Kaseya VSA in supply chain attack

Kaseya Clients Encrypted

This US Independence Day weekend, technology solutions provider Kaseya advised that they had been the target of a "sophisticated cyberattack".

This attack impacted users of the on-premise version of the Kaseya VSA patch management tool, with end users reporting that an automatic update of VSA infected them with the REvil ransomware.

All on-premise Kaseya VSA servers should be turned off and remain offline until further notice

The cyber-breach looks to have been timed for maximum disruption as it emerged on Friday afternoon when companies across the US were clocking off for the long Independence Day weekend.

Kaseya are describing the infiltration of their VSA product as "localized to a very small number of on-premises customers only", advising that "all on-premises VSA Servers should continue to remain offline until further instructions".

Outside cybersecurity experts at FireEye are now working alongside Kaseya and advise that customers who received ransomware communications from the attackers should not click on any links, as they may be weaponized.

Kaseya has made a Compromise Detection Tool available to check your network for indicators of compromise (IoCs). You can find the tool on their website or request it by emailing support@kaseya.com with the subject "Compromise Detection Tool Request".

Fred Voccola, CEO of Kaseya, interviewed on July 4th, said: "We are confident we know how it happened and we are remediating it". Kaseya has engaged with the FBI and DHS and is working with them on an incident-handling process for its worldwide customers impacted by the cyberattack.

If you believe your systems have been compromised as a result of the Kaseya ransomware incident, shut down your VSA servers immediately and report the compromise to the relevant authorities (the NCSC in the UK).

The UK's National Cyber Security Centre said: "We are aware of a cyber incident involving Kaseya, and we are working to fully understand its impact. Ransomware is a growing, global cyber threat, and all organisations should take immediate steps to limit risk and follow our advice on how to put in place robust defences to protect their networks".

The case highlights the growing concern in the cyber-security world about so-called supply chain attacks, in which hackers claim multiple victims by compromising a single supplier they all depend on.

REvil (also known as Sodinokibi) is one of the most prolific and profitable cyber-criminal groups in the world. It recently paralysed operations at JBS, the world's largest meat supplier, netting an $11M ransomware payment, and last year hit British clothing brand FCUK and foreign-exchange company Travelex.

They typically demand a ransom which, like a parking fine, doubles if not paid within a week. The group sometimes threatens to post stolen documents on its website, known as the "Happy Blog", if victims don't comply with its demands.

In a supply chain attack, hackers target a company earlier in the supply chain, either because it is less protected than the eventual target or, as in the Kaseya case, because compromising a possibly harder target lets them reach multiple end users in a single attack.

Examples include retail behemoth Target being breached via its air-conditioning supplier, an easier target, and, more like this Kaseya incident, the NotPetya attack, which infected the ubiquitous Ukrainian accounting package MEDoc and through it a large number of companies operating in the country.

No IT Genie client was impacted by this attack

If you are worried about ransomware then watch our "7 critical actions to stop ransomware hitting your business" video: https://itgenie.com/webinar-ransomware/

Used with permission from Article Aggregator