Kaseya, provider of remote management and monitoring software, released a patch on July 11 to fix a vulnerability in its server that the Russia-linked REvil group exploited nine days earlier to launch a ransomware attack against managed service providers and their clients.
While 95% of its cloud-based customers have been returned to service, the attack continues to affect Kaseya customers and clients. Some companies continue to struggle as others have begun returning to some semblance of normal business.
La Plata, Maryland-based JustTech, which provides technology services to more than 3,000 customers in six states and Washington DC, had about 100 customers go "completely down" on July 2, says founder and president Joshua Justice. The town offices of two JustTech clients, in North Beach and Leonardtown, Maryland, have acknowledged they were affected in the attack. While the company had clean backups from the morning of the attack, it had no way to easily transfer backups to clients.
So Justice rallied his non-technical employees to ferry hard drives from the company's data centers to those clients' offices. He estimates the work will be done today.
"We had plans to bring clients back and fully recover from situations such as this, but never envisioned we would need to do everyone at once," he says. "As client data is transferred from our secure data centers to hard drives, non-IT JustTech team members have been runners of clients' data and taken the hard drives to a client's location to meet a JustTech IT team member for reinstallation."
JustTech is a single customer of Kaseya and accounts for 100 affected organizations. This suggests if 30 to 70 Kaseya customers were affected, as current estimates indicate, the number of downstream businesses could easily exceed the 1,500 to 2,000 total organizations estimated to be affected. Danish managed service provider VelzArt, for example, reportedly had 200 to 300 clients affected by the attack. Kaseya reportedly estimated about 70% of its affected customers were managed service providers, a fact that could have a significant multiplicative affect on the total number of businesses impacted.
The remaining 30% are Kaseya users such as Virginia Tech, which ran an on-premise version of the vulnerable Virtual Server Administrator (VSA) server. The university does not have downstream clients, but the attack did result in about 600 systems being encrypted with ransomware, according to a local news account.
Dutch technology service provider Hoppenbrouwers Techniek also revealed that about 1,500 to 2,000 systems had likely been impacted. The company required employees to bring their system into the office to have technicians reinstall the operating system and restore data. It's unclear whether the itss business clients were also affected.
Kaseya released a patch for the standalone servers on Sunday then worked throughout the day and night to patch its cloud service, which has more than 30,000 customers.
"As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target," the company stated in a 3 AM ET post on Monday, July 12. "The restoration of services is progressing, with 95% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours."
The company faced renewed scrutiny this weekend following reports that employees had previously brought significant security issues to the attention of executives. In 2019, an employee provided Kaseya with a 40-page memo outlining security concerns, Bloomberg reported on July 10. The employee was subsequently fired, the report stated.
Kaseya also reportedly moved a significant amount of development to Belarus, a country with close ties to Russia and recently the focus of an outcry after it diverted a Ryanair flight to arrest a journalist.
The ransomware attack has divided victims into two camps: Those organizations with good backup procedures and those without. Swedish grocery store chain Coop reopened its stores last week after the attack took down stores' payment systems. The company quickly scaled up its own payment system from a pilot to more than 300 stores.
"Coop has made large IT and security investments in recent years, but we can state that we need to do more," officials said in a statement (translated via Google). "This is an attack on society at large, and not just Swedish society, and also rare in its kind in its size."
Not all businesses had complete backups of their systems, Danish MSP VelzArt reported. The service provider stated on July 8 that all servers, server-connected workstations, and companies with backups have recovered their data, but that many remote workers did not have backups and will not be able to recover their data.
The only hope, the company wrote in its blog (translated via Google) is for the keys to be recovered.
"Previous large-scale ransomware attacks have shown that in some cases there is eventually a key that can undo the encryption — it is not clear at the moment whether this key will be released and when," the company reported. "Given the fact that many companies in a country such as America have been affected, we hope for this, but perhaps against the better. We don't know about this either, unfortunately."