REvil ransomware attacks systems using Kaseya's remote IT management software

Ransomware attackers used Kaseya, a platform that allows remote management of IT services, to deliver their payload just in time for the holiday weekend. Mark Loman, Sophos' director and ethical hacker, tweeted about the attack earlier today. Reports now state that affected systems will need to be unlocked for $44,999. Kaseya has a note urging customers to immediately shut down their VSA servers, because the attacker first shuts down administrative access to the VSA.

"News Flash: Cybercriminals are a$$holes. Remember all Incident Response teams as they are in the thicket of it again this holiday weekend. You should close Kaseya VSA until instructed to reactivate it and start IR. Here's the binary: https://t.co/NIuGJZW84p http://t.co/GSXPlOPjFt" (Chris Krebs, @C_C_Krebs, July 2, 2021)

Bleeping Computer reports that the attack hit six large MSPs and encrypted data for up to 200 companies.

Kevin Beaumont, from DoublePulsar, has provided more information about the attack. REvil ransomware arrived via a Kaseya update and used the platform's administrative privileges to infect systems. Once managed service providers are infected, the attackers can reach the clients who use their remote IT services (network management, system upgrades, backups, etc.).

Kaseya stated to The Verge that it is investigating a possible attack on the VSA. Fred Voccola, Kaseya CEO, said that a patch has been prepared and estimated that fewer than 40 MSPs are affected.

The REvil ransomware gang is suspected in today's attack. The group was already linked to attacks against Acer and meat supplier JBS earlier in the year. The Record also notes that the gang may have collected incidents under multiple names, making this the third time Kaseya has been used as a vector for their exploits.

Kaseya's statement, from CEO Fred Voccola:

"Kaseya's Incident Response Team discovered a possible security incident with our VSA software on Friday, July 2, 2021 at around noon (EST/US). As a precaution, we immediately shut down all SaaS servers. We had not yet received any reports of compromise from hosted or SaaS customers. We also immediately notified on-premises customers by email, in-product notices and phone. This was to prevent any potential security incidents. To determine the extent of the incident, and to notify our customers affected, we followed our standard incident response procedure. To determine the root cause, we engaged our own incident response team as well as industry experts to conduct forensic investigations. We also notified law enforcement agencies and government cybersecurity agencies such as the FBI and CISA. Although early indicators indicated that only a few customers on-premises were affected, we decided to take a more conservative approach to shutting down SaaS servers in order to protect our 36,000 customers. Our customers have been very happy with our prompt and proactive response. Although our investigation continues, we believe that none of our SaaS customers are at risk. Once we confirm that they are safe, we will restore service to them. We estimate that fewer than 40 customers worldwide were at risk. We have found the source of the vulnerability. A patch will be prepared to address it for customers on-premises. This patch will be thoroughly tested. To get customers up and running again, we will release the patch as soon as possible. It is a proud moment to say that the team had a plan and was able to execute it perfectly today. The vast majority of our customers reported that they had no problems. I am thankful to the industry partners, our outside experts and our internal teams for their help in bringing this about. Kaseya's commitment to putting customers first and providing the best support for their products is evident in today's actions."

Update July 2, 2010, 10:40 ET: Kaseya CEO has added a statement.
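The advice above, from both Kaseya and Chris Krebs, is to take VSA offline until Kaseya says it is safe to reactivate, and to start incident response. The following PowerShell script is an added example for on-premises Windows administrators, not code from the article, from Kaseya or from any of the researchers quoted. It assumes that Kaseya components register Windows services whose name or display name contains "Kaseya" (the exact service names are not given in the article, so the script matches on that pattern rather than on specific names). By default it only inventories and records what is present, which is useful for the IR timeline; passing -Stop stops the matching services and disables them so they do not restart at boot.

```powershell
<#
  Added example (not from the article, Kaseya or the quoted researchers).
  Inventory, and optionally stop, Kaseya-named Windows services on this host
  while the July 2021 "shut down VSA" advisory is in effect.

  Assumption: Kaseya components register services whose Name or DisplayName
  contains "Kaseya". Service names are not stated in the article, so the
  script matches on that pattern instead of hard-coding names.
#>
param(
    [switch]$Stop   # only change service state when explicitly requested
)

# Find every service that looks like a Kaseya component.
$kaseyaServices = Get-Service |
    Where-Object { $_.DisplayName -like '*Kaseya*' -or $_.Name -like '*Kaseya*' }

if (-not $kaseyaServices) {
    Write-Output "No Kaseya-named services found on $env:COMPUTERNAME"
    return
}

# Record what was present and in what state before touching anything,
# so the IR team has a timestamped baseline for this host.
$report = $kaseyaServices | Select-Object Name, DisplayName, Status, StartType
$report | Format-Table -AutoSize
$csvPath = Join-Path $env:TEMP ("kaseya-services-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
$report | Export-Csv -Path $csvPath -NoTypeInformation
Write-Output "Baseline written to $csvPath"

if ($Stop) {
    foreach ($svc in $kaseyaServices) {
        if ($svc.Status -eq 'Running') {
            Write-Output "Stopping $($svc.Name) ($($svc.DisplayName))"
            Stop-Service -Name $svc.Name -Force
        }
        # Keep the service down across reboots until Kaseya instructs
        # customers to reactivate VSA.
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output "Disabled startup for $($svc.Name)"
    }
}
```

Run it in an elevated session; without -Stop it is read-only. Stopping the VSA components halts the delivery channel described in the article but does nothing about a payload that has already landed, so the CSV baseline is a starting point for the IR work, not the end of it.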