix them before bringing their on-premises customers up.
The On-Premises patch timeline is 24 hours (or less) from the restoration of SaaS services. The current estimate for bringing SaaS servers back online is July 6th between 4:00 PM – 7:00 PM EDT. Process for bringing SaaS and on-premises customers back online: VSA is the only Kaseya product affected by the attack and all other IT Complete modules are not impacted. Kaseya has had no new reports filed of compromises for VSA customers since Saturday July 3rd. Kaseya has not found evidence that any of their SaaS customers were compromised. Many of these customers provide IT services to multiple other companies Kaseya is aware of fewer than 60 Kaseya customers - all using the VSA on-premises product - who were directly compromised by this attack. Kaseya is sharing information in an Incident Overview & Technical Details document The ransomware is being widely attributed to the REvil gang. The hackers who claimed responsibility for the breach have demanded $50 million for a universal decryptor to reportedly restore all the affected businesses' data encrypted in over 1,000,000 systems.
About a dozen different countries have had organizations affected by the breach in some way, according to research published by cybersecurity firm ESET Kaseya is also cooperating with federal law enforcement to ensure that they have the information they need to investigate this attack.Īlthough most of those affected have been small offices - like dentists' offices or accountants’ - the disruption has been felt in Sweden, where hundreds of supermarkets had to close because their registers were inoperative and New Zealand, where 11 schools and kindergartens were knocked offline. Mandiant was engaged to investigate the incident and assess the manner and impact of the attack.
There is no evidence that Kaseya’s VSA codebase has been maliciously modified. The VSA procedure used to deploy the encryptor was named "Kaseya VSA Agent Hot-fix”. This is configurable within HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaseya\Agent\. However, the ransomware affiliate behind the attack obtained the zero-day's details and exploited it to deploy the ransomware before Kaseya could start rolling a fix to VSA customers.Īccording to Huntress, ransomware encryptors were dropped to Kaseya's TempPath with the file name agent.exe (c:\kworking\agent.exe by default). Kaseya was in the process of patching the zero-day vulnerability reported privately by researchers.
VSA is an RMM (Remote Monitoring and Management) software commonly used by MSPs to manage clients’ networks. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. The attackers were able to exploit a zero-day vulnerability (CVE-2021-30116) in the VSA product to bypass authentication and run arbitrary command execution.
One of Kaseya’s tools, the Virtual System Administrator (VSA), was subverted on Friday July 2nd, allowing ransomware actors to paralyze hundreds of businesses on five continents. Kaseya provides software tools to Managed Services Providers (MSPs) that typically handle IT and back-office work for companies too small or modestly-resourced to have their own departments. *A GRF Special Briefing webinar will be held on 7.7.21.