Globally, a new ransomware attack hit thousands of organizations that use a remote management tool called Kaseya. The extent of the attack is just now becoming apparent, and the scope continues to grow.

Who is attacking and how?

The REvil ransomware gang, based in Russia, launched the attack. REvil used a sophisticated chain of exploits that included a vulnerability in the Kaseya VSA (virtual system administration) tool. Managed IT service providers (MSPs) that use the VSA tool then unknowingly distributed the compromised version of the tool to their customers. REvil then had an open door into those customer networks and launched ransomware attacks. This was a very fast attack, not designed to carefully extort targeted victims, but rather to maximize the criminals’ return through scale and automation. Because of that, the damage has so far been limited.

What steps should we take?

The basic guidance has been to shut off the VSA tool on all computers where it is installed and wait for the fixed version to be deployed (ETA still TBD). Kaseya has also released a tool that will search for compromised versions of the agent. Network flow and firewall records should be searched for suspicious outbound connections from systems with the VSA installed. DHS/CISA and the FBI have published a list of indicators, and network traffic and systems should be searched for those indicators.


Could we have prevented this?

This attack utilized what is known as a “zero-day” vulnerability, which means there was no update or patch available at the time the attack was identified as underway, so it could not have been prevented by tools that detect “known” malware. Network monitoring and analysis may identify anomalous behaviour, but only after the fact, with the extortion already underway.

If nothing has happened so far, are we okay?

If an organization was compromised using the VSA tool, criminals could have installed other tools for future access, and possibly on other systems inside the network. Organizations must still monitor very closely for signs of an attack in the coming weeks, as well as prepare to minimize the impact if one occurs.

If we don’t use Kaseya, are we okay?

This attack only impacts Kaseya users, but since this is the second time REvil has gotten into networks through third-party software updates, all organizations should treat software-update channels as a future avenue of attack and prepare accordingly.

What we will do going forward

  • Review backups to ensure their availability and integrity.
  • Prepare duplicates of critical operational servers and keep them disconnected from the network; review incident response plans, insurance coverage, and the availability of external resources.
  • Obtain all indicators being distributed and search logs and network traffic for them; run the Kaseya identification tool on systems where the agent is installed.
  • Monitor media and government sources for new information, and set up an assessment for you through Mid-Range.
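The indicator search described under “What steps should we take?” and in the list above is routine enough to script. The following is an added example, not code from Mid-Range, Kaseya, or the DHS/CISA and FBI advisory. Every value in it is constructed for illustration: the indicator addresses are RFC 5737 test-range addresses, the VSA host inventory and the firewall log lines are made up, and the key=value log format is an assumption. Real indicators are taken from the published advisory and pasted into the `INDICATORS` set; real host lists come from the MSP’s asset inventory. The script flags two things: any line whose destination or DNS query matches a published indicator (whether or not the firewall allowed it, since a denied attempt still shows the host tried), and any outbound connection from a VSA host to an address outside the organization’s own ranges, which is the “suspicious outbound connections” review the guidance calls for.

```python
"""Scan firewall / flow log lines for published indicators and for outbound
connections from hosts that have the VSA agent installed.

Added example; not code from Mid-Range, Kaseya, or the CISA/FBI advisory.
Every indicator, host address and log line below is constructed for
illustration (RFC 5737 test ranges), not a real indicator of compromise.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator set, in the shape a published list takes.
# Real values are copied from the advisory, never from this file.
INDICATORS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
}

# Constructed inventory of hosts where the Kaseya VSA agent is installed
# (assumption: exported from the MSP's asset list).
VSA_HOSTS = {"10.0.5.21", "10.0.5.22", "10.0.9.3"}

# The organisation's own address space; anything else counts as external.
# Listed explicitly rather than via ipaddress.is_private, which also treats
# the RFC 5737 documentation ranges used above as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines in a simple "timestamp key=value ..." format.
SAMPLE_LOG = """\
2021-07-03T14:02:09Z action=allow src=10.0.5.21 dst=10.0.1.53 dport=53 proto=udp query=update-check.example.net.
2021-07-03T14:02:11Z action=allow src=10.0.5.21 dst=203.0.113.45 dport=443 proto=tcp
2021-07-03T14:02:15Z action=allow src=10.0.7.8 dst=203.0.113.45 dport=443 proto=tcp
2021-07-03T14:03:40Z action=allow src=10.0.5.22 dst=192.0.2.10 dport=80 proto=tcp
2021-07-03T14:04:02Z action=deny src=10.0.9.3 dst=198.51.100.7 dport=8443 proto=tcp
2021-07-03T14:05:17Z action=allow src=10.0.5.22 dst=10.0.1.5 dport=445 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Split a 'ts key=value ...' line into a dict; the timestamp goes under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_internal(ip):
    """True if the address falls inside one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan_log(log_text, indicators=INDICATORS, vsa_hosts=VSA_HOSTS):
    """Return one Hit per line that matches an indicator or needs review.

    Indicator matches are reported regardless of the firewall verdict: a
    denied attempt to reach a listed address still shows the host tried.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        f = parse_line(line)
        src, dst = f.get("src"), f.get("dst")
        if not src or not dst:
            continue
        query = f.get("query", "").rstrip(".")  # strip trailing dot of an FQDN
        if query and query in indicators["domain"]:
            hits.append(Hit(n, f["ts"], src, dst, f"DNS query for indicator domain {query}"))
        elif dst in indicators["ipv4"]:
            hits.append(Hit(n, f["ts"], src, dst, "destination is an indicator address"))
        elif src in vsa_hosts and not is_internal(dst):
            hits.append(Hit(n, f["ts"], src, dst, "outbound from VSA host to external address; review"))
    return hits


def summarize(hits):
    """Count hits per reason and per source host, to prioritise triage."""
    return {
        "by_reason": dict(Counter(h.reason for h in hits)),
        "by_src": dict(Counter(h.src for h in hits)),
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no} {h.timestamp} {h.src} -> {h.dst}: {h.reason}")
    print(summarize(found))
```

On the constructed sample this reports five lines: the DNS lookup of the indicator domain, three connections to indicator addresses (including the denied one from 10.0.9.3), and one allowed external connection from a VSA host that is not itself an indicator match but should be reviewed. The per-source summary shows which hosts to look at first; a host appearing under more than one reason is the natural starting point for the closer monitoring the page recommends in the weeks after the attack.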
