Ransomware spread using Kaseya-VSA

Threat Alert

On Friday, July 2, it became known that some VSA servers of security software provider Kaseya had spread ransomware via a hijacked software update. Kaseya has already issued a notice about the potential attack on its VSA software and has shut down the cloud-based version as a precaution. Despite these immediate measures, hackers were able to attack up to 40 Kaseya customers.


What happened?

The Russian hacker group “REvil” carried out the ransomware attack as a supply chain attack, i.e. a compromise of the software supply chain. This enabled them to reach a large number of Kaseya installations and install ransomware in MSP customers’ IT environments. The affected victims are small to medium-sized businesses. The attack caused major data loss at affected customers, and in some cases the computers have become completely unusable.
Large companies in Sweden such as Coop, St1 Energy and Swedish Railways were also affected by the hack. Millions of people were unable to pay for food, gasoline, medicines, or even train tickets with cash.

What can you do to protect yourself?

We recommend that all providers running the Kaseya VSA software on their infrastructure shut down their VSA servers immediately. All on-premises VSA servers should remain offline until you receive further instructions from Kaseya.
SaaS and hosted VSA servers will be brought back online once Kaseya determines it is safe to bring the systems back up.
Customers can request a new Compromise Detection Tool from Kaseya VSA by sending an email to support@kaseya.com with “Compromise Detection Tool Request” in the subject line.

Kaseya stresses that patching the affected server is not enough:

  1. Take the VSA server offline until patches are applied
  2. Keep backups for critical systems

If you have any questions, please feel free to contact Perseus Emergency Response.