Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->

Cyberattack on Kaseya Nets More Than 1,000 Victims, $70M Ransom Demand

The provider of remote monitoring and management services warns customers to not run its software until a patch is available and manually installed.

A massive supply-chain ransomware attack targeting managed service providers (MSPs) who use the Kaseya Virtual System Administrator (VSA) has left data at more than 1,000 companies encrypted and the attackers demanding $70 million in ransom.

The attack—which the REvil ransomware group launched on July 2, just before the US holiday weekend—exploited multiple vulnerabilities, including a zero-day flaw that was in the process of remediation, according to security firms. REvil, a ransomware-as-a-service group, claims that more than a million systems were compromised and encrypted, and posted a ransomware demand to its blog on Sunday, July 4, saying if it receives the $70 million ransom payment, it will publicly publish the decryptor.

Related Content:

Customers of 3 MSPs Hit in Ransomware Attacks

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

The attack underscores the danger that weaknesses in  business supply chains pose to companies, Adam Meyers, senior vice president of CrowdStrike Intelligence, said in a July 3 statement sent to Dark Reading. 

"Make no mistake, the timing and target of this attack are no coincidence," he said. "It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down. What we are seeing now in terms of victims is likely just the tip of the iceberg."

Kaseya and other remote monitoring and management (RMM) providers are ideal targets for attacks, because the software is used by managed service providers and any compromise not only encrypts systems at those firms, but also at their clients' businesses. 

Estimates of the number of victims varied between about 30 managed service providers, according to Huntress Labs, and "fewer than 60 Kaseya customers," according to Kaseya. Yet, the actual impact is much broader, with Huntress Labs estimating more than 1,000 business have been affected, and Kaseya estimating "fewer than 1,500 downstream businesses."

Security firm Kaspersky has detected more than 5,000 attack attempts spread out over 22 countries, the company stated. While the company does not explicitly define "attack attempt," the statistic likely represents attempts to install one of the components of the ransomware at already-compromised businesses as part of the attack chain. Italy topped the list of nations, accounting for more than 45% of attempted ransomware attacks associated with the Kaseya operation, with the United States and Columbia taking the next two positions with about 26% and 15% of the share, respectively.

Kaseya warned MSPs to shut down its software until further notice. 

"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations," Kaseya stated in its latest advisory on the issues. "A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized."

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released guidance for companies, including ensuring backups are up-to-date and moving them to an easily retrievable, off-site location unconnected to the network. In addition, companies should go back to a manual patch management process to shore up defenses, CISA stated. The agency linked to the Kaseya VSA Detection Tool, urging affected MSPs to use the tool to check their systems for signs of the attack.

"CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices," the advisory stated. "Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack."

The attack most likely made use of a zero-day vulnerability in Internet-facing Kaseya VSA servers that many managed service providers installed on premise, according to cybersecurity firm Sophos. This, in turn, gave the attackers access to the systems of the MSPs' clients.

"As Kaseya is primarily used by Managed Service Providers (MSPs) this approach gave the attackers privileged access to the devices of the MSP’s customers," the company said. "Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks. As such, it has a high level of trust on customer devices."

While the investigation into the incident and response to the widespread attack are ongoing, the Dutch Institute for Vulnerability Disclosure (DIVD) has reported that the number of suspected Kaseya VSA instances accessible from the Internet has plummeted from over 2,200 to 140. The DIVD also revealed that a researcher associated with the group, Wietse Boonstra, had "previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks."

DIVD supported Kaseya's response to the attack, saying that the company responded quickly to their disclosure and worked diligently to produce a patch. 

"During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched," the group stated in its latest update. "They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."

Holiday Hack

The attack coincided with US Independence Day, a long weekend, leaving many companies scrambling. A number of other major attacks have been attributed to REvil, also known as Sodinokibi, such as the attack on JBS USA Holdings, which paid an estimated $11 million to recover its data and systems. In addition, the US government blamed REvil for the attack on local governments and agencies in the state of Texas almost two years ago, which also appears to have involved at least one managed service provider.

Such attacks will continue as long as supply-chain vulnerabilities are easy to exploit, CrowdStrike's Meyers said. 

"The continued success of large software supply chain attacks provides an ominous outlook for organizations of all sizes as threat actors observe how profitable and wide ranging they can be," he said. "Organizations must understand that these headlines are no longer warnings, but are a reality of what is in their future if they have not established a mature cybersecurity strategy."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...