Kaseya VSA Ransomware Compromise

Cyber Security and Incident Response Advisory – Updated 22 July 2021

Kaseya VSA is a widely used Remote Monitoring and Management (RMM) tool that automates or removes many of the tasks traditionally performed by a field technician. It provides functions such as scripted automation, remote access, inventorying, batch patching, and more. Because a VSA server can push software to every endpoint it manages, a compromised VSA server gives an attacker the same reach.

On Friday, 2 July 2021, Kaseya’s Incident Response team learned of a security incident involving the VSA software. Kaseya initially took the following actions:

  • Immediately shut down the SaaS servers;
  • Immediately notified customers to shut down their on-premises VSA servers to prevent them from being compromised;
  • Engaged an incident response team and leading industry experts in forensic investigations to help determine the root cause of the issue;
  • Notified law enforcement and government cybersecurity agencies, including the FBI and CISA.

Recommendations

  • All on-premises VSA servers should remain offline until Kaseya advises that it is safe to restore operations.
  • A patch must be installed before the VSA is restarted. Timeline of patch-related releases, as at each date:
    • 8 July 2021: Kaseya published a runbook of the changes to make to your on-premises environment so that customers can prepare for the patch release. The runbook is available from Kaseya.
    • 11 July 2021: the on-premises patch was due to become available.
    • 13 July 2021: Kaseya released VSA version 9.5.7a for the VSA on-premises software.
    • 16 July 2021: Kaseya announced it would release patch 9.5.7.3011, which remediates functionality issues caused by the enhanced security measures put in place and provides bug fixes (this is not a security release).
  • Customers who experienced ransomware and receive communication from the attackers should not click on any links, as they may be weaponised.
  • Review your systems for indicators of compromise; Kaseya’s VSA Compromise Detection Tool (see References) is provided for this purpose.

Before restarting the VSA, install the required patch and apply Kaseya’s accompanying set of recommendations on how to increase your security posture.

On 9 July 2021, Kaseya published a new threat alert about emails containing phishing links or malicious attachments from senders claiming to be Kaseya partners. The attackers are also making phone calls as part of this campaign. Kaseya warns customers not to click on links or download attachments from such emails and not to respond to phone calls from anyone claiming to be a Kaseya partner.

On 22 July 2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack and is working to remediate customers impacted by the incident. Kaseya obtained the tool from a third party and has teams actively helping affected customers restore their environments, with no reported problems or issues associated with the decryptor. Kaseya is working with Emsisoft to support customer engagement efforts, and Emsisoft has confirmed the key is effective at decrypting victims’ files.

We remain committed to ensuring the highest levels of safety for our customers and will continue to update here as more details become available.

Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.

References

Kaseya

Important Notice

Kaseya VSA – Compromise Detection Tool

Government Advisories

CISA – Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

CISA – Kaseya VSA Supply-Chain Ransomware Attack

FBI – Statement on Kaseya Ransomware Attack

CERT NZ – Kaseya management software being used to deploy ransomware

NCSC – Kaseya VSA supply chain ransomware attack

ACSC – Kaseya VSA Supply-Chain Ransomware Attack


This Advisory is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Advisory. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Advisory or for any decision based on it.

Traffic Light Protocol: TLP:WHITE