A ransomware gang has encrypted the files of more than 200 businesses after compromising a remote IT monitoring and management tool as part of a supply chain attack.

Enterprises running Kaseya VSA remote monitoring and management tools should shut down the servers running the service immediately, Fred Voccola, CEO of IT company Kaseya, said in a warning posted on Friday. It is not yet known how the attackers compromised the tool, or how widespread the attack is.

Attackers behind the ransomware attack are disabling administrative access to VSA once they have access to the victim network, complicating efforts to contain and remove the ransomware.

The company shut down the servers for the software-as-a-service version of its tool as a precautionary measure, despite not having received any reports of a compromise affecting SaaS and hosted customers. The company said SaaS and hosted VSA servers “will become operational once Kaseya has determined that we can safely restore operations.”

The attack against Kaseya’s systems is the latest in a series of recent attacks against critical infrastructure and manufacturing companies across the United States: Colonial Pipeline, Molson Coors, and JBS. Data is the lifeblood of a modern company; when ransomware encrypts its files and makes them inaccessible, it brings the company to a standstill. Ransomware has been around for years but has surged recently, with nearly 2,400 governments, health-care systems, and schools in the country hit by ransomware in 2020, according to the Ransomware Task Force.

The gang behind the attack, REvil, is the same one the Federal Bureau of Investigation said hit JBS a few weeks ago. Here’s a breakdown of the supply chain ransomware attack against Kaseya VSA and what it means for enterprises.

Organizations running Kaseya VSA in their networks should shut down those servers immediately. A patch will be required to be installed prior to restarting VSA, Kaseya said. “All on-premise VSA servers should continue to remain down until further instructions from Kaseya about when it is safe to restore operations,” the company said in its latest update. The company said in an earlier update that it believes it has identified the source of the vulnerability and is developing and testing a security patch to mitigate the issue.

Sophos has also released a detailed guide for potential victims to figure out if they are under attack.

Isn’t shutting down the servers a little excessive?

The Cybersecurity and Infrastructure Security Agency doesn’t think so. “CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers,” the agency said in a National Cyber Awareness System alert.

What does the attack look like?

No one knows at this time how the attackers compromised Kaseya’s VSA, but the REvil ransomware appears to be entering customer networks via a Kaseya update and spreading to all connected client systems via VSA’s internal scripting engine. That blast radius is what makes a compromised RMM server so dangerous: the tool is designed to push scripts and software to every managed endpoint with administrative privileges, so whoever controls the server can deploy code to all of those machines at once. Independent security firm Huntress Labs told Reuters the attack has “the potential to spread to any size or scale business.”