Globally, a new ransomware attack hit thousands of organizations that use a remote management tool called Kaseya. The extent of the attack is just now becoming apparent, and the scope continues to grow.

Who is attacking and how?

The REvil ransomware gang, based in Russia, launched the attack. REvil used a sophisticated chain of exploits that included a vulnerability in the Kaseya VSA (virtual system administration) tool. Managed IT service providers (MSPs) that use the VSA tool then unknowingly distributed the compromised version to their customers. REvil then had an open door into those customer networks and launched ransomware attacks. This was a very fast attack, not designed to carefully extort targeted victims, but rather to maximize the criminals’ return using scale and automation. Therefore, the damage has been limited.

What steps should we take?

The basic guidance has been to shut off the VSA tool on all computers where it is installed and wait for the fixed version to be deployed (ETA still TBD). Kaseya has also released a tool that will search for compromised versions of the agent. Network flow and firewall records should be searched for suspicious outbound connections from systems with the VSA installed. DHS/CISA and the FBI have published a list of indicators, and network traffic and systems should be searched for those indicators.


Could we have prevented this?

This attack utilized what is known as a “zero-day” vulnerability, which means there was no update or patch at the time the attack was identified as underway, and therefore could not have been prevented through tools that detect “known” malware. Network monitoring and analysis may identify aberrational behaviour, but this would be after the fact, with the extortion already underway.

If nothing has happened so far, are we okay?

If an organization was compromised using the VSA tool, criminals could have installed other tools for future access, and possibly on other systems inside the network. Organizations must still monitor very closely for signs of an attack in the coming weeks, as well as prepare to minimize the impact if one occurs.

If we don’t use Kaseya, are we okay?

This attack only impacts Kaseya users, but since this is the second time REvil has gotten into networks through third-party software updates, all organizations should see this as a future avenue of attack and prepare.

What we will do going forward

  • Review backups to ensure their availability and integrity.
  • Prepare duplicates of critical operation servers and disconnect them from the network, and review incident response plans, insurance coverage, and the availability of external resources.
  • Obtain all indicators being distributed and search for those indicators in logs and network traffic, including with the Kaseya identification tool.
  • Monitor media and government sources for information and set up an assessment through Mid-Range for you.
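The two search tasks above (outbound connections from VSA hosts, and matches against the published indicator list) can be done with a small script over exported flow or firewall records. The example below is added here and is not Mid-Range's or Kaseya's code; the host inventory, the internal address ranges, the indicator values and the log lines are all constructed placeholders, since this page does not reproduce the DHS/CISA and FBI indicators.

```python
import ipaddress
from typing import Iterable

# Constructed inventory (hypothetical): internal hosts where the VSA agent is installed.
VSA_HOSTS = {"10.0.5.21", "10.0.5.22"}

# Internal ranges for this (hypothetical) network; anything outside them is "outbound".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder indicators, constructed for this example. Replace with the values from the
# published DHS/CISA and FBI indicator list before running against real records.
INDICATOR_IPS = {"203.0.113.45"}
INDICATOR_DOMAINS = {"bad-example.invalid"}

# Constructed firewall/flow records: timestamp src dst dport host-or-SNI ("-" if none).
SAMPLE_LOG = """\
2021-07-02T14:01:09 10.0.5.21 203.0.113.45 443 -
2021-07-02T14:01:12 10.0.5.21 10.0.1.5 445 -
2021-07-02T14:02:40 10.0.5.22 198.51.100.7 443 bad-example.invalid
2021-07-02T14:03:01 10.0.9.9 203.0.113.45 443 -
2021-07-02T14:05:55 10.0.5.22 198.51.100.80 8080 -
"""


def is_outbound(dst: str) -> bool:
    """True when the destination is outside the defined internal ranges."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious(lines: Iterable[str], known_external: frozenset = frozenset()) -> list:
    """Flag outbound flows from VSA hosts that hit an indicator or an unbaselined destination.

    known_external is the set of external destinations the VSA hosts are expected to reach;
    everything else outbound from those hosts is reported for review (aberrational behaviour).
    """
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, host = line.split()
        if src not in VSA_HOSTS or not is_outbound(dst):
            continue  # only outbound connections from systems with the VSA agent matter here
        if dst in INDICATOR_IPS or host.lower() in INDICATOR_DOMAINS:
            reason = "matches published indicator"
        elif dst not in known_external:
            reason = "external destination not in baseline"
        else:
            continue
        flagged.append({"time": ts, "src": src, "dst": dst, "port": int(dport), "host": host, "reason": reason})
    return flagged
```

Indicator matches warrant immediate isolation of the host; baseline misses are the list to triage for the tools an intruder may have left behind for later access.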
