Kaseya ransomware attackers demand $70 million, claim they infected over a million devices

Three days after the ransomware attack on Kaseya VSA began, we now know how widespread it has been. The attackers demand $70 million to unlock the affected computers.

Managed service providers use Kaseya's software to remotely perform IT tasks. However, on July 2, the Russia-linked REvil ransomware organization released a malicious update that exposed providers and clients who use the platform.

The Dutch Institute for Vulnerability Disclosure (DIVD) revealed that the exploit used for the attack was the same one it had discovered and was working to fix when the attackers struck. DIVD stated: "We were already conducting a wide investigation into the vulnerabilities of backup and system administration tools. Kaseya VSA is one of the products that we are currently investigating. We found severe flaws in Kaseya VSA, and we reported them to Kaseya. Since then, we have maintained regular contact with Kaseya."

Fred Voccola, Kaseya CEO, stated Friday that only a small number of customers were affected by the ransomware attack. This was one of the most extensive criminal ransomware attacks Sophos has ever witnessed. Our evidence indicates that over 70 managed service providers were affected, which in turn led to more than 350 additional impacted organizations. We anticipate that the true scope of victim organizations will be greater than reported by any security company.

Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, responded to President Biden's earlier comments. She stated that the FBI and CISA would reach out to identified victims to offer assistance based on an assessment of national security risk.

Huntress Labs participated in the response and has cataloged all the information available. It claims that the attack compromised more than 1,000 businesses it tracks.

Huntress, Sophos and other ransomware experts pointed to the post on REvil's Happy Blog. It claimed that over a million devices were infected, and demanded $70 million in Bitcoin as ransom to unlock them all. REvil is linked to several ransomware attacks, including an attack on Kaseya in June 2019 and an earlier incident that targeted meat supplier JBS. Security researcher Marcus Hutchins expressed doubt about the group's claims, saying that they might be exaggerating the impact in order to extract a large payment from Kaseya or another party.

Coop is the company most affected by the attack. This chain includes over 800 grocery shops in Sweden. Coop closed its doors on Saturday after the attack. Coop's website states that stores where customers can use Coop's Scan & Pay app to shop have reopened, while other locations remain closed. Experts predict that more victims will be discovered in the US on Tuesday, when workers return to work.

Kaseya's SaaS cloud servers remain offline three days after the attack. According to the company, it will update customers with a timeline for server restoration by this evening. It will also provide more technical details about the attack to aid in recovery efforts by security researchers and customers.