05.07.2021

Ransomware spread using Kaseya-VSA

On Friday, July 2, it became known that some VSA servers of the security software provider Kaseya had spread ransomware via a hijacked software update. Kaseya has already published information about the potential attack on its VSA software and has shut down the cloud-based version for this reason. Despite these immediate measures, the attackers were able to compromise up to 40 Kaseya customers.

What happened?

The Russian hacker group “REvil” carried out the ransomware attack by means of a supply chain attack, i.e. by tampering with the software supply chain. This allowed them to compromise a large number of Kaseya installations and deploy ransomware into the IT environments of MSP customers. The affected victims are small to medium-sized companies. As a result of the attack, affected customers have suffered major data loss, and in some cases their computers have become completely unusable.

As a consequence of this attack, large companies in Sweden such as Coop, St1 Energy and Swedish Railways were affected. Millions of people were at times unable to pay for food, gasoline, medicine or even train tickets with cash.

What can you do to protect yourself?

We recommend that all vendors using Kaseya VSA software in their infrastructure shut down their VSA servers immediately. All on-premises VSA servers should remain offline until you receive further instructions from Kaseya.
SaaS and hosted VSA servers will be brought back into service once Kaseya determines that it is safe to restart the systems.
Customers can request a new Compromise Detection Tool from Kaseya by sending an email to support@kaseya.com with the subject “Compromise Detection Tool Request.”

Kaseya emphasizes that simply patching the affected server is not enough:

  1. Take the VSA server offline until the patches are applied
  2. Keep backups for critical systems

If you have any questions, please feel free to contact Perseus Emergency Assistance.