A new ransomware attack has hit thousands of organizations worldwide that use Kaseya VSA, a remote monitoring and management tool. The extent of the attack is only now becoming apparent, and the scope continues to grow.

Who is attacking and how?

The REvil ransomware gang, based in Russia, launched the attack. REvil used a sophisticated chain of exploits that included a vulnerability in Kaseya's VSA (Virtual System Administrator) tool. Managed IT service providers (MSPs) that run VSA then unknowingly distributed the compromised update to their customers' systems, giving REvil an open door into those customer networks, where it launched ransomware. This was a very fast attack, designed not to carefully extort individually targeted victims but to maximize the criminals' return through scale and automation. Because victims received that automated treatment rather than tailored follow-on attention, the damage so far has been limited.

What steps should we take?

The basic guidance has been to shut down the VSA tool on every system where it is installed and wait for the fixed version to be deployed (ETA still TBD). Kaseya has also released a detection tool that searches for compromised versions of the agent. Network flow and firewall records should be searched for suspicious outbound connections from systems with VSA installed. DHS/CISA and the FBI have published a list of indicators of compromise, and network traffic and systems should be searched for those indicators.

Could we have prevented this?

This attack used what is known as a "zero-day" vulnerability: no update or patch existed at the time the attack was identified as underway, so it could not have been prevented by tools that detect "known" malware. Network monitoring and analysis may identify anomalous behaviour, but only after the fact, with the extortion already underway.

If nothing has happened so far, are we okay?

If an organization was compromised through the VSA tool, the criminals could have installed other tools for future access, possibly on other systems inside the network. Organizations must still monitor very closely for signs of an attack in the coming weeks, and prepare to minimize the impact if one occurs.

If we don’t use Kaseya, are we okay?

This attack only affects Kaseya users, but since this is the second time REvil has gotten into networks through third-party software updates, all organizations should treat this as a future avenue of attack and prepare for it.

What we will do going forward

  • Review backups to ensure their availability and integrity.
  • Prepare duplicates of critical operational servers and keep them disconnected from the network; review incident response plans, insurance coverage, and the availability of external resources.
  • Obtain all indicators being distributed and search logs and network traffic for them, including running the Kaseya identification tool.
  • Monitor media and government sources for information, and set up an assessment through Mid-Range for you.
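The indicator search described above under "What steps should we take?" and in the list of actions is mechanical enough to script. The example below is an added illustration, not Kaseya's detection tool or anything published by CISA or the FBI: it loads a firewall/flow export, matches destinations against an indicator list, and ranks the results so that an indicator reached from a host running the VSA agent is reviewed first. The indicator values (RFC 5737 documentation addresses and an `.invalid` hostname), the list of VSA hosts, and the log lines are all constructed for the example; replace them with the published indicator list, your own inventory of VSA-managed systems, and a real export from your firewall or flow collector.

```python
"""Match indicators of compromise against a firewall/flow log export.

Added example, not Kaseya's or CISA's tooling. Every value below is
constructed for illustration.
"""
import csv
import io
from collections import Counter

# Constructed indicator list (documentation-range addresses, not real IOCs).
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_DOMAINS = {"bad-example.invalid"}

# Constructed inventory of hosts known to run the VSA agent.
VSA_HOSTS = {"10.0.5.21", "10.0.5.22", "10.0.7.3"}

# Constructed firewall export. Real exports vary by vendor; adjust the
# column names in the functions below to match yours.
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,dst_port,direction,action,dst_host
2021-07-02T14:01:02Z,10.0.5.21,203.0.113.10,443,outbound,allow,
2021-07-02T14:01:09Z,10.0.5.21,172.217.0.46,443,outbound,allow,update.example.com
2021-07-02T14:02:11Z,10.0.7.3,198.51.100.77,8080,outbound,allow,
2021-07-02T14:03:30Z,10.0.9.9,203.0.113.10,443,outbound,deny,
2021-07-02T14:04:00Z,10.0.5.22,192.0.2.5,443,outbound,allow,bad-example.invalid
2021-07-02T14:05:00Z,10.0.5.22,93.184.216.34,443,outbound,allow,example.com
"""


def parse_log(text):
    """Parse a CSV firewall/flow export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_ioc_match(row):
    """True if the destination IP or hostname is on the indicator list."""
    return row["dst_ip"] in IOC_IPS or row["dst_host"] in IOC_DOMAINS


def ioc_hits(rows):
    """Every row touching an indicator, whether allowed or denied.

    A denied connection still shows that a host tried to reach the
    indicator, which is worth investigating even though it was blocked.
    """
    return [r for r in rows if is_ioc_match(r)]


def vsa_outbound(rows):
    """Allowed outbound connections from hosts that run the VSA agent."""
    return [
        r for r in rows
        if r["src_ip"] in VSA_HOSTS
        and r["direction"] == "outbound"
        and r["action"] == "allow"
    ]


def triage(rows):
    """Bucket findings by priority.

    high:   indicator reached from a VSA host (the attack's entry point)
    medium: indicator reached from any other host
    review: destinations VSA hosts reached that are not on the indicator
            list. Not findings by themselves, but a short list is cheap
            to check by hand for anything that is not a known update or
            vendor endpoint, which is how unknown tooling gets noticed.
    """
    hits = ioc_hits(rows)
    high = [r for r in hits if r["src_ip"] in VSA_HOSTS]
    medium = [r for r in hits if r["src_ip"] not in VSA_HOSTS]
    review = Counter(
        r["dst_host"] or r["dst_ip"]
        for r in vsa_outbound(rows)
        if not is_ioc_match(r)
    )
    return {"high": high, "medium": medium, "review": review}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for level in ("high", "medium"):
        for r in result[level]:
            print(f"[{level.upper()}] {r['timestamp']} {r['src_ip']} -> "
                  f"{r['dst_host'] or r['dst_ip']}:{r['dst_port']} ({r['action']})")
    print("[REVIEW] VSA-host destinations not on the indicator list:")
    for dest, count in result["review"].most_common():
        print(f"  {dest} ({count} connections)")
```

Two points are worth carrying over to whatever tooling is actually used. Denied connections are kept as findings, because a block rule stops the traffic but does not undo the compromise that generated it. And the "review" bucket exists because an indicator list is only ever a snapshot of what was known when it was published; a compact list of where VSA-managed systems actually connected is the cheapest way to spot the follow-on tooling the "If nothing has happened so far" section warns about.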
